[Samba/wip.git] / source3 / rpcclient / cmd_eventlog.c
1 /*
2 Unix SMB/CIFS implementation.
3 RPC pipe client
5 Copyright (C) Günther Deschner 2009
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 #include "includes.h"
22 #include "rpcclient.h"
23 #include "../librpc/gen_ndr/ndr_eventlog.h"
24 #include "../librpc/gen_ndr/cli_eventlog.h"
/**
 * Open the eventlog called @log over @cli and store the resulting policy
 * handle in @handle.
 *
 * The server name is sent as an empty lsa_String and the version pair is
 * fixed at 1/1.
 *
 * @return the NTSTATUS of the OpenEventLogW call; @handle is only meant to
 *         be used when that status is NT_STATUS_OK.
 */
static NTSTATUS get_eventlog_handle(struct rpc_pipe_client *cli,
				    TALLOC_CTX *mem_ctx,
				    const char *log,
				    struct policy_handle *handle)
{
	struct lsa_String servername, logname;
	struct eventlog_OpenUnknown0 unknown0;
	NTSTATUS result;

	init_lsa_String(&servername, NULL);
	init_lsa_String(&logname, log);

	/* Fixed values for the first argument; its fields are unnamed in the IDL. */
	unknown0.unknown1 = 0x0001;
	unknown0.unknown0 = 0x005c;

	result = rpccli_eventlog_OpenEventLogW(cli, mem_ctx,
					       &unknown0,
					       &logname,
					       &servername,
					       0x00000001, /* major */
					       0x00000001, /* minor */
					       handle);

	/* A successful status is NT_STATUS_OK, so it can be handed back as is. */
	return result;
}
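/**
 * rpcclient command: read an eventlog and print every record it returns.
 *
 * Usage: <cmd> logname [offset] [number_of_bytes]
 *
 * The log is read backwards and sequentially. Each round first asks with
 * the current buffer size; when the server answers
 * NT_STATUS_BUFFER_TOO_SMALL and reports the size it needs, a buffer of
 * that size is allocated and the read is repeated.
 *
 * The reply buffer, sent_size and the per-record length fields all come
 * from the server and are treated as untrusted: a record is only decoded
 * when its claimed length fits inside the bytes that were both requested
 * and reported as sent.
 *
 * @return NT_STATUS_OK when only the usage text was printed, otherwise the
 *         status that ended the read loop (NT_STATUS_END_OF_FILE once the
 *         log is exhausted), or NT_STATUS_NO_MEMORY on allocation failure.
 */
static NTSTATUS cmd_eventlog_readlog(struct rpc_pipe_client *cli,
				     TALLOC_CTX *mem_ctx,
				     int argc,
				     const char **argv)
{
	NTSTATUS status = NT_STATUS_OK;
	struct policy_handle handle;

	uint32_t flags = EVENTLOG_BACKWARDS_READ |
			 EVENTLOG_SEQUENTIAL_READ;
	uint32_t offset = 0;
	uint32_t number_of_bytes = 0;
	uint8_t *data = NULL;
	uint32_t sent_size = 0;
	uint32_t real_size = 0;

	if (argc < 2 || argc > 4) {
		printf("Usage: %s logname [offset] [number_of_bytes]\n", argv[0]);
		return NT_STATUS_OK;
	}

	/*
	 * NOTE(review): atoi() does no error checking; non-numeric input
	 * yields 0 and a negative number wraps when stored in a uint32_t.
	 */
	if (argc >= 3) {
		offset = atoi(argv[2]);
	}

	if (argc >= 4) {
		number_of_bytes = atoi(argv[3]);
		data = talloc_array(mem_ctx, uint8_t, number_of_bytes);
		if (!data) {
			/*
			 * The handle has not been opened yet, so the done:
			 * path (which closes it) must not be taken, and the
			 * failure must not be reported as success.
			 */
			return NT_STATUS_NO_MEMORY;
		}
	}

	status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	do {

		enum ndr_err_code ndr_err;
		DATA_BLOB blob;
		struct EVENTLOGRECORD r;
		uint32_t size = 0;
		uint32_t pos = 0;
		uint32_t avail = 0;

		/* Never carry sizes over from the previous round. */
		sent_size = 0;
		real_size = 0;

		status = rpccli_eventlog_ReadEventLogW(cli, mem_ctx,
						       &handle,
						       flags,
						       offset,
						       number_of_bytes,
						       data,
						       &sent_size,
						       &real_size);
		if (NT_STATUS_EQUAL(status, NT_STATUS_BUFFER_TOO_SMALL) &&
		    real_size > 0 ) {
			number_of_bytes = real_size;
			data = talloc_array(mem_ctx, uint8_t, real_size);
			if (!data) {
				/* Report the allocation failure, not BUFFER_TOO_SMALL. */
				status = NT_STATUS_NO_MEMORY;
				goto done;
			}
			sent_size = 0;
			status = rpccli_eventlog_ReadEventLogW(cli, mem_ctx,
							       &handle,
							       flags,
							       offset,
							       number_of_bytes,
							       data,
							       &sent_size,
							       &real_size);
		}

		if (!NT_STATUS_EQUAL(status, NT_STATUS_END_OF_FILE) &&
		    !NT_STATUS_IS_OK(status)) {
			goto done;
		}

		/*
		 * Only the bytes that were requested in the last call AND
		 * reported as sent may be parsed. number_of_bytes never
		 * exceeds the size of the buffer behind data, and it is 0
		 * whenever data is NULL, so this bound also covers the
		 * "no buffer at all" case.
		 */
		avail = (sent_size < number_of_bytes) ? sent_size : number_of_bytes;

		number_of_bytes = 0;

		/* pos <= avail always holds, so avail - pos cannot wrap. */
		while (avail - pos >= 4) {

			size = IVAL(data, pos);
			if (size == 0) {
				break;
			}
			if (size > avail - pos) {
				/* Length field points past the received data. */
				printf("record at buffer offset %u claims %u bytes, "
				       "only %u available\n",
				       (unsigned int)pos,
				       (unsigned int)size,
				       (unsigned int)(avail - pos));
				break;
			}

			blob = data_blob_const(data + pos, size);
			/* dump_data(0, blob.data, blob.length); */
			ndr_err = ndr_pull_struct_blob_all(&blob, mem_ctx, &r,
					   (ndr_pull_flags_fn_t)ndr_pull_EVENTLOGRECORD);
			if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
				status = ndr_map_error2ntstatus(ndr_err);
				goto done;
			}

			NDR_PRINT_DEBUG(EVENTLOGRECORD, &r);

			pos += size;
		}

		offset++;

	} while (NT_STATUS_IS_OK(status));

 done:
	rpccli_eventlog_CloseEventLog(cli, mem_ctx, &handle);

	return status;
}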
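/**
 * rpcclient command: print the number of records in an eventlog.
 *
 * Usage: <cmd> logname
 *
 * @return NT_STATUS_OK when only the usage text was printed, the open
 *         status when the log could not be opened, otherwise the status of
 *         GetNumRecords.
 */
static NTSTATUS cmd_eventlog_numrecords(struct rpc_pipe_client *cli,
					TALLOC_CTX *mem_ctx,
					int argc,
					const char **argv)
{
	NTSTATUS status;
	struct policy_handle handle;
	uint32_t number = 0;

	if (argc != 2) {
		printf("Usage: %s logname\n", argv[0]);
		return NT_STATUS_OK;
	}

	status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	status = rpccli_eventlog_GetNumRecords(cli, mem_ctx,
					       &handle,
					       &number);
	if (!NT_STATUS_IS_OK(status)) {
		goto done;
	}

	/* number is unsigned; %d would show large counts as negative. */
	printf("number of records: %u\n", (unsigned int)number);

 done:
	/* The close result is ignored; the command reports the query status. */
	rpccli_eventlog_CloseEventLog(cli, mem_ctx, &handle);

	return status;
}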
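/**
 * rpcclient command: print the oldest record entry of an eventlog, as
 * returned by GetOldestRecord.
 *
 * Usage: <cmd> logname
 *
 * @return NT_STATUS_OK when only the usage text was printed, the open
 *         status when the log could not be opened, otherwise the status of
 *         GetOldestRecord.
 */
static NTSTATUS cmd_eventlog_oldestrecord(struct rpc_pipe_client *cli,
					  TALLOC_CTX *mem_ctx,
					  int argc,
					  const char **argv)
{
	NTSTATUS status;
	struct policy_handle handle;
	uint32_t oldest_entry = 0;

	if (argc != 2) {
		printf("Usage: %s logname\n", argv[0]);
		return NT_STATUS_OK;
	}

	status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	status = rpccli_eventlog_GetOldestRecord(cli, mem_ctx,
						 &handle,
						 &oldest_entry);
	if (!NT_STATUS_IS_OK(status)) {
		goto done;
	}

	/* oldest_entry is unsigned; %d would show large values as negative. */
	printf("oldest entry: %u\n", (unsigned int)oldest_entry);

 done:
	/* The close result is ignored; the command reports the query status. */
	rpccli_eventlog_CloseEventLog(cli, mem_ctx, &handle);

	return status;
}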
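/**
 * rpcclient command: write one fixed test event ("test event written by
 * rpcclient") of type EVENTLOG_INFORMATION_TYPE into an eventlog and print
 * the record number and write time the server reports.
 *
 * Usage: <cmd> logname
 *
 * @return NT_STATUS_OK when only the usage text was printed, the open
 *         status when the log could not be opened, NT_STATUS_NO_MEMORY on
 *         allocation failure, otherwise the status of ReportEventW.
 */
static NTSTATUS cmd_eventlog_reportevent(struct rpc_pipe_client *cli,
					 TALLOC_CTX *mem_ctx,
					 int argc,
					 const char **argv)
{
	NTSTATUS status;
	struct policy_handle handle;

	uint16_t num_of_strings = 1;
	uint32_t data_size = 0;
	struct lsa_String servername;
	struct lsa_String *strings;
	uint8_t *data = NULL;
	uint32_t record_number = 0;
	time_t time_written = 0;

	if (argc != 2) {
		printf("Usage: %s logname\n", argv[0]);
		return NT_STATUS_OK;
	}

	status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	strings = talloc_array(mem_ctx, struct lsa_String, num_of_strings);
	if (!strings) {
		/* The log is already open: leave through done: so it is closed. */
		status = NT_STATUS_NO_MEMORY;
		goto done;
	}

	init_lsa_String(&strings[0], "test event written by rpcclient\n");
	init_lsa_String(&servername, NULL);

	status = rpccli_eventlog_ReportEventW(cli, mem_ctx,
					      &handle,
					      time(NULL),
					      EVENTLOG_INFORMATION_TYPE,
					      0, /* event_category */
					      0, /* event_id */
					      num_of_strings,
					      data_size,
					      &servername,
					      NULL, /* user_sid */
					      &strings,
					      data,
					      0, /* flags */
					      &record_number,
					      &time_written);

	if (!NT_STATUS_IS_OK(status)) {
		goto done;
	}

	/* record_number is unsigned, so print it with %u. */
	printf("entry: %u written at %s\n", (unsigned int)record_number,
		http_timestring(talloc_tos(), time_written));

 done:
	rpccli_eventlog_CloseEventLog(cli, mem_ctx, &handle);

	return status;
}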
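/**
 * rpcclient command: write one fixed test event into an eventlog, naming
 * "rpcclient" as the event source, and print the record number and write
 * time the server reports.
 *
 * Usage: <cmd> logname
 *
 * @return NT_STATUS_OK when only the usage text was printed, the open
 *         status when the log could not be opened, NT_STATUS_NO_MEMORY on
 *         allocation failure, otherwise the status of
 *         ReportEventAndSourceW.
 */
static NTSTATUS cmd_eventlog_reporteventsource(struct rpc_pipe_client *cli,
					       TALLOC_CTX *mem_ctx,
					       int argc,
					       const char **argv)
{
	NTSTATUS status;
	struct policy_handle handle;

	uint16_t num_of_strings = 1;
	uint32_t data_size = 0;
	struct lsa_String servername, sourcename;
	struct lsa_String *strings;
	uint8_t *data = NULL;
	uint32_t record_number = 0;
	time_t time_written = 0;

	if (argc != 2) {
		printf("Usage: %s logname\n", argv[0]);
		return NT_STATUS_OK;
	}

	status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	strings = talloc_array(mem_ctx, struct lsa_String, num_of_strings);
	if (!strings) {
		/* The log is already open: leave through done: so it is closed. */
		status = NT_STATUS_NO_MEMORY;
		goto done;
	}

	init_lsa_String(&strings[0], "test event written by rpcclient\n");
	init_lsa_String(&servername, NULL);
	init_lsa_String(&sourcename, "rpcclient");

	status = rpccli_eventlog_ReportEventAndSourceW(cli, mem_ctx,
						       &handle,
						       time(NULL),
						       EVENTLOG_INFORMATION_TYPE,
						       0, /* event_category */
						       0, /* event_id */
						       &sourcename,
						       num_of_strings,
						       data_size,
						       &servername,
						       NULL, /* user_sid */
						       &strings,
						       data,
						       0, /* flags */
						       &record_number,
						       &time_written);
	if (!NT_STATUS_IS_OK(status)) {
		goto done;
	}

	/* record_number is unsigned, so print it with %u. */
	printf("entry: %u written at %s\n", (unsigned int)record_number,
		http_timestring(talloc_tos(), time_written));

 done:
	rpccli_eventlog_CloseEventLog(cli, mem_ctx, &handle);

	return status;
}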
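/**
 * rpcclient command: register "rpcclient" as an event source and
 * deregister it again straight away.
 *
 * Usage: <cmd> logname
 *
 * NOTE(review): the usage text asks for a logname, but argv[1] is not
 * passed to the server by this function.
 *
 * @return NT_STATUS_OK when only the usage text was printed, otherwise the
 *         status of RegisterEventSourceW (the deregister result is not
 *         reported).
 */
static NTSTATUS cmd_eventlog_registerevsource(struct rpc_pipe_client *cli,
					      TALLOC_CTX *mem_ctx,
					      int argc,
					      const char **argv)
{
	NTSTATUS status;
	struct policy_handle log_handle;
	struct lsa_String module_name, reg_module_name;
	struct eventlog_OpenUnknown0 unknown0;

	unknown0.unknown0 = 0x005c;
	unknown0.unknown1 = 0x0001;

	if (argc != 2) {
		printf("Usage: %s logname\n", argv[0]);
		return NT_STATUS_OK;
	}

	init_lsa_String(&module_name, "rpcclient");
	init_lsa_String(&reg_module_name, NULL);

	status = rpccli_eventlog_RegisterEventSourceW(cli, mem_ctx,
						      &unknown0,
						      &module_name,
						      &reg_module_name,
						      1, /* major_version */
						      1, /* minor_version */
						      &log_handle);
	if (!NT_STATUS_IS_OK(status)) {
		/*
		 * No source was registered. log_handle has no initialiser and
		 * may still hold whatever was on the stack, so it must not be
		 * marshalled into a deregister request.
		 */
		return status;
	}

	rpccli_eventlog_DeregisterEventSource(cli, mem_ctx, &log_handle);

	return status;
}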
/**
 * rpcclient command: ask the server to back up an eventlog to a file.
 *
 * Usage: <cmd> logname backupname
 *
 * backupname is prefixed with "\??\" and sent unchanged otherwise; the
 * path is interpreted by the server, not by this client.
 *
 * @return NT_STATUS_OK when only the usage text was printed, the open
 *         status when the log could not be opened, NT_STATUS_NO_MEMORY if
 *         the path string could not be built, otherwise the status of
 *         BackupEventLogW.
 */
static NTSTATUS cmd_eventlog_backuplog(struct rpc_pipe_client *cli,
				       TALLOC_CTX *mem_ctx,
				       int argc,
				       const char **argv)
{
	struct lsa_String backup_filename;
	struct policy_handle handle;
	const char *nt_path;
	NTSTATUS status;

	if (argc != 3) {
		printf("Usage: %s logname backupname\n", argv[0]);
		return NT_STATUS_OK;
	}

	status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	nt_path = talloc_asprintf(mem_ctx, "\\??\\%s", argv[2]);
	if (nt_path != NULL) {
		init_lsa_String(&backup_filename, nt_path);

		status = rpccli_eventlog_BackupEventLogW(cli, mem_ctx,
							 &handle,
							 &backup_filename);
	} else {
		status = NT_STATUS_NO_MEMORY;
	}

	/* Both outcomes close the log handle before returning. */
	rpccli_eventlog_CloseEventLog(cli, mem_ctx, &handle);

	return status;
}
/**
 * rpcclient command: fetch level-0 log information for an eventlog.
 *
 * Usage: <cmd> logname
 *
 * The query is issued twice: first with an empty buffer to learn the
 * required size, then with a buffer of that size. The returned
 * information is not printed by this function.
 *
 * @return NT_STATUS_OK when only the usage text was printed, the open
 *         status when the log could not be opened, NT_STATUS_NO_MEMORY on
 *         allocation failure, otherwise the status of the last
 *         GetLogInformation call that was made.
 */
static NTSTATUS cmd_eventlog_loginfo(struct rpc_pipe_client *cli,
				     TALLOC_CTX *mem_ctx,
				     int argc,
				     const char **argv)
{
	struct policy_handle handle;
	NTSTATUS status;
	uint32_t needed = 0;
	uint32_t info_len = 0;
	uint8_t *info = NULL;

	if (argc != 2) {
		printf("Usage: %s logname\n", argv[0]);
		return NT_STATUS_OK;
	}

	status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	/* Size probe: no buffer, zero length. */
	status = rpccli_eventlog_GetLogInformation(cli, mem_ctx,
						   &handle,
						   0, /* level */
						   info,
						   info_len,
						   &needed);

	/* Success and BUFFER_TOO_SMALL both continue with the real query. */
	if (NT_STATUS_IS_OK(status) ||
	    NT_STATUS_EQUAL(status, NT_STATUS_BUFFER_TOO_SMALL)) {
		/* needed is the size reported by the server. */
		info_len = needed;
		info = talloc_array(mem_ctx, uint8_t, needed);
		if (info == NULL) {
			status = NT_STATUS_NO_MEMORY;
		} else {
			status = rpccli_eventlog_GetLogInformation(cli, mem_ctx,
								   &handle,
								   0, /* level */
								   info,
								   info_len,
								   &needed);
		}
	}

	rpccli_eventlog_CloseEventLog(cli, mem_ctx, &handle);

	return status;
}
/*
 * rpcclient command table for the eventlog pipe.
 *
 * The first entry carries only the group heading and { NULL } ends the
 * table. Every other entry lists, in order: the command name typed by the
 * user, the return-type tag, the handler function, an unused slot (NULL),
 * the syntax id of the eventlog interface, another unused slot (NULL), a
 * short description and an empty usage string.
 */
struct cmd_set eventlog_commands[] = {

	{ "EVENTLOG" },

	{
		"eventlog_readlog", RPC_RTYPE_NTSTATUS,
		cmd_eventlog_readlog, NULL,
		&ndr_table_eventlog.syntax_id, NULL,
		"Read Eventlog", ""
	},
	{
		"eventlog_numrecord", RPC_RTYPE_NTSTATUS,
		cmd_eventlog_numrecords, NULL,
		&ndr_table_eventlog.syntax_id, NULL,
		"Get number of records", ""
	},
	{
		"eventlog_oldestrecord", RPC_RTYPE_NTSTATUS,
		cmd_eventlog_oldestrecord, NULL,
		&ndr_table_eventlog.syntax_id, NULL,
		"Get oldest record", ""
	},
	{
		"eventlog_reportevent", RPC_RTYPE_NTSTATUS,
		cmd_eventlog_reportevent, NULL,
		&ndr_table_eventlog.syntax_id, NULL,
		"Report event", ""
	},
	{
		"eventlog_reporteventsource", RPC_RTYPE_NTSTATUS,
		cmd_eventlog_reporteventsource, NULL,
		&ndr_table_eventlog.syntax_id, NULL,
		"Report event and source", ""
	},
	{
		"eventlog_registerevsource", RPC_RTYPE_NTSTATUS,
		cmd_eventlog_registerevsource, NULL,
		&ndr_table_eventlog.syntax_id, NULL,
		"Register event source", ""
	},
	{
		"eventlog_backuplog", RPC_RTYPE_NTSTATUS,
		cmd_eventlog_backuplog, NULL,
		&ndr_table_eventlog.syntax_id, NULL,
		"Backup Eventlog File", ""
	},
	{
		"eventlog_loginfo", RPC_RTYPE_NTSTATUS,
		cmd_eventlog_loginfo, NULL,
		&ndr_table_eventlog.syntax_id, NULL,
		"Get Eventlog Information", ""
	},

	{ NULL }
};