Java Forum / General / July 2007
Regarding Windows Event Log File Parser in JAVA
amit3281@gmail.com - 10 Jul 2007 14:30 GMT
Hi,
Can anyone send me parser source code for Windows Event Log in Java?
Thanks in advance
Amit
Jeff Higgins - 10 Jul 2007 15:02 GMT
amit3281 wrote:
> Can Anyone send me Parser source code for Windows Event Log in Java
<http://msdn2.microsoft.com/en-us/library/bb309026.aspx>
Jeff Higgins - 10 Jul 2007 20:48 GMT
> <http://msdn2.microsoft.com/en-us/library/bb309026.aspx>
A skeletal implementation:
    public class Win32EventLogParser {
        public Win32EventLog readEventLog(java.io.ObjectInput in)
                throws java.io.IOException, ClassNotFoundException {
            Win32EventLog log = new Win32EventLog();
            log.readExternal(in);
            return log;
        }
    }

    @SuppressWarnings("unused")
    public class Win32EventLog implements java.io.Externalizable {
        private static final long serialVersionUID = 1L;
        private Win32EventLogHeader logHeader = new Win32EventLogHeader();
        private java.util.List<Win32EventLogRecord> logRecords =
                new java.util.ArrayList<Win32EventLogRecord>();

        public void readExternal(java.io.ObjectInput in)
                throws java.io.IOException, ClassNotFoundException {
            // TODO
        }

        public void writeExternal(java.io.ObjectOutput out) throws java.io.IOException {
            // TODO
        }
    }

    @SuppressWarnings("unused")
    public class Win32EventLogHeader implements java.io.Externalizable {
        private static final long serialVersionUID = 1L;
        public static final Long ELF_LOGFILE_HEADER_DIRTY = 0x0001L;
        public static final Long ELF_LOGFILE_HEADER_WRAP = 0x0002L;
        public static final Long ELF_LOGFILE_LOGFULL_WRITTEN = 0x0004L;
        public static final Long ELF_LOGFILE_ARCHIVE_SET = 0x0008L;

        private Long HeaderSize;
        private Long Signature;
        private Long MajorVersion;
        private Long MinorVersion;
        private Long StartOffset;
        private Long EndOffset;
        private Long CurrentRecordNumber;
        private Long OldestRecordNumber;
        private Long MaxSize;
        private Long Flags;
        private Long Retention;
        private Long EndHeaderSize;

        public static Win32EventLogHeader readEventLogHeader(java.io.ObjectInputStream in) {
            // TODO
            return null;
        }

        public void readExternal(java.io.ObjectInput in)
                throws java.io.IOException, ClassNotFoundException {
            // TODO
        }

        public void writeExternal(java.io.ObjectOutput out) throws java.io.IOException {
            // TODO
        }
    }

    @SuppressWarnings("unused")
    public class Win32EventLogRecord implements java.io.Externalizable {
        private static final long serialVersionUID = 1L;
        public static final Long EVENTLOG_ERROR_TYPE = 0x0001L;
        public static final Long EVENTLOG_AUDIT_FAILURE = 0x0010L;
        public static final Long EVENTLOG_AUDIT_SUCCESS = 0x0008L;
        public static final Long EVENTLOG_INFORMATION_TYPE = 0x0004L;
        public static final Long EVENTLOG_WARNING_TYPE = 0x0002L;

        private Long Length;
        private Long Reserved;
        private Long RecordNumber;
        private Long TimeGenerated;
        private Long TimeWritten;
        private Long EventID;
        private Integer EventType;
        private Integer NumStrings;
        private Integer EventCategory;
        private Integer ReservedFlags;
        private Long ClosingRecordNumber;
        private Long StringOffset;
        private Long UserSidLength;
        private Long UserSidOffset;
        private Long DataLength;
        private Long DataOffset;

        public void readExternal(java.io.ObjectInput in)
                throws java.io.IOException, ClassNotFoundException {
            // TODO
        }

        public void writeExternal(java.io.ObjectOutput out) throws java.io.IOException {
            // TODO
        }
    }

    @SuppressWarnings("unused")
    public class Win32EventLogEOF implements java.io.Externalizable {
        private static final long serialVersionUID = 1L;
        private Long RecordSizeBeginning;
        private Long One;
        private Long Two;
        private Long Three;
        private Long Four;
        private Long BeginRecord;
        private Long EndRecord;
        private Long CurrentRecordNumber;
        private Long OldestRecordNumber;
        private Long RecordSizeEnd;

        public void readExternal(java.io.ObjectInput in)
                throws java.io.IOException, ClassNotFoundException {
            // TODO
        }

        public void writeExternal(java.io.ObjectOutput out) throws java.io.IOException {
            // TODO
        }
    }
amit3281@gmail.com - 13 Jul 2007 12:27 GMT
Hi,
Thanks for this stuff, it's very helpful, but I am a naive user in Java and I am unable to play with binary data to move to a particular offset and to read data from this pattern; also I need to run this code on Linux in Java. Can you explain binary data handling to me? I am a C++ user; commands for playing with byte arrays, moving to a particular offset, skipping a particular offset, as in C++ I can very well do it using pointers, but I don't know how to do it with Java.
Thanks in advance
Jeff Higgins - 13 Jul 2007 14:04 GMT
amit3281 wrote:
> Hi,
> Thanks for this stuff it's very helpful, but i am naive user in java
> and i am unable to play with binary data to move to particular offset
> and to read data from this pattern also i need to run this code in
> Linux for JAVA.
Just so I'm not misunderstanding you: you want to parse backed-up Win32 event log files, not manipulate active event logs?
Is this correct? If so:
I'm not certain why you want to read Win32 event log files on a Linux platform, but... There seem to be many gotchas involved in the whole (wide) topic of the Win32 event logging system. cf: <http://www.grimes.demon.co.uk/workshops/InstrWSEight.htm> One practical matter seems to be the data format the files are written in. See below for retrieving the header info.
> Can you explain me binary data handling, I am a c++ user
> commands for playing with byte arrays move to particular offset, skip
> partikular offset, as in c++ i can very well do it using pointers but
> i don't know how to do it with java
Probably not. I'm pretty new to Java myself. Java has Basic I/O and New I/O. For an overview tutorial see: <http://java.sun.com/docs/books/tutorial/essential/io/index.html> Maybe a java.io.RandomAccessFile type would work well here? If you weren't working from a Linux platform, and given that you are familiar with C++, I would say that probably the mobetter way to approach this would be through the Java Native Interface to the Win32 API.
This writes a basic header to a file and reads it back on my Win32 platform. I can use it to read header info from backed-up event log files on my system.
    import java.io.FileInputStream;
    import java.io.FileNotFoundException;
    import java.io.FileOutputStream;
    import java.io.IOException;
    import java.io.InputStream;
    import java.io.OutputStream;
    import java.nio.ByteBuffer;
    import java.nio.ByteOrder;

    public class Test {
        public static void main(String[] args) {
            FileInputStream fis;
            FileOutputStream fos;
            try {
                Win32EventLogHeader header = new Win32EventLogHeader();
                fos = new FileOutputStream("test");
                header.writeHeader(fos);
                fos.close();
                fis = new FileInputStream("test");
                header.readHeader(fis);
                fis.close();
            } catch (FileNotFoundException e) {
                e.printStackTrace();
            } catch (IOException e) {
                e.printStackTrace();
            }
        }

        public static class Win32EventLogHeader {
            // The twelve ELF_LOGFILE_HEADER words, in file order: HeaderSize, Signature ("LfLe"),
            // MajorVersion, MinorVersion, StartOffset, EndOffset, CurrentRecordNumber,
            // OldestRecordNumber, MaxSize, Flags, Retention, EndHeaderSize.
            public int[] data = {0x30, 0x654C664C, 0x1, 0x1, -0x1, -0x1, -0x1, 0x0, 0x80000, 0x0, 0x0, 0x30};

            public void writeHeader(OutputStream out) throws IOException {
                for (int i : data) {
                    ByteBuffer buff = ByteBuffer.allocate(4);
                    buff.order(ByteOrder.LITTLE_ENDIAN).putInt(i);   // on-disk order is little-endian
                    out.write(buff.array());
                }
            }

            public void readHeader(InputStream in) throws IOException {
                int count = 0;
                int tmp;
                while ((tmp = in.read()) > -1 && count < 12) {
                    data[count] = Integer.reverseBytes(tmp);
                }
            }
        }
    }
Jeff Higgins - 13 Jul 2007 16:01 GMT
> public void readHeader(InputStream in) throws IOException
Oops, old version, sorry.
    public void readHeader(InputStream in) throws IOException {
        // ELF_LOGFILE_HEADER is twelve 32-bit words (48 bytes), little-endian on disk,
        // so the buffer must use the same byte order that writeHeader used.
        ByteBuffer buff = ByteBuffer.allocate(48);
        buff.order(ByteOrder.LITTLE_ENDIAN);
        byte[] bytes = new byte[4];
        int count = 0;
        while (count < 12) {
            // read(byte[]) may return fewer than 4 bytes; keep reading until the word is complete
            int got = 0;
            while (got < 4) {
                int n = in.read(bytes, got, 4 - got);
                if (n < 0) {
                    throw new java.io.EOFException("header truncated after " + count + " words");
                }
                got += n;
            }
            buff.put(bytes);
            count++;
        }
        buff.flip();
        for (int i = 0; i < 12; i++) {   // all twelve words, not eleven
            data[i] = buff.getInt();
        }
    }
Roedy Green - 13 Jul 2007 17:20 GMT
> Can Anyone send me Parser source code for Windows Event Log in Java
If you don't find one, these tools might help:
http://mindprod.com/jgloss/csv.html
http://mindprod.com/jgloss/regex.html
http://mindprod.com/jgloss/parser.html
That is an ascending list of hammers.
--
Roedy Green, Canadian Mind Products, The Java Glossary, http://mindprod.com
amit3281@gmail.com - 16 Jul 2007 06:58 GMT
On Jul 13, 9:20 pm, Roedy Green <see_webs...@mindprod.com.invalid> wrote:
Thanks for all this stuff, it's a great help for me. Also, can anyone help me with how to skip some bytes when reading a ByteBuffer?
Also I need to know: is there any way in Java that I can typecast a whole class to a ByteBuffer and have the members get their values from it, like in C++ when we typecast a structure onto a byte buffer and get all the structure elements populated?
Also I need to know: is there any way I can have a pointer into the ByteBuffer (a read pointer) which I can increment, say by 8 or so?
Thanks in advance
Twisted - 16 Jul 2007 07:06 GMT
On Jul 16, 1:58 am, amit3...@gmail.com wrote:
> Thanks for all this stuff, it's a great help for me, also can anyone
> help me how to skip some bytes reading bytebuffer,
The obvious method is just to read those bytes and ignore them.
> Also I need to know is there any way in java so that i can typecast
> whole class to bytebuffer and members get it's value in it, Like C++
> when we typecast structure in byte buffer we get all the structure
> elements populated
Nope. You should either use serialization, or, if it's an existing file format you want to read, create a data structure in Java classes that corresponds to the format and write a constructor that reads the data from a byte buffer and uses it to figure out what values to assign its members. For example it might have a few integer members and an array member: read a header, assign the loose integers, create an array of the appropriate size based on this info, and read more data to populate the array.
The C/C++ method of just casting data to a struct is brittle anyway, since byte order and packing/layout can vary from one system or application to the next.
> Also I need to know is there any way i can have pointer of
> bytebuffer(read pointer) which i can increment say by 8 or so.
Well, if you have a byte array you can jump by eight by adding eight to an array index. If you're looking to read in 64-bit integers or something from some file format, you'll need to know the format's byte ordering for these values, and read sets of eight bytes, multiply by the appropriate powers of 2 (or shift-left them), and add them (or logical-or them) together to construct Java longs.
Working with binary file formats in Java can be a bit of a mess, but the result should be robust, unlike C code full of casts when you change compiler or try to use it on a different type of hardware (e.g. a SPARC instead of x86)...
amit3281@gmail.com - 16 Jul 2007 11:39 GMT
Thanks a lot for such quick and helpful responses.
Roedy Green - 16 Jul 2007 12:23 GMT
> Also I need to know is there any way in java so that i can typecast
> whole class to bytebuffer and members get it's value in it, Like C++
> when we typecast structure in byte buffer we get all the structure
> elements populated
Java's use of references to independent objects, even for Strings and arrays, pretty well precludes that COBOL/C style structure processing.
--
Roedy Green, Canadian Mind Products, The Java Glossary, http://mindprod.com
Jeff Higgins - 16 Jul 2007 12:24 GMT
amit3281 wrote:
> Thanks for all this stuff, it's a great help for me, also can anyone
> help me how to skip some bytes reading bytebuffer,
RandomAccessFile has the .getFilePointer() and .seek(long) methods. Both RandomAccessFile and FileInputStream have the .getFileChannel() method, but I've not used the java.nio package yet, so I couldn't be of any help there. There's a series of FileChannel and ByteBuffer tutorials here: <http://www.developer.com/java/article.php/1473151>
amit3281@gmail.com - 20 Jul 2007 06:43 GMT
> There's a series of FileChannel and ByteBuffer tutorials here:
> <http://www.developer.com/java/article.php/1473151>
Hi,
I had read this article a few days before: http://computer.forensikblog.de/en/2007/02/a_common_misconception.html It says that event logs rotate within the same file, so it may not be compulsory for the first event to be at the same place. Can anyone clear this up for me?
Also I want to know what the first 4 bytes in the event log represent, before (LfLe): 30 00 00 00 4c 66 4c 65 (LfLe)
Thanks in advance
Amit Papriwal
amit3281@gmail.com - 20 Jul 2007 06:57 GMT
I think I had left out some fields.
This is the whole header, but which type of header is it? Is this the file header?
Thanks and regards
Amit
Jeff Higgins - 20 Jul 2007 09:44 GMT
>> I had read this article few days before,
>> http://computer.forensikblog.de/en/2007/02/a_common_misconception.html
>> this tells that event logs rotates on same file so it may not
>> compulsary to get first event at same place can anyone clear me this.
Please, please see the links to the Microsoft Developer Network Library that I have posted here and in another thread. The MSDN Library is even multi-lingual; at the top of the page there is a drop-down menu to select the language of your choice.
Here is the link to Windows Events, it is an overview topic with links to increasingly finer detailed topics. <http://msdn2.microsoft.com/en-us/library/aa964766.aspx>
Here is the link to Event Logging Structures, it is an overview topic with links to increasingly finer detailed topics. <http://msdn2.microsoft.com/en-us/library/aa363659.aspx>
>> Also I want to for what the first 4 bytes in Event Log represents,
>> before (LfLe).
> this is whole header, but which type of header, is this file
> header........
Here is the link to ELF_LOGFILE_HEADER, it is a detailed specification for the ELF_LOGFILE_HEADER. <http://msdn2.microsoft.com/en-us/library/bb309024.aspx>
Here is the link to EVENTLOGRECORD, it is a detailed specification for the EVENTLOGRECORD. <http://msdn2.microsoft.com/en-us/library/aa363646.aspx>
Here is the link to ELF_EOF_RECORD, it is a detailed specification for the ELF_EOF_RECORD. <http://msdn2.microsoft.com/en-us/library/bb309022.aspx>
Reiterating some other links I've posted:
<http://www.grimes.demon.co.uk/workshops/InstrWSEight.htm>
<http://java.sun.com/docs/books/tutorial/essential/io/index.html>
<http://java.sun.com/javase/6/docs/api/java/io/RandomAccessFile.html>
<http://java.sun.com/javase/6/docs/api/java/nio/channels/FileChannel.html>
<http://java.sun.com/javase/6/docs/api/java/nio/ByteBuffer.html>
<http://www.developer.com/java/article.php/1473151>
I have no more, I'm sorry. After you read the links above you will know as much of the subject as I do, probably much more!
Good luck. JH
amit3281@gmail.com - 23 Jul 2007 07:20 GMT
> Good luck.
> JH
Hi,
Can you tell me one thing? I had read all these sites but my parser is unable to read all the records in the file properly. I need to read this file from the beginning or from the end, i.e. the oldest record needs to be fetched first, or the newest...
Thanks in advance.
Amit
Jeff Higgins - 23 Jul 2007 11:43 GMT
> Hi,
First, please note that I am no expert; all I know of the subject is what I've read in the links provided.
> Can you tell me one thing, I had read all these sites but my parser is
> unable to read properly all records in file.
You may have a reader that functions perfectly according to the specifications given in the links to the Windows Event Log Format, but according to the Grimes link there are several "gotchas" involved, probably more now than when that article was written.
> I need to read this file from beginning or from end. i.e oldest record
> need to be fetched first or newest...
According to the specification (excerpted below) there are many ways you could do it. But it looks like a sequential search starting with the oldest record would be the easiest.
ELF_LOGFILE_HEADER
StartOffset The offset to the oldest record in the event log.
EndOffset The offset to the ELF_EOF_RECORD in the event log.
CurrentRecordNumber The number of the next record that will be added to the event log.
OldestRecordNumber The number of the oldest record in the event log. For an empty file, the oldest record number is set to 0.
************************************************
EVENTLOGRECORD
Length The size of this event record, in bytes. Note that this value is stored at both ends of the entry to ease moving forward or backward through the log. The length includes any pad bytes inserted at the end of the record for DWORD alignment.
RecordNumber The number of the record. This value can be used with the EVENTLOG_SEEK_READ flag in the ReadEventLog function to begin reading at a specified record. For more information, see Event Log Records.
*************************************************
ELF_EOF_RECORD
BeginRecord The offset to the oldest record. If the event log is empty, this is set to the start of this structure.
EndRecord The offset to the start of this structure.
CurrentRecordNumber The record number of the next event that will be written to the event log.
OldestRecordNumber The record number of the oldest record in the event log. The record number will be 0 if the event log is empty.
amit3281@gmail.com - 25 Jul 2007 08:50 GMT
> The record number of the oldest record in the event log.
> The record number will be 0 if the event log is empty.
Hi,
Now I am able to get all the values, but when the file is live I am not able to get the values,
as it contains half a record at the end and half after the file header.
Thanks and regards,
Amit
Jeff Higgins - 25 Jul 2007 12:47 GMT
amit wrote:
> Hi,
>
> Now I am able to get all values, but when file is live then i am not
> able to get values.
>
> As it contains half record in last and half after file header.
Hi Amit,
Glad to hear that you're making progress. It sounds like you're comfortable now following pointers through the file byte stream.
Unfortunately I'm not able to help with this latest stumbling block. My knowledge of the subject is exhausted before this. Although I will say that I seem to recall reading that there is no guarantee as to where in the stream a new record will be placed, only that it will contain pointers to the previous and next records. Of course, with my limited knowledge of the subject, anything I say should be suspected of being incorrect.
All I can do from this point is to reiterate a pointer to the source. <http://msdn2.microsoft.com/en-us/library/aa964766.aspx>
Best regards. JH
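As an added example (not code from anyone in this thread), here is the sequential walk described in the spec excerpts above, reading every multi-byte field as a little-endian int from a ByteBuffer as Twisted and Jeff suggest: it checks the LfLe signature, starts at StartOffset, uses the Length stored at both ends of each EVENTLOGRECORD as an integrity check, stops at the ELF_EOF_RECORD, and reassembles a record that is split across the end of the file. The EvtWalker class, its sample image and the assumption that a split record continues directly after the 0x30-byte header are all this example's own.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.util.ArrayList;
import java.util.List;

public class EvtWalker {
    static final int HEADER_SIZE = 0x30, EOF_SIZE = 0x28, RECORD_FIXED = 56;
    static final int LFLE = 0x654C664C;   // bytes 4c 66 4c 65 ("LfLe") read as a little-endian int

    // Copies len bytes from pos; past the end of the file the copy continues right after the
    // header, which is where a record split by log wrap-around is assumed to resume.
    static ByteBuffer slice(byte[] img, int pos, int len) {
        byte[] out = new byte[len];
        for (int i = 0; i < len; i++) {
            int o = pos + i;
            if (o >= img.length) o = HEADER_SIZE + (o - img.length);
            out[i] = img[o];
        }
        return ByteBuffer.wrap(out).order(ByteOrder.LITTLE_ENDIAN);
    }

    // Returns "RecordNumber:EventID:EventType" for every record, oldest first.
    public static List<String> walk(byte[] img) {
        ByteBuffer hdr = ByteBuffer.wrap(img).order(ByteOrder.LITTLE_ENDIAN);
        if (hdr.getInt(0) != HEADER_SIZE || hdr.getInt(4) != LFLE)
            throw new IllegalArgumentException("not an ELF_LOGFILE_HEADER");
        int pos = hdr.getInt(16);                             // StartOffset: the oldest record
        List<String> out = new ArrayList<>();
        for (int guard = 0; guard < 1_000_000; guard++) {     // bounds the walk on a corrupt chain
            ByteBuffer head = slice(img, pos, 8);
            int length = head.getInt(0);
            if (length == EOF_SIZE && head.getInt(4) == 0x11111111) break;   // ELF_EOF_RECORD
            if (length < RECORD_FIXED + 4 || length > img.length || head.getInt(4) != LFLE)
                throw new IllegalStateException("bad record at 0x" + Integer.toHexString(pos));
            ByteBuffer rec = slice(img, pos, length);
            if (rec.getInt(length - 4) != length)              // Length is stored at both ends
                throw new IllegalStateException("length mismatch at 0x" + Integer.toHexString(pos));
            out.add(rec.getInt(8) + ":" + rec.getInt(20) + ":" + rec.getShort(24));
            pos += length;
            if (pos >= img.length) pos = HEADER_SIZE + (pos - img.length);
        }
        return out;
    }

    // Constructed EVENTLOGRECORD with no strings, SID or data: 56 fixed bytes plus the trailing Length.
    static byte[] record(int number, int eventId, short type) {
        int len = RECORD_FIXED + 4;
        ByteBuffer b = ByteBuffer.allocate(len).order(ByteOrder.LITTLE_ENDIAN);
        b.putInt(len).putInt(LFLE).putInt(number).putInt(0).putInt(0).putInt(eventId).putShort(type);
        b.putInt(RECORD_FIXED, len);
        return b.array();
    }

    // Constructed 208-byte image: header (Flags = ELF_LOGFILE_HEADER_WRAP), tail of a wrapped
    // record, EOF record, the oldest record, then the head of the wrapped record at the very end.
    public static void main(String[] args) {
        byte[] r1 = record(7, 100, (short) 4), r2 = record(8, 101, (short) 1);
        ByteBuffer img = ByteBuffer.allocate(208).order(ByteOrder.LITTLE_ENDIAN);
        img.putInt(HEADER_SIZE).putInt(LFLE).putInt(1).putInt(1).putInt(116).putInt(76)
           .putInt(9).putInt(7).putInt(0x80000).putInt(0x2).putInt(0).putInt(HEADER_SIZE);
        img.put(r2, 32, 28).putInt(EOF_SIZE).putInt(0x11111111).putInt(0x22222222).putInt(0x33333333)
           .putInt(0x44444444).putInt(116).putInt(76).putInt(9).putInt(7).putInt(EOF_SIZE);
        img.put(r1).put(r2, 0, 32);
        System.out.println(walk(img.array()));
    }
}
```

Record 8 is stored as 32 bytes at the end of the file and 28 bytes after the header, so the walk only succeeds because slice() follows the wrap; dropping that mapping reproduces the "half record at the end, half after the header" failure.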