dotnet / runtime

.NET is a cross-platform runtime for cloud, mobile, desktop, and IoT apps.
https://docs.microsoft.com/dotnet/core/
MIT License

Support System.Diagnostics.Eventing on Linux/Mac #23948

Closed huangsam closed 4 years ago

huangsam commented 7 years ago

Port System.Diagnostics.Eventing to Linux & Mac -- for Windows Event Log parsing purposes. I created a SO post here documenting the issue I currently have with dotnet and mono.

danmoseley commented 7 years ago

@brianrob could you please advise about this.

brianrob commented 7 years ago

@huangsam, I don't expect that we'll port System.Diagnostics.Eventing to Linux and OSX because it is a wrapper around the Windows Event Log. Thus, it won't really do anything without the Windows functionality underneath it.

That said, can you tell us what you're trying to do? Perhaps there are other solutions that we can recommend to use in its place. There are other logging / tracing systems that we do support.

huangsam commented 7 years ago

I'm trying to query for Critical, Warning and Error logs using EventLogQuery and track metadata about the log lines in a tab-delimited format (i.e. .tsv). Here's the portion of the code that may be of interest to you:

using System;
using System.Diagnostics.Eventing.Reader;
using System.IO;
using System.Text.RegularExpressions;

// System.Diagnostics.Eventing.Reader wraps the Windows Event Log API, so this runs
// on Windows only. Exports Critical/Error/Warning events from inFile to a
// tab-delimited outFile, one row per event.
static void ExportEvents(string inFile, string outFile, string outSeparator = "\t")
{
    // Query for the following levels: Critical, Warning, Error
    string query = "*[System/Level=1 or System/Level=2 or System/Level=3]";
    EventLogQuery eventsQuery = new EventLogQuery(inFile, PathType.FilePath, query);
    using (EventLogReader reader = new EventLogReader(eventsQuery))
    {
        using (StreamWriter file = new StreamWriter(outFile, false))
        {
            // Write header
            string[] headerColumns = {
                "TimeCreated",
                "MachineName",
                "LevelDisplayName",
                "FormatDescription"
            };
            file.WriteLine(String.Join(outSeparator, headerColumns));

            // Write data
            EventRecord record;
            while ((record = reader.ReadEvent()) != null)
            {
                using (record)
                {
                    try
                    {
                        // Flatten tabs/newlines so each event stays on one TSV line
                        string[] recordData = {
                            record.TimeCreated.ToString(),
                            record.MachineName,
                            record.LevelDisplayName,
                            Regex.Replace(record.FormatDescription(), @"\t|\n|\r", " ")
                        };
                        file.WriteLine(String.Join(outSeparator, recordData));
                    }
                    catch (Exception)
                    {
                        // FormatDescription() can fail when the provider's message
                        // resources are unavailable; skip such records
                        continue;
                    }
                }
            }
        }
    }
}

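
The same level filter and TSV layout, applied off Windows to the per-event XML that a dump tool such as evtx_dump.py produces. This is an added example, not code from the issue or from dotnet/runtime; it assumes one `<Event>` XML document per record (the standard Windows event schema namespace), uses only the Python standard library, and, because message-template expansion needs Windows provider resources, substitutes the raw EventData fields for FormatDescription. The sample records are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Namespace on every <Event> element in the XML that evtx_dump.py emits.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Same levels as the XPath query in the C# code: 1 = Critical, 2 = Error, 3 = Warning.
LEVEL_NAMES = {1: "Critical", 2: "Error", 3: "Warning"}

def parse_event(xml_text):
    """Return one TSV row for a Critical/Error/Warning event, or None to skip it."""
    try:
        root = ET.fromstring(xml_text)
        system = root.find("e:System", NS)
        level = int(system.findtext("e:Level", default="", namespaces=NS))
        time_created = system.find("e:TimeCreated", NS).get("SystemTime", "")
        machine = system.findtext("e:Computer", default="", namespaces=NS)
    except (ET.ParseError, AttributeError, ValueError):
        return None  # malformed record: skip it, like the catch/continue in the C# loop
    if level not in LEVEL_NAMES:
        return None
    # FormatDescription() needs the provider's message resources, which exist only on
    # Windows; off-Windows the raw EventData fields are the usable substitute.
    fields = []
    for data in root.iterfind("e:EventData/e:Data", NS):
        value = (data.text or "").strip()
        fields.append(f"{data.get('Name')}={value}" if data.get("Name") else value)
    description = re.sub(r"[\t\n\r]", " ", "; ".join(fields))  # one event per TSV line
    return [time_created, machine, LEVEL_NAMES[level], description]

def events_to_tsv(xml_records):
    """Build the same four-column TSV that the C# code in the issue writes."""
    lines = ["TimeCreated\tMachineName\tLevelDisplayName\tFormatDescription"]
    for record in xml_records:
        row = parse_event(record)
        if row is not None:
            lines.append("\t".join(row))
    return "\n".join(lines) + "\n"

# Constructed sample records (not real log data): a Critical event with a tab in its
# data, an Information event that the level filter drops, and a Warning without Name.
EVENT = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
         '<Level>{lvl}</Level><TimeCreated SystemTime="{ts}"/><Computer>{host}</Computer>'
         '</System>{data}</Event>')
SAMPLE_RECORDS = [
    EVENT.format(lvl=1, ts="2017-09-01T10:00:00Z", host="host-a",
                 data='<EventData><Data Name="Reason">disk\tfull</Data></EventData>'),
    EVENT.format(lvl=4, ts="2017-09-01T10:00:01Z", host="host-a", data=""),
    EVENT.format(lvl=3, ts="2017-09-01T10:00:02Z", host="host-b",
                 data="<EventData><Data>service restarted</Data></EventData>"),
]
```
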
huangsam commented 7 years ago

I originally tried the evtx_dump.py from python-evtx but couldn't replicate the above logic accurately. Furthermore, it took way too long to process a single file, on the order of minutes - whereas the EventLogQuery knocked out the evtx files that we had in a matter of seconds.

brianrob commented 6 years ago

@huangsam, I'm still not quite sure I understand. Are you trying to process Windows EventLog files on Linux/OSX?

huangsam commented 6 years ago

@brianrob correct. I'm trying to process those log files on Linux/OSX using Eventing.

huangsam commented 6 years ago

There's this alternative I found in the meantime: https://pypi.python.org/pypi/libevtx-python/20170122 which satisfies most, if not all, of the requirements. It just doesn't process large evtx files as quickly as the code shown above.

brianrob commented 6 years ago

@huangsam, thanks for the information. I don't expect that we will port Windows EventLog functionality to Linux and OSX as it is Windows-specific functionality. Thus, I am going to close this issue.