Class: Winevt::EventLog::Subscribe

Inherits:
Object
  • Object
Defined in:
ext/winevt/winevt_subscribe.c,
lib/winevt/subscribe.rb,
ext/winevt/winevt.c,
ext/winevt/winevt_subscribe.c

Overview

Subscribes to a Windows EventLog channel.

Examples:

require 'winevt'

# Channel to follow, and an XPath filter: Level <= 4 and created within the
# last 86400000 ms (24 hours).
channel = "Application"
query = "*[System[(Level <= 4) and TimeCreated[timediff(@SystemTime) <= 86400000]]]"

@subscribe = Winevt::EventLog::Subscribe.new
@subscribe.tail = true
# Must be a multiple of 10 (or RATE_INFINITE); other values raise ArgumentError.
@subscribe.rate_limit = 80
@subscribe.subscribe(channel, query)

# Poll forever: drain whatever is available, then back off briefly.
while true
  @subscribe.each do |eventlog, message, string_inserts|
    record = {eventlog: eventlog, data: message}
    puts(record)
  end
  sleep(0.1)
end

See Also:

Defined Under Namespace

Classes: RemoteHandlerError

Constant Summary

RATE_INFINITE =

For use with Subscribe#rate_limit=. It represents an unspecified rate limit.

Since:

  • 0.6.0

SUBSCRIBE_RATE_INFINITE

Instance Method Summary

Constructor Details

#initializeSubscribe

Initialize Subscribe class.



# File 'ext/winevt/winevt_subscribe.c', line 98

/*
 * Constructor body for Winevt::EventLog::Subscribe: resets the wrapped
 * struct to its defaults.
 *
 * Defaults: no rate limit (SUBSCRIBE_RATE_INFINITE), XML rendering on,
 * existing events are read, qualifiers are not preserved, default locale.
 *
 * NOTE(review): the subscription, bookmark and count fields are not assigned
 * here, although other methods test `subscription` against NULL. This
 * presumably relies on the allocator zeroing the struct -- confirm.
 *
 * Always returns nil.
 */
static VALUE
rb_winevt_subscribe_initialize(VALUE self)
{
  struct WinevtSubscribe* sub;

  TypedData_Get_Struct(self, struct WinevtSubscribe, &rb_winevt_subscribe_type, sub);

  /* Rendering and replay options. */
  sub->renderAsXML = TRUE;
  sub->readExistingEvents = TRUE;
  sub->preserveQualifiers = FALSE;
  sub->localeInfo = &default_locale;

  /* Rate-limit bookkeeping starts out unlimited and empty. */
  sub->rateLimit = SUBSCRIBE_RATE_INFINITE;
  sub->lastTime = 0;
  sub->currentRate = 0;

  return Qnil;
}

Instance Method Details

#bookmarkString

This method renders bookmark content which is related to Subscribe class instance.

Returns:

  • (String)


# File 'ext/winevt/winevt_subscribe.c', line 481

/*
 * Renders the bookmark held by this Subscribe instance through
 * render_to_rb_str() with the EvtRenderBookmark flag and returns the result.
 *
 * NOTE(review): the bookmark handle is forwarded unchecked. If this can be
 * called before a successful subscribe, render_to_rb_str() has to cope with
 * an unset handle -- confirm against that helper.
 */
static VALUE
rb_winevt_subscribe_get_bookmark(VALUE self)
{
  struct WinevtSubscribe* sub;
  VALUE rendered;

  TypedData_Get_Struct(self, struct WinevtSubscribe, &rb_winevt_subscribe_type, sub);

  rendered = render_to_rb_str(sub->bookmark, EvtRenderBookmark);
  return rendered;
}

#cancelBoolean

This method cancels channel subscription.

Returns:

  • (Boolean)

Since:

  • 0.9.1



# File 'ext/winevt/winevt_subscribe.c', line 655

/*
 * Cancels the channel subscription with EvtCancel().
 *
 * Returns true only when a subscription handle exists and EvtCancel()
 * reports success; returns false when there is no handle or the call fails.
 * The handle itself is not closed here.
 */
static VALUE
rb_winevt_subscribe_cancel(VALUE self)
{
  struct WinevtSubscribe* sub;

  TypedData_Get_Struct(self, struct WinevtSubscribe, &rb_winevt_subscribe_type, sub);

  /* No live subscription: nothing to cancel. */
  if (!sub->subscription) {
    return Qfalse;
  }

  return EvtCancel(sub->subscription) ? Qtrue : Qfalse;
}

#closeObject

This method closes channel handles forcibly.

Since:

  • 0.9.1



# File 'ext/winevt/winevt_subscribe.c', line 680

/*
 * Forcibly closes the handles owned by this Subscribe instance by
 * delegating to close_handles(). Always returns nil.
 *
 * NOTE(review): whether close_handles() clears the stored handles afterwards
 * (so that a later next/cancel sees NULL rather than a stale handle) is not
 * visible here -- confirm.
 */
static VALUE
rb_winevt_subscribe_close(VALUE self)
{
  struct WinevtSubscribe* sub;

  TypedData_Get_Struct(self, struct WinevtSubscribe, &rb_winevt_subscribe_type, sub);
  close_handles(sub);

  return Qnil;
}

#each {|String, String, String| ... } ⇒ Object

Enumerate to obtain Windows EventLog contents.

This method yields the following: (Stringified EventLog, Stringified detail message, Stringified insert values)

Yields:

  • (String, String, String)


# File 'ext/winevt/winevt_subscribe.c', line 463

/*
 * Iterates over available events, yielding once per fetched batch.
 *
 * Without a block an Enumerator is returned (RETURN_ENUMERATOR). Otherwise
 * batches are pulled with rb_winevt_subscribe_next() until it reports false.
 * Each batch is handed to rb_winevt_subscribe_each_yield under rb_ensure(),
 * so rb_winevt_subscribe_close_handle runs even when the caller's block
 * raises. Presumably that callback releases the batch's event handles.
 *
 * Returns nil once no further batch is available.
 */
static VALUE
rb_winevt_subscribe_each(VALUE self)
{
  RETURN_ENUMERATOR(self, 0, 0);

  for (;;) {
    if (!rb_winevt_subscribe_next(self)) {
      break;
    }
    rb_ensure(rb_winevt_subscribe_each_yield,
              self,
              rb_winevt_subscribe_close_handle,
              self);
  }

  return Qnil;
}

#localeObject

This method returns the specified locale as a [String].

Since:

  • 0.8.0



# File 'ext/winevt/winevt_subscribe.c', line 634

/*
 * Returns the language code of the configured locale as a Ruby String.
 * Falls back to default_locale's code when the configured entry has no
 * langCode.
 *
 * NOTE(review): localeInfo is dereferenced without a NULL check, so this
 * relies on every writer storing a valid pointer -- confirm.
 */
static VALUE
rb_winevt_subscribe_get_locale(VALUE self)
{
  struct WinevtSubscribe* sub;

  TypedData_Get_Struct(self, struct WinevtSubscribe, &rb_winevt_subscribe_type, sub);

  if (!sub->localeInfo->langCode) {
    return rb_str_new2(default_locale.langCode);
  }

  return rb_str_new2(sub->localeInfo->langCode);
}

#locale=(rb_locale_str) ⇒ Object

This method sets the locale from a [String].

Parameters:

  • rb_locale_str (String)

Since:

  • 0.8.0



# File 'ext/winevt/winevt_subscribe.c', line 613

/*
 * Sets the locale used by this Subscribe instance.
 *
 * rb_locale_str is resolved with get_locale_info_from_rb_str() and the
 * result is stored as-is. Always returns nil.
 *
 * NOTE(review): the lookup result is stored without a NULL check, and the
 * locale getter dereferences it. Confirm that the helper either raises or
 * returns a valid entry for unknown or non-String input.
 */
static VALUE
rb_winevt_subscribe_set_locale(VALUE self, VALUE rb_locale_str)
{
  struct WinevtSubscribe* sub;
  LocaleInfo* resolved;

  TypedData_Get_Struct(self, struct WinevtSubscribe, &rb_winevt_subscribe_type, sub);

  resolved = get_locale_info_from_rb_str(rb_locale_str);
  sub->localeInfo = resolved;

  return Qnil;
}

#nextBoolean

Handle the next values. Since v0.6.0, this method is used for testing only. Please use #each instead.

Returns:

  • (Boolean)

See Also:



# File 'ext/winevt/winevt_subscribe.c', line 331

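/*
 * Fetches the next batch of events from the subscription.
 *
 * Returns false when the rate limit is currently exceeded, when there is no
 * subscription handle, or when EvtNext() fails for any reason (including
 * ERROR_CANCELLED and ERROR_NO_MORE_ITEMS). On success the fetched handles
 * are stored on the instance, the bookmark is advanced past each of them,
 * the rate-limit state is updated, and true is returned.
 *
 * NOTE(review): EvtNext() is called with an INFINITE timeout and no GVL
 * release is visible in this function, so a call that blocks would
 * presumably stall other Ruby threads, including one trying to cancel --
 * confirm.
 * NOTE(review): the return value of EvtUpdateBookmark() is ignored, and
 * winevtSubscribe->hEvents is assumed to hold at least SUBSCRIBE_ARRAY_SIZE
 * entries -- confirm against the struct definition.
 */
static VALUE
rb_winevt_subscribe_next(VALUE self)
{
  EVT_HANDLE hEvents[SUBSCRIBE_ARRAY_SIZE];
  ULONG count = 0;
  ULONG i;
  struct WinevtSubscribe* winevtSubscribe;

  TypedData_Get_Struct(
    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);

  if (is_rate_limit_exceeded(winevtSubscribe)) {
    return Qfalse;
  }

  /* If subscription handle is NULL, it should return false. */
  if (!winevtSubscribe->subscription) {
    return Qfalse;
  }

  if (!EvtNext(winevtSubscribe->subscription,
               SUBSCRIBE_ARRAY_SIZE,
               hEvents,
               INFINITE,
               0,
               &count)) {
    /* Cancelled, drained, or any other error: no batch to hand out. */
    return Qfalse;
  }

  winevtSubscribe->count = count;
  /* Unsigned index: count is a ULONG, so avoid a signed/unsigned compare. */
  for (i = 0; i < count; i++) {
    winevtSubscribe->hEvents[i] = hEvents[i];
    EvtUpdateBookmark(winevtSubscribe->bookmark, winevtSubscribe->hEvents[i]);
  }

  update_to_reflect_rate_limit_state(winevtSubscribe, count);

  return Qtrue;
}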

#preserve_qualifiers=(rb_preserve_qualifiers) ⇒ Object

This method specifies whether to preserve the qualifiers key.

Parameters:

  • rb_preserve_qualifiers (Boolean)

Since:

  • 0.7.3



# File 'ext/winevt/winevt_subscribe.c', line 577

/*
 * Stores whether qualifiers should be preserved.
 *
 * Any Ruby value is accepted; it is reduced to its truthiness with RTEST,
 * so only nil and false turn the option off. Always returns nil.
 */
static VALUE
rb_winevt_subscribe_set_preserve_qualifiers(VALUE self, VALUE rb_preserve_qualifiers)
{
  struct WinevtSubscribe* sub;

  TypedData_Get_Struct(self, struct WinevtSubscribe, &rb_winevt_subscribe_type, sub);

  sub->preserveQualifiers = RTEST(rb_preserve_qualifiers) ? TRUE : FALSE;

  return Qnil;
}

#preserve_qualifiers?Integer

This method returns whether qualifiers are preserved.

Returns:

  • (Integer)

Since:

  • 0.7.3



# File 'ext/winevt/winevt_subscribe.c', line 596

/*
 * Reports whether qualifiers are preserved.
 *
 * Returns true or false (a Boolean, not an Integer) from the stored
 * preserveQualifiers flag.
 */
static VALUE
rb_winevt_subscribe_get_preserve_qualifiers_p(VALUE self)
{
  struct WinevtSubscribe* sub;

  TypedData_Get_Struct(self, struct WinevtSubscribe, &rb_winevt_subscribe_type, sub);

  if (sub->preserveQualifiers) {
    return Qtrue;
  }

  return Qfalse;
}

#rate_limitInteger

This method returns rate limit value.

Returns:

  • (Integer)

Since:

  • 0.6.0



# File 'ext/winevt/winevt_subscribe.c', line 498

/*
 * Returns the configured rate limit as a Ruby Integer.
 *
 * The stored value is converted with INT2NUM, i.e. through a signed int.
 * NOTE(review): the setter keeps it in a DWORD, so a stored value above
 * INT_MAX would come back negative -- confirm the intended range.
 */
static VALUE
rb_winevt_subscribe_get_rate_limit(VALUE self)
{
  struct WinevtSubscribe* sub;
  VALUE limit;

  TypedData_Get_Struct(self, struct WinevtSubscribe, &rb_winevt_subscribe_type, sub);

  limit = INT2NUM(sub->rateLimit);
  return limit;
}

#rate_limit=(rb_rate_limit) ⇒ Object

This method specifies rate limit value.

Parameters:

  • rb_rate_limit (Integer)

    rate_limit value

Since:

  • 0.6.0



# File 'ext/winevt/winevt_subscribe.c', line 515

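/*
 * Sets the rate limit.
 *
 * Accepts SUBSCRIBE_RATE_INFINITE or a multiple of 10 that is at least 10;
 * anything else raises ArgumentError. Always returns nil on success.
 *
 * The range and multiple-of-10 checks are done on the signed value read
 * from Ruby. Checking only after conversion to the unsigned DWORD lets some
 * negative inputs through: with a 32-bit DWORD, -6 wraps to 4294967290,
 * which is >= 10 and divisible by 10, and would be stored as a huge limit.
 *
 * The sentinel comparison is still made on the DWORD value, exactly as
 * before, so RATE_INFINITE keeps working whatever its definition is.
 */
static VALUE
rb_winevt_subscribe_set_rate_limit(VALUE self, VALUE rb_rate_limit)
{
  struct WinevtSubscribe* winevtSubscribe;
  long requested;
  DWORD rateLimit;

  TypedData_Get_Struct(
    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);

  /* NUM2LONG raises RangeError for Integers that do not fit in a long. */
  requested = NUM2LONG(rb_rate_limit);
  rateLimit = (DWORD)requested;

  if ((rateLimit != SUBSCRIBE_RATE_INFINITE) && (requested < 10 || requested % 10)) {
    /* rb_raise does not return. */
    rb_raise(rb_eArgError, "Specify a multiples of 10 or RATE_INFINITE constant");
  }

  winevtSubscribe->rateLimit = rateLimit;

  return Qnil;
}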

#read_existing_events=(rb_read_existing_events_p) ⇒ Object

This method specifies whether to read existing events.

Parameters:

  • rb_read_existing_events_p (Boolean)


# File 'ext/winevt/winevt_subscribe.c', line 122

/*
 * Stores whether existing events should be read.
 *
 * The argument is reduced to its Ruby truthiness with RTEST. Always returns
 * nil. How the flag is consumed when subscribing is not visible here.
 */
static VALUE
rb_winevt_subscribe_set_read_existing_events(VALUE self, VALUE rb_read_existing_events_p)
{
  struct WinevtSubscribe* sub;

  TypedData_Get_Struct(self, struct WinevtSubscribe, &rb_winevt_subscribe_type, sub);

  sub->readExistingEvents = RTEST(rb_read_existing_events_p) ? TRUE : FALSE;

  return Qnil;
}

#read_existing_events?Boolean

This method returns whether existing events are read.

Returns:

  • (Boolean)


# File 'ext/winevt/winevt_subscribe.c', line 140

/*
 * Reports whether existing events are read: true or false, taken from the
 * stored readExistingEvents flag.
 */
static VALUE
rb_winevt_subscribe_read_existing_events_p(VALUE self)
{
  struct WinevtSubscribe* sub;

  TypedData_Get_Struct(self, struct WinevtSubscribe, &rb_winevt_subscribe_type, sub);

  if (sub->readExistingEvents) {
    return Qtrue;
  }

  return Qfalse;
}

#render_as_xml=(rb_render_as_xml) ⇒ Object

This method specifies whether to render events as XML.

Parameters:

  • rb_render_as_xml (Boolean)

Since:

  • 0.6.0



# File 'ext/winevt/winevt_subscribe.c', line 558

/*
 * Stores whether events are rendered as XML.
 *
 * The argument is reduced to its Ruby truthiness with RTEST. Always returns
 * nil.
 */
static VALUE
rb_winevt_subscribe_set_render_as_xml(VALUE self, VALUE rb_render_as_xml)
{
  struct WinevtSubscribe* sub;

  TypedData_Get_Struct(self, struct WinevtSubscribe, &rb_winevt_subscribe_type, sub);

  sub->renderAsXML = RTEST(rb_render_as_xml) ? TRUE : FALSE;

  return Qnil;
}

#render_as_xml?Boolean

This method returns whether events are rendered as XML.

Returns:

  • (Boolean)

Since:

  • 0.6.0



# File 'ext/winevt/winevt_subscribe.c', line 541

/*
 * Reports whether events are rendered as XML: true or false, taken from the
 * stored renderAsXML flag.
 */
static VALUE
rb_winevt_subscribe_render_as_xml_p(VALUE self)
{
  struct WinevtSubscribe* sub;

  TypedData_Get_Struct(self, struct WinevtSubscribe, &rb_winevt_subscribe_type, sub);

  if (sub->renderAsXML) {
    return Qtrue;
  }

  return Qfalse;
}

#subscribe(path, query, bookmark = nil, session = nil) ⇒ Boolean

Subscribe to a Windows EventLog channel.

Parameters:

  • path (String)

    Subscribe Channel

  • query (String)

    Query string for channel

  • bookmark (Bookmark) (defaults to: nil)

    Bookmark class instance.

  • session (Session) (defaults to: nil)

    Session information for remote access. As the method body shows, it is passed on only when a Bookmark instance is also given.

Returns:

  • (Boolean)


# File 'ext/winevt/winevt_subscribe.c', line 162

# Subscribe to a Windows EventLog channel, delegating to subscribe_raw.
#
# The bookmark is rendered and forwarded only when it is a
# Winevt::EventLog::Bookmark; the session is forwarded only when it is a
# Winevt::EventLog::Session AND a Bookmark was given.
#
# NOTE(review): a session passed without a Bookmark is silently dropped, so
# the call falls back to subscribe_raw(path, query) with no session. A caller
# expecting a remote session would not be told. Confirm whether subscribe_raw
# accepts a nil bookmark before forwarding the session in that case.
#
# @param path [String] channel to subscribe to
# @param query [String] query string for the channel
# @param bookmark [Winevt::EventLog::Bookmark, nil] resume position
# @param session [Winevt::EventLog::Session, nil] remote session information
# @return [Boolean] whatever subscribe_raw returns
def subscribe(path, query, bookmark = nil, session = nil)
  return subscribe_raw(path, query) unless bookmark.is_a?(Winevt::EventLog::Bookmark)

  rendered_bookmark = bookmark.render
  if session.is_a?(Winevt::EventLog::Session)
    subscribe_raw(path, query, rendered_bookmark, session)
  else
    subscribe_raw(path, query, rendered_bookmark)
  end
end

#subscribe_rawObject



# File 'lib/winevt/subscribe.rb', line 4

# Keep the existing subscribe implementation reachable as subscribe_raw; the
# Ruby-level subscribe wrapper delegates to it. Presumably this runs before
# the wrapper is defined, so the alias captures the original method -- confirm.
alias_method :subscribe_raw, :subscribe