diff -uNrp trunk.orig/src/zabbix_agent/eventlog.c trunk/src/zabbix_agent/eventlog.c
--- trunk.orig/src/zabbix_agent/eventlog.c	2010-02-14 21:11:20.000000000 +0900
+++ trunk/src/zabbix_agent/eventlog.c	2010-02-15 01:45:04.000000000 +0900
@@ -22,6 +22,7 @@
 
 #include "log.h"
 #include "eventlog.h"
+#include "winevt.h"
 
 #define MAX_INSERT_STRS 100
 #define MAX_MSG_LENGTH 1024
@@ -82,6 +83,167 @@ static long	zbx_close_eventlog(HANDLE ev
 	return SUCCEED;
 }
 
+static long    zbx_get_eventlog_message_xpath(
+	LPCTSTR		wsource,
+	long		which,
+	char		**out_source,
+	char		**out_message,
+	unsigned short	*out_severity,
+	unsigned long	*out_timestamp)
+{
+	const char	*__function_name = "zbx_get_eventlog_message_xpath";
+	long		ret = FAIL;
+	LPSTR		tmp_str = NULL;
+	LPWSTR		tmp_wstr = NULL;
+	LPWSTR		event_query = NULL; // L"Event/System[EventRecordID=WHICH]"
+	unsigned long		status = ERROR_SUCCESS;
+	PEVT_VARIANT	eventlog_array = NULL;
+	HANDLE		eventlog_handle = NULL;
+	HANDLE		eventlog_each_handle = NULL;
+	HANDLE		eventlog_context_handle = NULL;
+	HANDLE		eventlog_providermetadata_handle = NULL;
+	LPWSTR		query_array[] = { L"/Event/System/Provider/@Name",
+			L"/Event/System/EventRecordID",
+			L"/Event/System/Level",
+			L"/Event/System/TimeCreated/@SystemTime"};
+	DWORD		array_count = 4;
+	DWORD		dwReturned = 0, dwValuesCount = 0, dwBufferSize = 0;
+	const ULONGLONG	sec_1970 = 116444736000000000;
+
+	assert(out_source);
+	assert(out_message);
+	assert(out_severity);
+	assert(out_timestamp);
+
+	zabbix_log(LOG_LEVEL_DEBUG, "In %s() which:%ld", __function_name, which);
+
+	*out_source		= NULL;
+	*out_message	= NULL;
+	*out_severity	= 0;
+	*out_timestamp	= 0;
+
+	if( !wsource || !*wsource )
+	{
+		zabbix_log(LOG_LEVEL_WARNING, "Can't open eventlog with empty name");
+		goto finish;
+	}
+
+	tmp_str = zbx_dsprintf(NULL, "Event/System[EventRecordID=%ld]", which);
+	event_query = zbx_utf8_to_unicode(tmp_str);
+	zbx_free(tmp_str);
+
+	eventlog_handle = EvtQuery(NULL, wsource, event_query, EvtQueryChannelPath);
+
+	if (NULL == eventlog_handle)
+	{
+		status = GetLastError();
+
+		if (ERROR_EVT_CHANNEL_NOT_FOUND == status)
+		{
+			zabbix_log(LOG_LEVEL_WARNING, "Missed eventlog");
+		}
+		else
+		{
+			zabbix_log(LOG_LEVEL_WARNING, "EvtQuery failed");
+		}
+		goto finish;
+	}
+
+	eventlog_context_handle = EvtCreateRenderContext(array_count, (LPCWSTR*)query_array, EvtRenderContextValues);
+	if (NULL == eventlog_context_handle) {
+			zabbix_log(LOG_LEVEL_WARNING, "EvtCreateRenderContext failed\n");
+			goto finish;
+	}
+
+	if (!EvtNext(eventlog_handle, 1, &eventlog_each_handle, INFINITE, 0, &dwReturned))
+	{
+		zabbix_log(LOG_LEVEL_WARNING, "First EvtNext failed with %lu\n", status);
+		goto finish;
+	}
+
+	if (!EvtRender(eventlog_context_handle, eventlog_each_handle, EvtRenderEventValues, dwBufferSize, eventlog_array, &dwReturned, &dwValuesCount))
+	{
+		if (ERROR_INSUFFICIENT_BUFFER == (status = GetLastError()))
+		{
+			dwBufferSize = dwReturned;
+			if((eventlog_array = (PEVT_VARIANT)zbx_malloc(eventlog_array, dwBufferSize)) == NULL){
+				zabbix_log(LOG_LEVEL_WARNING, "EvtRender malloc failed\n");
+				goto finish;
+			}
+			if (!EvtRender(eventlog_context_handle, eventlog_each_handle, EvtRenderEventValues, dwBufferSize, eventlog_array, &dwReturned, &dwValuesCount)) {
+				zabbix_log(LOG_LEVEL_WARNING, "EvtRender failed\n");
+				goto finish;
+			}
+		}
+
+		if (ERROR_SUCCESS != (status = GetLastError()))
+		{
+			zabbix_log(LOG_LEVEL_WARNING, "EvtRender failed with %d\n", GetLastError());
+			goto finish;
+		}
+	}
+
+	*out_source = zbx_unicode_to_utf8(eventlog_array[0].StringVal);
+
+	eventlog_providermetadata_handle = EvtOpenPublisherMetadata(NULL, (eventlog_array[0].StringVal), NULL, 0, 0);
+	if (NULL == eventlog_providermetadata_handle)
+	{
+		zabbix_log(LOG_LEVEL_WARNING, "EvtOpenPublisherMetadata failed with %d\n", GetLastError());
+		goto finish;
+	}
+
+	dwBufferSize = 0;
+	dwReturned = 0;
+
+	if (!EvtFormatMessage(eventlog_providermetadata_handle, eventlog_each_handle, 0, 0, NULL, EvtFormatMessageEvent, dwBufferSize, tmp_wstr, &dwReturned))
+	{
+		if (ERROR_INSUFFICIENT_BUFFER == (status = GetLastError()))
+		{
+			dwBufferSize = dwReturned;
+			if((tmp_wstr = (LPWSTR)zbx_malloc(tmp_wstr, dwBufferSize * sizeof(WCHAR))) == NULL){
+				zabbix_log(LOG_LEVEL_WARNING, "EvtFormatMessage malloc failed\n");
+				goto finish;
+			}
+			if (!EvtFormatMessage(eventlog_providermetadata_handle, eventlog_each_handle, 0, 0, NULL, EvtFormatMessageEvent, dwBufferSize, tmp_wstr, &dwReturned)) {
+				zabbix_log(LOG_LEVEL_WARNING, "EvtFormatMessage failed\n");
+				goto finish;
+			}
+		}
+
+		if (ERROR_SUCCESS != (status = GetLastError()))
+		{
+			zabbix_log(LOG_LEVEL_WARNING, "EvtFormatMessage failed with %d\n", GetLastError());
+			goto finish;
+		}
+	}
+
+	*out_message= zbx_unicode_to_utf8(tmp_wstr);
+	zbx_free(tmp_wstr);
+	*out_severity = eventlog_array[2].ByteVal;
+	*out_timestamp = (unsigned long)((eventlog_array[3].FileTimeVal - sec_1970)/10000000);
+	ret = SUCCEED;
+
+
+finish:
+	zbx_free(tmp_str);
+	zbx_free(tmp_wstr);
+	zbx_free(event_query);
+	zbx_free(eventlog_array);
+	if(eventlog_each_handle)
+		EvtClose(eventlog_each_handle);
+	if(eventlog_context_handle)
+		EvtClose(eventlog_context_handle);
+	if(eventlog_handle)
+		EvtClose(eventlog_handle);
+	if(eventlog_providermetadata_handle)
+		EvtClose(eventlog_providermetadata_handle);
+	if(FAIL == ret){
+		zbx_free(*out_source);
+		zbx_free(*out_message);
+	}
+
+	return ret;
+}
 /* get Nth error from event log. 1 is the first. */
 static int	zbx_get_eventlog_message(LPCTSTR wsource, HANDLE eventlog_handle, long which, char **out_source, char **out_message,
 		unsigned short *out_severity, unsigned long *out_timestamp, unsigned long *out_eventid)
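Review bot: The rendered values are read as `eventlog_array[0].StringVal`, `eventlog_array[2].ByteVal` and `eventlog_array[3].FileTimeVal` without checking `dwValuesCount` or each entry's `Type`, so an event that lacks one of these fields (event content comes from whichever process logged it) may cause the wrong union member to be read or a NULL string to reach `zbx_unicode_to_utf8` and `EvtOpenPublisherMetadata`. Validate the array right after the EvtRender block, as in the fence below. Separately, the EvtNext failure branch logs `status` while it still holds its initial `ERROR_SUCCESS`; assign `status = GetLastError();` before that `zabbix_log` call. The `ERROR_SUCCESS != (status = GetLastError())` test after a successful retry (both for EvtRender and EvtFormatMessage) depends on the retry having cleared the last-error value, which is worth confirming or replacing with an explicit success flag.

```c
	/* … unchanged: EvtRender sizing call and retry … */

	/* event content is written by other processes: check what was actually rendered */
	if (NULL == eventlog_array || dwValuesCount < array_count ||
			EvtVarTypeString != eventlog_array[0].Type || NULL == eventlog_array[0].StringVal ||
			EvtVarTypeFileTime != eventlog_array[3].Type)
	{
		zabbix_log(LOG_LEVEL_WARNING, "EvtRender returned unexpected values");
		goto finish;
	}

	*out_source = zbx_unicode_to_utf8(eventlog_array[0].StringVal);

	/* … unchanged: EvtOpenPublisherMetadata and EvtFormatMessage … */

	/* a missing Level is reported as severity 0 rather than read from an unset union member */
	*out_severity = (EvtVarTypeByte == eventlog_array[2].Type) ? eventlog_array[2].ByteVal : 0;
```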
@@ -201,23 +363,48 @@ retry:
 
 	if (SUCCEED != err)
 	{
-		*out_message = zbx_strdcatf(*out_message, "The description for Event ID ( %lu ) in Source ( %s ) cannot be found."
-				" The local computer may not have the necessary registry information or message DLL files to"
-				" display messages from a remote computer.", *out_eventid, NULL == *out_source ? "" : *out_source);
-		if (pELR->NumStrings)
-			*out_message = zbx_strdcatf(*out_message, " The following information is part of the event: ");
-		for (i = 0; i < pELR->NumStrings && i < MAX_INSERT_STRS; i++)
-		{
-			if (i > 0)
-				*out_message = zbx_strdcatf(*out_message, "; ");
-			if (aInsertStrs[i])
+		OSVERSIONINFO	versionInfo;
+		unsigned short	out_severity_tmp = *out_severity;
+		unsigned long	out_timestamp_tmp = *out_timestamp;
+		long			ex_ret = FAIL;
+
+		zbx_free(*out_source);
+		*out_source		= NULL;
+		*out_message	= NULL;
+		*out_severity	= 0;
+		*out_timestamp	= 0;
+
+		versionInfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
+		GetVersionEx(&versionInfo);
+		if (versionInfo.dwMajorVersion >= 6)    /* Windows Vista, Windows 7 or Windows Server 2008 */
+		{
+			ex_ret = zbx_get_eventlog_message_xpath(wsource,which,out_source,out_message,out_severity,out_timestamp);
+		}
+
+		if (versionInfo.dwMajorVersion < 6 || SUCCEED != ex_ret)    /* Before Windows Vista, or zbx_get_eventlog_message_path() failed */
+		{
+			*out_severity	= out_severity_tmp;
+			*out_timestamp	= out_timestamp_tmp;
+			*out_source = zbx_unicode_to_utf8((LPTSTR)(pELR + 1));	/* copy source name */
+
+
+			*out_message = zbx_strdcatf(*out_message, "The description for Event ID ( %lu ) in Source ( %s ) cannot be found."
+					" The local computer may not have the necessary registry information or message DLL files to"
+					" display messages from a remote computer.", *out_eventid, NULL == *out_source ? "" : *out_source);
+			if (pELR->NumStrings)
+				*out_message = zbx_strdcatf(*out_message, " The following information is part of the event: ");
+			for (i = 0; i < pELR->NumStrings && i < MAX_INSERT_STRS; i++)
 			{
-				buf = zbx_unicode_to_utf8(aInsertStrs[i]);
-				*out_message = zbx_strdcatf(*out_message, "%s", buf);
-				zbx_free(buf);
+				if (i > 0)
+					*out_message = zbx_strdcatf(*out_message, "; ");
+				if (aInsertStrs[i])
+				{
+					buf = zbx_unicode_to_utf8(aInsertStrs[i]);
+					*out_message = zbx_strdcatf(*out_message, "%s", buf);
+					zbx_free(buf);
+				}
 			}
 		}
-
 	}
 
 	ret = SUCCEED;
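Review bot: `GetVersionEx(&versionInfo)` is called without checking its result, so on failure `versionInfo.dwMajorVersion` is read uninitialised and the branch taken is arbitrary; `if (!GetVersionEx(&versionInfo)) versionInfo.dwMajorVersion = 0;` would send that case down the legacy path. In the same block `*out_source` is freed before being reset but `*out_message` is only set to NULL, which leaks anything the earlier part of the function (outside this hunk) may have stored there; `zbx_free(*out_message);` would match the line above it. The comment on the fallback condition names `zbx_get_eventlog_message_path()`, while the function added is `zbx_get_eventlog_message_xpath()`. The runtime version check also only protects pre-Vista hosts if the Evt* functions are not load-time imports of the agent binary; the link settings are not visible here, so that is worth confirming.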
