add utc timestamp output to fix tests
m-g-k committed Oct 15, 2023
1 parent e9a3cea commit f75d0a6
Showing 13 changed files with 3,384 additions and 3,175 deletions.
4 changes: 2 additions & 2 deletions .vscode/launch.json
Expand Up @@ -24,8 +24,8 @@
//"args": ["-i", "717916", "-v"],
//"args": ["-p", "*", "-l", "${workspaceFolder}\\test\\EventLogMonitorTests\\SampleEventLogs_LocaleMetaData\\ACE-11-Log.evtx", "-c", "De-DE"],
//"args": ["-p", "*", "-fi", "Listening", "-l", "${workspaceFolder}\\test\\EventLogMonitorTests\\SampleEventLogs_Dlls\\ACE-11-Log.evtx"],
//"args": ["-l", "${workspaceFolder}\\test\\EventLogMonitorTests\\SampleEventLogsMisc_Dlls\\misc-LCID-65535-1036-1031-1030-19-1.evtx", "-c", "10"],
"args": ["-s", "EventLogMonitorTestLogSource", "-p", "6"],
"args": ["-l", "${workspaceFolder}\\test\\EventLogMonitorTests\\SampleEventLogsMisc_Dlls\\misc-LCID-65535-1036-1031-1030-19-0.evtx", "-tf", "-utc"],
// "args": ["-s", "EventLogMonitorTestLogSource", "-p", "6"],
//"args": ["-l", "Visual Studio", "-b2", "-i", "0"],
//"args": ["-p", "*", "-l", "${workspaceFolder}\\test\\EventLogMonitorTests\\SampleEventLogs_LocaleMetaData\\Security-Log.evtx", "-fe"],
// "args":["-p", "*", "-3", "-l", "Application", "-fi", "Windows Firewall did not apply the following rule", "-c", "En-US"],
Expand Down
77 changes: 70 additions & 7 deletions src/EventLogMonitor/Program.cs
Expand Up @@ -28,6 +28,7 @@ limitations under the License.
using System.Reflection;
using System.Diagnostics.CodeAnalysis;
using System.Text;
using System.Xml;

namespace EventLogMonitor;

Expand Down Expand Up @@ -63,6 +64,7 @@ private bool ParseArguments(SimpleArgumentProcessor myArgs)
myArgs.SetOptionalBooleanArgument("-b2");
myArgs.SetOptionalBooleanArgument("-nt");
myArgs.SetOptionalBooleanArgument("-tf");
myArgs.SetOptionalBooleanArgument("-utc");
myArgs.SetOptionalBooleanArgument("-d");
myArgs.SetOptionalFlaggedArgument("-i");
myArgs.SetOptionalFlaggedArgument("-s");
Expand Down Expand Up @@ -195,12 +197,16 @@ private bool ParseArguments(SimpleArgumentProcessor myArgs)
iTailEventLog = false;
}

bool tsFirst = myArgs.GetBooleanArgument("-tf");
if (tsFirst)
if (myArgs.GetBooleanArgument("-tf"))
{
iTimestampFirst = true;
}

if (myArgs.GetBooleanArgument("-utc"))
{
iTimestampInUTC = true;
}

iDisplayLogs = myArgs.GetBooleanArgument("-d");

string filter = myArgs.GetFlaggedArgument("-fi"); // filter include
Expand Down Expand Up @@ -352,7 +358,7 @@ private bool ParseArguments(SimpleArgumentProcessor myArgs)
// Console.WriteLine("ERROR: GLE = {0}", Marshal.GetLastWin32Error());
cultureName.Append("Unknown");
}

iChosenCultureName = cultureName.ToString();
iChosenCultureLCID = defaultCultureAsLCID;
}
Expand Down Expand Up @@ -1028,7 +1034,15 @@ private bool DisplayEventLogEntry(EventRecord entry)
if (iTimestampFirst)
{
Console.ForegroundColor = ConsoleColor.White;
Console.Write(entry.TimeCreated + "." + entry.TimeCreated.Value.Millisecond + ": ");
if (iTimestampInUTC)
{
outputTimestampInUTC(entry, true);
}
else
{
Console.Write(entry.TimeCreated + "." + entry.TimeCreated.Value.Millisecond + ": ");
}

Console.ResetColor();
}

Expand All @@ -1054,7 +1068,15 @@ private bool DisplayEventLogEntry(EventRecord entry)
if (!iTimestampFirst)
{
Console.ForegroundColor = ConsoleColor.White;
Console.Write(" [" + entry.TimeCreated + "." + entry.TimeCreated.Value.Millisecond + "]\n");
if (iTimestampInUTC)
{
outputTimestampInUTC(entry, false);
}
else
{
Console.Write(" [" + entry.TimeCreated + "." + entry.TimeCreated.Value.Millisecond + "]\n");
}

Console.ResetColor();
}
else
Expand Down Expand Up @@ -1289,6 +1311,7 @@ public void MonitorEventLog()
private string iEntryEventIdAndLogLevelQuery = null; // query must be null to represent no query by default
private bool iCultureSet = false;
private bool iTimestampFirst = false;
private bool iTimestampInUTC = false;
private uint iOriginalIndex = 0;
private uint iRecordIndexMin = 0;
private uint iRecordIndexMax = 0;
Expand All @@ -1307,12 +1330,12 @@ private static void DisplayHelp()
Console.WriteLine("EventLogMonitor : Version {0} : https://github.com/m-g-k/EventLogMonitor", GetProductVersion());
Console.WriteLine("Usage:");
Console.WriteLine(" Usage 1 : EventLogMonitor [-p <count>] [-1|-2|-3] [-s <src>] [-nt] [-v]");
Console.WriteLine(" [-b1] [-b2] [-l <log>] [-c <culture>] [-tf]");
Console.WriteLine(" [-b1] [-b2] [-l <log>] [-c <culture>] [-tf] [-utc]");
Console.WriteLine(" [-fi <filt>] [-fx <filt>] [-fn <IDs>] [-fw|-fe|-fc]");
Console.WriteLine(" Usage 2 : EventLogMonitor -i index [-v] [p <count>] [-c <culture>]");
Console.WriteLine(" [-b1] [-b2] [-fi <filt>] [-fx <filt>] [-fn <IDs>]");
Console.WriteLine(" [-fw | -fe | -fc]");
Console.WriteLine(" [-1|-2|-3] [-l <log>] [-tf]");
Console.WriteLine(" [-1|-2|-3] [-l <log>] [-tf] [-utc]");
Console.WriteLine(" Usage 3 : EventLogMonitor -d [-v] [-l <log>]");
Console.WriteLine("Examples:");
Console.WriteLine(" EventLogMonitor -p * -s *");
Expand Down Expand Up @@ -1361,6 +1384,7 @@ private static void DisplayHelp()
Console.WriteLine(" -fn Specify -fn <id_filter> to only show entries with the specified IDs.");
Console.WriteLine(" The ID filter supports included, excluded and ranges of event IDs. For");
Console.WriteLine(" details see: https://github.com/m-g-k/EventLogMonitor#filter-on-event-id");
Console.WriteLine(" -utc Display the timestamp as UTC.");
Console.WriteLine(" -version - displays the version of this tool.");
Console.WriteLine(" -? or -help - displays this help.");
Console.WriteLine("Notes:");
Expand Down Expand Up @@ -1496,6 +1520,45 @@ public static bool LogIsAFile(string logName)
return !string.IsNullOrEmpty(logName) && (logName.Contains(':') || logName.Contains('\\') || logName.Contains('.'));
}

private static void outputTimestampInUTC(EventRecord entry, bool first)
{
var entryAsXml = entry.ToXml();

// quick hack to grab the timestamp out of the XML
var timeSearch = "<TimeCreated SystemTime='";
int startPos = entryAsXml.IndexOf(timeSearch);
if (startPos > 0)
{
int endPos = entryAsXml.IndexOf("'/>", startPos);
if (endPos > 0)
{
var begin = startPos + timeSearch.Length;
var length = endPos - begin;
var rawTimeStamp = entryAsXml.Substring(begin, length);
var dt = XmlConvert.ToDateTime(rawTimeStamp, XmlDateTimeSerializationMode.Utc);
if (first)
{
Console.Write(dt + "." + dt.Millisecond + ": ");
}
else
{
Console.Write(" [" + dt + "." + dt.Millisecond + "]\n");
}
return;
}
}

// fall back if the xml does not find a match
if (first)
{
Console.Write(entry.TimeCreated + "." + entry.TimeCreated.Value.Millisecond + ": ");
}
else
{
Console.Write(" [" + entry.TimeCreated + "." + entry.TimeCreated.Value.Millisecond + "]\n");
}
}

private static bool LogNameMatch(string logName, string[] logsToMatch, bool matchAll)
{
if (matchAll)
Expand Down
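Review bot: In outputTimestampInUTC both IndexOf calls are culture-sensitive and the `startPos > 0` test treats a match at offset 0 the same as "not found" (IndexOf returns -1 on no match), so the guard should read `int startPos = entryAsXml.IndexOf(timeSearch, StringComparison.Ordinal);` followed by `if (startPos >= 0)`, with `StringComparison.Ordinal` on the `"'/>"` search as well. Since entry.TimeCreated is already a DateTime, `entry.TimeCreated.Value.ToUniversalTime()` should, I believe, yield the same instant without re-parsing the event XML (worth confirming against the SystemTime attribute before dropping the XML path), which would also make the new `using System.Xml;` in the first hunk unnecessary. The Console.Write branches here, like the ones in the two DisplayEventLogEntry hunks, print `dt.Millisecond` unpadded, so 5 ms renders as ".5" rather than ".005"; `dt.Millisecond.ToString("000")` would keep the field fixed-width and is probably what a test comparing output expects. As a point of style, the file's other private static helpers (LogIsAFile, LogNameMatch, DisplayHelp) are PascalCase, so `OutputTimestampInUTC` would match the existing naming.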