source3/rpcclient/cmd_eventlog.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    RPC pipe client
   4
   5    Copyright (C) Günther Deschner 2009
   6
   7    This program is free software; you can redistribute it and/or modify
   8    it under the terms of the GNU General Public License as published by
   9    the Free Software Foundation; either version 3 of the License, or
  10    (at your option) any later version.
  11
  12    This program is distributed in the hope that it will be useful,
  13    but WITHOUT ANY WARRANTY; without even the implied warranty of
  14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15    GNU General Public License for more details.
  16
  17    You should have received a copy of the GNU General Public License
  18    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  19 */
  20
  21 #include "includes.h"
  22 #include "rpcclient.h"
  23 #include "../librpc/gen_ndr/ndr_eventlog.h"
  24 #include "../librpc/gen_ndr/cli_eventlog.h"
  25 #include "rpc_client/init_lsa.h"
  26
  27 static NTSTATUS get_eventlog_handle(struct rpc_pipe_client *cli,
  28                                     TALLOC_CTX *mem_ctx,
  29                                     const char *log,
  30                                     struct policy_handle *handle)
  31 {
  32         NTSTATUS status;
  33         struct eventlog_OpenUnknown0 unknown0;
  34         struct lsa_String logname, servername;
  35
  36         unknown0.unknown0 = 0x005c;
  37         unknown0.unknown1 = 0x0001;
  38
  39         init_lsa_String(&logname, log);
  40         init_lsa_String(&servername, NULL);
  41
  42         status = rpccli_eventlog_OpenEventLogW(cli, mem_ctx,
  43                                                &unknown0,
  44                                                &logname,
  45                                                &servername,
  46                                                0x00000001, /* major */
  47                                                0x00000001, /* minor */
  48                                                handle);
  49         if (!NT_STATUS_IS_OK(status)) {
  50                 return status;
  51         }
  52
  53         return NT_STATUS_OK;
  54 }
  55
  56 static NTSTATUS cmd_eventlog_readlog(struct rpc_pipe_client *cli,
  57                                      TALLOC_CTX *mem_ctx,
  58                                      int argc,
  59                                      const char **argv)
  60 {
  61         NTSTATUS status = NT_STATUS_OK;
  62         struct policy_handle handle;
  63
  64         uint32_t flags = EVENTLOG_BACKWARDS_READ |
  65                          EVENTLOG_SEQUENTIAL_READ;
  66         uint32_t offset = 0;
  67         uint32_t number_of_bytes = 0;
  68         uint8_t *data = NULL;
  69         uint32_t sent_size = 0;
  70         uint32_t real_size = 0;
  71
  72         if (argc < 2 || argc > 4) {
  73                 printf("Usage: %s logname [offset] [number_of_bytes]\n", argv[0]);
  74                 return NT_STATUS_OK;
  75         }
  76
  77         if (argc >= 3) {
  78                 offset = atoi(argv[2]);
  79         }
  80
  81         if (argc >= 4) {
  82                 number_of_bytes = atoi(argv[3]);
  83                 data = talloc_array(mem_ctx, uint8_t, number_of_bytes);
  84                 if (!data) {
  85                         goto done;
  86                 }
  87         }
  88
  89         status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
  90         if (!NT_STATUS_IS_OK(status)) {
  91                 return status;
  92         }
  93
  94         do {
  95
  96                 enum ndr_err_code ndr_err;
  97                 DATA_BLOB blob;
  98                 struct EVENTLOGRECORD r;
  99                 uint32_t size = 0;
 100                 uint32_t pos = 0;
 101
 102                 status = rpccli_eventlog_ReadEventLogW(cli, mem_ctx,
 103                                                        &handle,
 104                                                        flags,
 105                                                        offset,
 106                                                        number_of_bytes,
 107                                                        data,
 108                                                        &sent_size,
 109                                                        &real_size);
 110                 if (NT_STATUS_EQUAL(status, NT_STATUS_BUFFER_TOO_SMALL) &&
 111                     real_size > 0 ) {
 112                         number_of_bytes = real_size;
 113                         data = talloc_array(mem_ctx, uint8_t, real_size);
 114                         if (!data) {
 115                                 goto done;
 116                         }
 117                         status = rpccli_eventlog_ReadEventLogW(cli, mem_ctx,
 118                                                                &handle,
 119                                                                flags,
 120                                                                offset,
 121                                                                number_of_bytes,
 122                                                                data,
 123                                                                &sent_size,
 124                                                                &real_size);
 125                 }
 126
 127                 if (!NT_STATUS_EQUAL(status, NT_STATUS_END_OF_FILE) &&
 128                     !NT_STATUS_IS_OK(status)) {
 129                         goto done;
 130                 }
 131
 132                 number_of_bytes = 0;
 133
 134                 size = IVAL(data, pos);
 135
 136                 while (size > 0) {
 137
 138                         blob = data_blob_const(data + pos, size);
 139                         /* dump_data(0, blob.data, blob.length); */
 140                         ndr_err = ndr_pull_struct_blob_all(&blob, mem_ctx, &r,
 141                                            (ndr_pull_flags_fn_t)ndr_pull_EVENTLOGRECORD);
 142                         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 143                                 status = ndr_map_error2ntstatus(ndr_err);
 144                                 goto done;
 145                         }
 146
 147                         NDR_PRINT_DEBUG(EVENTLOGRECORD, &r);
 148
 149                         pos += size;
 150
 151                         if (pos + 4 > sent_size) {
 152                                 break;
 153                         }
 154
 155                         size = IVAL(data, pos);
 156                 }
 157
 158                 offset++;
 159
 160         } while (NT_STATUS_IS_OK(status));
 161
 162  done:
 163         rpccli_eventlog_CloseEventLog(cli, mem_ctx, &handle);
 164
 165         return status;
 166 }
 167
 168 static NTSTATUS cmd_eventlog_numrecords(struct rpc_pipe_client *cli,
 169                                         TALLOC_CTX *mem_ctx,
 170                                         int argc,
 171                                         const char **argv)
 172 {
 173         NTSTATUS status;
 174         struct policy_handle handle;
 175         uint32_t number = 0;
 176
 177         if (argc != 2) {
 178                 printf("Usage: %s logname\n", argv[0]);
 179                 return NT_STATUS_OK;
 180         }
 181
 182         status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
 183         if (!NT_STATUS_IS_OK(status)) {
 184                 return status;
 185         }
 186
 187         status = rpccli_eventlog_GetNumRecords(cli, mem_ctx,
 188                                                &handle,
 189                                                &number);
 190         if (!NT_STATUS_IS_OK(status)) {
 191                 goto done;
 192         }
 193
 194         printf("number of records: %d\n", number);
 195
 196  done:
 197         rpccli_eventlog_CloseEventLog(cli, mem_ctx, &handle);
 198
 199         return status;
 200 }
 201
 202 static NTSTATUS cmd_eventlog_oldestrecord(struct rpc_pipe_client *cli,
 203                                           TALLOC_CTX *mem_ctx,
 204                                           int argc,
 205                                           const char **argv)
 206 {
 207         NTSTATUS status;
 208         struct policy_handle handle;
 209         uint32_t oldest_entry = 0;
 210
 211         if (argc != 2) {
 212                 printf("Usage: %s logname\n", argv[0]);
 213                 return NT_STATUS_OK;
 214         }
 215
 216         status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
 217         if (!NT_STATUS_IS_OK(status)) {
 218                 return status;
 219         }
 220
 221         status = rpccli_eventlog_GetOldestRecord(cli, mem_ctx,
 222                                                  &handle,
 223                                                  &oldest_entry);
 224         if (!NT_STATUS_IS_OK(status)) {
 225                 goto done;
 226         }
 227
 228         printf("oldest entry: %d\n", oldest_entry);
 229
 230  done:
 231         rpccli_eventlog_CloseEventLog(cli, mem_ctx, &handle);
 232
 233         return status;
 234 }
 235
 236 static NTSTATUS cmd_eventlog_reportevent(struct rpc_pipe_client *cli,
 237                                          TALLOC_CTX *mem_ctx,
 238                                          int argc,
 239                                          const char **argv)
 240 {
 241         NTSTATUS status;
 242         struct policy_handle handle;
 243
 244         uint16_t num_of_strings = 1;
 245         uint32_t data_size = 0;
 246         struct lsa_String servername;
 247         struct lsa_String *strings;
 248         uint8_t *data = NULL;
 249         uint32_t record_number = 0;
 250         time_t time_written = 0;
 251
 252         if (argc != 2) {
 253                 printf("Usage: %s logname\n", argv[0]);
 254                 return NT_STATUS_OK;
 255         }
 256
 257         status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
 258         if (!NT_STATUS_IS_OK(status)) {
 259                 return status;
 260         }
 261
 262         strings = talloc_array(mem_ctx, struct lsa_String, num_of_strings);
 263         if (!strings) {
 264                 return NT_STATUS_NO_MEMORY;
 265         }
 266
 267         init_lsa_String(&strings[0], "test event written by rpcclient\n");
 268         init_lsa_String(&servername, NULL);
 269
 270         status = rpccli_eventlog_ReportEventW(cli, mem_ctx,
 271                                               &handle,
 272                                               time(NULL),
 273                                               EVENTLOG_INFORMATION_TYPE,
 274                                               0, /* event_category */
 275                                               0, /* event_id */
 276                                               num_of_strings,
 277                                               data_size,
 278                                               &servername,
 279                                               NULL, /* user_sid */
 280                                               &strings,
 281                                               data,
 282                                               0, /* flags */
 283                                               &record_number,
 284                                               &time_written);
 285
 286         if (!NT_STATUS_IS_OK(status)) {
 287                 goto done;
 288         }
 289
 290         printf("entry: %d written at %s\n", record_number,
 291                 http_timestring(talloc_tos(), time_written));
 292
 293  done:
 294         rpccli_eventlog_CloseEventLog(cli, mem_ctx, &handle);
 295
 296         return status;
 297 }
 298
 299 static NTSTATUS cmd_eventlog_reporteventsource(struct rpc_pipe_client *cli,
 300                                                TALLOC_CTX *mem_ctx,
 301                                                int argc,
 302                                                const char **argv)
 303 {
 304         NTSTATUS status;
 305         struct policy_handle handle;
 306
 307         uint16_t num_of_strings = 1;
 308         uint32_t data_size = 0;
 309         struct lsa_String servername, sourcename;
 310         struct lsa_String *strings;
 311         uint8_t *data = NULL;
 312         uint32_t record_number = 0;
 313         time_t time_written = 0;
 314
 315         if (argc != 2) {
 316                 printf("Usage: %s logname\n", argv[0]);
 317                 return NT_STATUS_OK;
 318         }
 319
 320         status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
 321         if (!NT_STATUS_IS_OK(status)) {
 322                 return status;
 323         }
 324
 325         strings = talloc_array(mem_ctx, struct lsa_String, num_of_strings);
 326         if (!strings) {
 327                 return NT_STATUS_NO_MEMORY;
 328         }
 329
 330         init_lsa_String(&strings[0], "test event written by rpcclient\n");
 331         init_lsa_String(&servername, NULL);
 332         init_lsa_String(&sourcename, "rpcclient");
 333
 334         status = rpccli_eventlog_ReportEventAndSourceW(cli, mem_ctx,
 335                                                        &handle,
 336                                                        time(NULL),
 337                                                        EVENTLOG_INFORMATION_TYPE,
 338                                                        0, /* event_category */
 339                                                        0, /* event_id */
 340                                                        &sourcename,
 341                                                        num_of_strings,
 342                                                        data_size,
 343                                                        &servername,
 344                                                        NULL, /* user_sid */
 345                                                        &strings,
 346                                                        data,
 347                                                        0, /* flags */
 348                                                        &record_number,
 349                                                        &time_written);
 350         if (!NT_STATUS_IS_OK(status)) {
 351                 goto done;
 352         }
 353
 354         printf("entry: %d written at %s\n", record_number,
 355                 http_timestring(talloc_tos(), time_written));
 356
 357  done:
 358         rpccli_eventlog_CloseEventLog(cli, mem_ctx, &handle);
 359
 360         return status;
 361 }
 362
 363 static NTSTATUS cmd_eventlog_registerevsource(struct rpc_pipe_client *cli,
 364                                               TALLOC_CTX *mem_ctx,
 365                                               int argc,
 366                                               const char **argv)
 367 {
 368         NTSTATUS status;
 369         struct policy_handle log_handle;
 370         struct lsa_String module_name, reg_module_name;
 371         struct eventlog_OpenUnknown0 unknown0;
 372
 373         unknown0.unknown0 = 0x005c;
 374         unknown0.unknown1 = 0x0001;
 375
 376         if (argc != 2) {
 377                 printf("Usage: %s logname\n", argv[0]);
 378                 return NT_STATUS_OK;
 379         }
 380
 381         init_lsa_String(&module_name, "rpcclient");
 382         init_lsa_String(&reg_module_name, NULL);
 383
 384         status = rpccli_eventlog_RegisterEventSourceW(cli, mem_ctx,
 385                                                       &unknown0,
 386                                                       &module_name,
 387                                                       &reg_module_name,
 388                                                       1, /* major_version */
 389                                                       1, /* minor_version */
 390                                                       &log_handle);
 391         if (!NT_STATUS_IS_OK(status)) {
 392                 goto done;
 393         }
 394
 395  done:
 396         rpccli_eventlog_DeregisterEventSource(cli, mem_ctx, &log_handle);
 397
 398         return status;
 399 }
 400
 401 static NTSTATUS cmd_eventlog_backuplog(struct rpc_pipe_client *cli,
 402                                        TALLOC_CTX *mem_ctx,
 403                                        int argc,
 404                                        const char **argv)
 405 {
 406         NTSTATUS status;
 407         struct policy_handle handle;
 408         struct lsa_String backup_filename;
 409         const char *tmp;
 410
 411         if (argc != 3) {
 412                 printf("Usage: %s logname backupname\n", argv[0]);
 413                 return NT_STATUS_OK;
 414         }
 415
 416         status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
 417         if (!NT_STATUS_IS_OK(status)) {
 418                 return status;
 419         }
 420
 421         tmp = talloc_asprintf(mem_ctx, "\\??\\%s", argv[2]);
 422         if (!tmp) {
 423                 status = NT_STATUS_NO_MEMORY;
 424                 goto done;
 425         }
 426
 427         init_lsa_String(&backup_filename, tmp);
 428
 429         status = rpccli_eventlog_BackupEventLogW(cli, mem_ctx,
 430                                                  &handle,
 431                                                  &backup_filename);
 432
 433  done:
 434         rpccli_eventlog_CloseEventLog(cli, mem_ctx, &handle);
 435
 436         return status;
 437 }
 438
 439 static NTSTATUS cmd_eventlog_loginfo(struct rpc_pipe_client *cli,
 440                                      TALLOC_CTX *mem_ctx,
 441                                      int argc,
 442                                      const char **argv)
 443 {
 444         NTSTATUS status;
 445         struct policy_handle handle;
 446         uint8_t *buffer = NULL;
 447         uint32_t buf_size = 0;
 448         uint32_t bytes_needed = 0;
 449
 450         if (argc != 2) {
 451                 printf("Usage: %s logname\n", argv[0]);
 452                 return NT_STATUS_OK;
 453         }
 454
 455         status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
 456         if (!NT_STATUS_IS_OK(status)) {
 457                 return status;
 458         }
 459
 460         status = rpccli_eventlog_GetLogInformation(cli, mem_ctx,
 461                                                    &handle,
 462                                                    0, /* level */
 463                                                    buffer,
 464                                                    buf_size,
 465                                                    &bytes_needed);
 466         if (!NT_STATUS_IS_OK(status) &&
 467             !NT_STATUS_EQUAL(status, NT_STATUS_BUFFER_TOO_SMALL)) {
 468                 goto done;
 469         }
 470
 471         buf_size = bytes_needed;
 472         buffer = talloc_array(mem_ctx, uint8_t, bytes_needed);
 473         if (!buffer) {
 474                 status = NT_STATUS_NO_MEMORY;
 475                 goto done;
 476         }
 477
 478         status = rpccli_eventlog_GetLogInformation(cli, mem_ctx,
 479                                                    &handle,
 480                                                    0, /* level */
 481                                                    buffer,
 482                                                    buf_size,
 483                                                    &bytes_needed);
 484         if (!NT_STATUS_IS_OK(status)) {
 485                 goto done;
 486         }
 487
 488  done:
 489         rpccli_eventlog_CloseEventLog(cli, mem_ctx, &handle);
 490
 491         return status;
 492 }
 493
 494
 495 struct cmd_set eventlog_commands[] = {
 496         { "EVENTLOG" },
 497         { "eventlog_readlog",           RPC_RTYPE_NTSTATUS,     cmd_eventlog_readlog,           NULL,   &ndr_table_eventlog.syntax_id,  NULL,   "Read Eventlog", "" },
 498         { "eventlog_numrecord",         RPC_RTYPE_NTSTATUS,     cmd_eventlog_numrecords,        NULL,   &ndr_table_eventlog.syntax_id,  NULL,   "Get number of records", "" },
 499         { "eventlog_oldestrecord",      RPC_RTYPE_NTSTATUS,     cmd_eventlog_oldestrecord,      NULL,   &ndr_table_eventlog.syntax_id,  NULL,   "Get oldest record", "" },
 500         { "eventlog_reportevent",       RPC_RTYPE_NTSTATUS,     cmd_eventlog_reportevent,       NULL,   &ndr_table_eventlog.syntax_id,  NULL,   "Report event", "" },
 501         { "eventlog_reporteventsource", RPC_RTYPE_NTSTATUS,     cmd_eventlog_reporteventsource, NULL,   &ndr_table_eventlog.syntax_id,  NULL,   "Report event and source", "" },
 502         { "eventlog_registerevsource",  RPC_RTYPE_NTSTATUS,     cmd_eventlog_registerevsource,  NULL,   &ndr_table_eventlog.syntax_id,  NULL,   "Register event source", "" },
 503         { "eventlog_backuplog",         RPC_RTYPE_NTSTATUS,     cmd_eventlog_backuplog,         NULL,   &ndr_table_eventlog.syntax_id,  NULL,   "Backup Eventlog File", "" },
 504         { "eventlog_loginfo",           RPC_RTYPE_NTSTATUS,     cmd_eventlog_loginfo,           NULL,   &ndr_table_eventlog.syntax_id,  NULL,   "Get Eventlog Information", "" },
 505         { NULL }
 506 };