pcacc
/
myvtm


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178
							#ifndef _TWINKLE_EVENT_LOG_HELPER_H_
#define _TWINKLE_EVENT_LOG_HELPER_H_

#pragma once

#include <windows.h>
#include <stdio.h>
#include <strsafe.h>
#include <fstream>
#include <sstream>
#include <string>
#include <iomanip>
#include <xlocale>
#include "SimpleString.h"

#define EXT_EVTLOG_NAME ".evtlog"
 
#define MAX_TIMESTAMP_LEN       23 + 1   // yyyy/mm/dd hh:mm:ss.mmm
#define MAX_RECORD_BUFFER_SIZE  0x10000  // 64K

#define APPLICATION_ERROR "Application Error"

#define DURATION_NONE			0x0000
#define DURATION_HOUR_ONE		0x0001
#define DURATION_HOUR_TWELVE	0x0002
#define DURATION_DAY_ONE		0x0003
#define DURATION_DAY_SEVENT		0x0004
#define DURATION_MONTH_ONE		0x0005
#define DURAITON_CUSTOM			0x000F 

//------------------
// DEFINES
//------------------
#define APPLICATION_LOG     "Application"
#define SYSTEM_LOG          "System"
#define SECURITY_LOG        "Security"

#define REG_APPLICATION_KEY "SYSTEM\\CurrentControlSet\\Services\\EventLog\\Application\\"
#define REG_SYSTEM_KEY      "SYSTEM\\CurrentControlSet\\Services\\EventLog\\System\\"
#define REG_SECURITY_KEY    "SYSTEM\\CurrentControlSet\\Services\\EventLog\\Security\\"

#define REG_FULLFILL_KEY	"SYSTEM\\CurrentControlSet\\Services\\EventLog\\%s\\%s"
#define EVENT_MESSAGE_FILE	"EventMessageFile"

static CONST LPCTSTR pEventTypeNames[] = {
	"错误", "警告", "信息", "审计成功", "审计失败"
};

static DWORD GetEventTypeName(DWORD EventType)
{
	DWORD index = 0;
	switch (EventType)
	{
	case EVENTLOG_ERROR_TYPE:
		index = 0;
		break;
	case EVENTLOG_WARNING_TYPE:
		index = 1;
		break;
	case EVENTLOG_INFORMATION_TYPE:
		index = 2;
		break;
	case EVENTLOG_AUDIT_SUCCESS:
		index = 3;
		break;
	case EVENTLOG_AUDIT_FAILURE:
		index = 4;
		break;
	}
	return index;
}

typedef struct _tagEVENTLOGFILTERPARAM {
	BOOL	fApplication;
	BOOL	fSecurity;
	BOOL	fSystem;
	BOOL	fCustom;
	CHAR	lpszCustomEventName[MAX_PATH + 1]; //Valid when fCustom is true.
	CHAR	lpszSourceEventName[MAX_PATH + 1];
	DWORD	dwEventId;
	WORD	wEventType;
	// This time is measured in the number of seconds elapsed since
	// 00:00:00 January 1,1970, Universal Coordinated Time.
	DWORD	dwTimeBegin; //The begin time at which the record should be retrived.
	DWORD	dwTimeEnd;	 //The endline time at which the record should be retrived.
}EVENTLOGPARAM, *LPEVENTLOGPARAM;


class EvtLogFile {
public:
	EvtLogFile(const std::string& strFileName, BOOL bCreateIfNoExist) {
		_filestream.open(strFileName, std::fstream::in | std::fstream::out | std::fstream::app);
	}
	~EvtLogFile() {
		if(IsValid())
			_filestream.close();
	}
	BOOL IsValid() const {
		return (_filestream.is_open() && !_filestream.fail());
	}
	void Close() {
		if(IsValid())
			_filestream.close();
	}
	std::size_t WriteEventLogEntry(const std::string& strEntry) {
		if(_filestream) {
			_filestream << strEntry << std::endl;
		}
		return 0;
	}
private:
	std::fstream _filestream;

};

class CEventLog
{
public:
	CEventLog(void);
	CEventLog(LPCTSTR lpSrcName);
	~CEventLog(void);

	bool IsInitialized(void) { return NULL != m_hEventLog; }
	DWORD FilterEventLog(LPCTSTR lpszSourceName, WORD wEventType,
		DWORD dwEventID, DWORD dwStartTime, DWORD dwEndTime);

	BOOL InitializeLogFile(const std::string& strFileName) {
		if(!pOutFile) {
			pOutFile = new EvtLogFile(strFileName, TRUE);
			std::string strTitle;
			strTitle.append("============================================================\r\n");
			strTitle.append(m_szSourceName);
			strTitle.append("\r\n============================================================\r\n");
			pOutFile->WriteEventLogEntry(strTitle);
		}
		return (pOutFile != NULL && pOutFile->IsValid());
	}
	BOOL ClearLogFile() {
		//if(pOutFile && pOutFile->IsValid()) {
		//	Close();
		//	return !(pOutFile->IsValid());
		//}
		if(pOutFile) {
			delete pOutFile;
			pOutFile = NULL;
		}
		return (pOutFile == NULL);
	}
protected:
	HRESULT Initialize(LPCTSTR lpSrcName);
	void GetTimestamp(const DWORD Time, PSYSTEMTIME stTime, CHAR DisplayString[]);
	HMODULE GetMessageResources(LPCTSTR lpszdllPath)
	{
		HMODULE hResources = NULL;
		hResources = LoadLibraryEx(lpszdllPath, NULL, 
			LOAD_LIBRARY_AS_IMAGE_RESOURCE | LOAD_LIBRARY_AS_DATAFILE);
		if (NULL == hResources)
		{
			printf("LoadLibrary(%s) failed with %lu.\n", lpszdllPath, GetLastError());
		}
		return hResources;
	}
	LPTSTR GetMessageString(HMODULE hModule, DWORD MessageId, DWORD argc, LPTSTR argv);
	DWORD ApplyParameterStringsToMessage(HMODULE hModule, CONST LPCTSTR pMessage, LPTSTR& pFinalMessage);

private:
	DWORD SeekToLastRecord();
	DWORD GetLastRecordNumber(DWORD* pdwRecordNumber);
	DWORD ReadSingleRecord(PBYTE & pBuffer, DWORD dwRecordNumber, DWORD dwReadFlags);
private:
	HANDLE m_hEventLog;
	CHAR m_szSourceName[MAX_PATH];

	EvtLogFile* pOutFile;
};

#endif //_TWINKLE_EVENT_LOG_HELPER_H_