

Merge pull request #45 from fluent-plugins-nursery/traverse-file-stor…
…ed-evtx

query: Implement traverse feature for stored evtx files
ashie authored May 13, 2024
2 parents 0a9a3f8 + 5d5ce87 commit 9dd9c81
Showing 1 changed file with 46 additions and 4 deletions.
50 changes: 46 additions & 4 deletions ext/winevt/winevt_query.c
Expand Up @@ -85,15 +85,15 @@ static VALUE
rb_winevt_query_initialize(VALUE argc, VALUE *argv, VALUE self)
{
PWSTR evtChannel, evtXPath;
VALUE channel, xpath, session;
VALUE channel, xpath, session, rb_flags;
struct WinevtQuery* winevtQuery;
struct WinevtSession* winevtSession;
EVT_HANDLE hRemoteHandle = NULL;
DWORD len;
DWORD len, flags = 0;
VALUE wchannelBuf, wpathBuf;
DWORD err = ERROR_SUCCESS;

rb_scan_args(argc, argv, "21", &channel, &xpath, &session);
rb_scan_args(argc, argv, "22", &channel, &xpath, &session, &rb_flags);
Check_Type(channel, T_STRING);
Check_Type(xpath, T_STRING);

Expand All @@ -111,6 +111,17 @@ rb_winevt_query_initialize(VALUE argc, VALUE *argv, VALUE self)
}
}

switch (TYPE(rb_flags)) {
case T_FIXNUM:
flags = NUM2LONG(rb_flags);
break;
case T_NIL:
flags = EvtQueryChannelPath | EvtQueryTolerateQueryErrors;
break;
default:
rb_raise(rb_eArgError, "Expected a String, a Symbol, a Fixnum, or a NilClass instance");
}

// channel : To wide char
len =
MultiByteToWideChar(CP_UTF8, 0, RSTRING_PTR(channel), RSTRING_LEN(channel), NULL, 0);
Expand All @@ -128,7 +139,7 @@ rb_winevt_query_initialize(VALUE argc, VALUE *argv, VALUE self)
TypedData_Get_Struct(self, struct WinevtQuery, &rb_winevt_query_type, winevtQuery);

winevtQuery->query = EvtQuery(
hRemoteHandle, evtChannel, evtXPath, EvtQueryChannelPath | EvtQueryTolerateQueryErrors);
hRemoteHandle, evtChannel, evtXPath, flags);
err = GetLastError();
if (err != ERROR_SUCCESS) {
if (err == ERROR_EVT_CHANNEL_NOT_FOUND) {
Expand Down Expand Up @@ -613,6 +624,37 @@ Init_winevt_query(VALUE rb_cEventLog)
* @see https://msdn.microsoft.com/en-us/windows/desktop/aa385575#EvtSeekStrict
*/
rb_define_const(rb_cFlag, "Strict", LONG2NUM(EvtSeekStrict));

/*
* EVT_QUERY_FLAGS enumeration: EvtQueryChannelPath
* @since 0.10.3
* @see https://learn.microsoft.com/en-us/windows/win32/api/winevt/ne-winevt-evt_query_flags
*/
rb_define_const(rb_cFlag, "ChannelPath", LONG2NUM(EvtQueryChannelPath));
/*
* EVT_QUERY_FLAGS enumeration: EvtQueryFilePath
* @since 0.10.3
* @see https://learn.microsoft.com/en-us/windows/win32/api/winevt/ne-winevt-evt_query_flags
*/
rb_define_const(rb_cFlag, "FilePath", LONG2NUM(EvtQueryFilePath));
/*
* EVT_QUERY_FLAGS enumeration: EvtQueryForwardDirection
* @since 0.10.3
* @see https://learn.microsoft.com/en-us/windows/win32/api/winevt/ne-winevt-evt_query_flags
*/
rb_define_const(rb_cFlag, "ForwardDirection", LONG2NUM(EvtQueryForwardDirection));
/*
* EVT_QUERY_FLAGS enumeration: EvtQueryReverseDirection
* @since 0.10.3
* @see https://learn.microsoft.com/en-us/windows/win32/api/winevt/ne-winevt-evt_query_flags
*/
rb_define_const(rb_cFlag, "ReverseDirection", LONG2NUM(EvtQueryReverseDirection));
/*
* EVT_QUERY_FLAGS enumeration: EvtSeekOriginMask
* @since 0.10.3
* @see https://learn.microsoft.com/en-us/windows/win32/api/winevt/ne-winevt-evt_query_flags
*/
rb_define_const(rb_cFlag, "TolerateQueryErrors", LONG2NUM(EvtQueryTolerateQueryErrors));
/* clang-format on */

rb_define_method(rb_cQuery, "initialize", rb_winevt_query_initialize, -1);
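Review bot: The `default` branch of the new `switch (TYPE(rb_flags))` raises "Expected a String, a Symbol, a Fixnum, or a NilClass instance", yet the switch only handles T_FIXNUM and T_NIL, so a Symbol, String or T_BIGNUM argument is rejected with a message listing types that are not actually accepted; change it to `rb_raise(rb_eArgError, "Expected a Fixnum or a NilClass instance");`. In the same hunk `flags = NUM2LONG(rb_flags);` stores a signed long into the DWORD `flags`, so a negative Integer silently becomes a large unsigned bit set that is passed straight to EvtQuery; a guard such as `if (NUM2LONG(rb_flags) < 0) rb_raise(rb_eArgError, "flags must be non-negative");` before the assignment keeps the value in range, while the existing GetLastError() check after EvtQuery remains the backstop for unknown bits. In the Init_winevt_query hunk the comment above `rb_define_const(rb_cFlag, "TolerateQueryErrors", ...)` names `EvtSeekOriginMask`; it should read `EVT_QUERY_FLAGS enumeration: EvtQueryTolerateQueryErrors`. With EvtQueryFilePath now selectable by the caller, the ERROR_EVT_CHANNEL_NOT_FOUND branch that follows (its body lies outside the hunk) presumably still describes the first argument as a channel, which is worth confirming for the file-path case.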

