Class: Winevt::EventLog::Query

Inherits:

Object

• Object
• Winevt::EventLog::Query

Defined in:

ext/winevt/winevt_query.c,
lib/winevt/query.rb,
ext/winevt/winevt.c,
ext/winevt/winevt_query.c

Overview

Query Windows EventLog channel.

Examples:

require 'winevt'

@query = Winevt::EventLog::Query.new("Application", "*[System[(Level <= 3) and TimeCreated[timediff(@SystemTime) <= 86400000]]]")

@query.each do |eventlog, message, string_inserts|
  puts ({eventlog: eventlog, data: message})
end

Defined Under Namespace

Modules: Flag Classes: Error

Instance Method Summary

• #each {|String, String, String| ... } ⇒ Object

  Enumerate to obtain Windows EventLog contents.

• #initialize(channel, xpath) ⇒ Query constructor

  Initalize Query class.

• #next ⇒ Boolean

  Handle the next values.

• #offset ⇒ Integer

  This method returns querying event offset.

• #offset=(offset) ⇒ Object

  This method specifies querying event offset.

• #render_as_xml=(rb_render_as_xml) ⇒ Object

  This method specifies whether render as xml or not.

• #render_as_xml? ⇒ Boolean

  This method returns whether render as xml or not.

• #seek(bookmark_or_flag) ⇒ Boolean

  This method specifies seek strategy.

• #timeout ⇒ Integer

  This method returns timeout value.

• #timeout=(timeout) ⇒ Object

  This method specifies timeout value.

Constructor Details

#initialize(channel, xpath) ⇒ Query

Initalize Query class.

Parameters:

• channel (String) —

  Querying EventLog channel.

• xpath (String) —

  Querying XPath.

# File 'ext/winevt/winevt_query.c', line 65

static VALUE
rb_winevt_query_initialize(VALUE self, VALUE channel, VALUE xpath)
{
  PWSTR evtChannel, evtXPath;
  struct WinevtQuery* winevtQuery;
  DWORD len;
  VALUE wchannelBuf, wpathBuf;

  Check_Type(channel, T_STRING);
  Check_Type(xpath, T_STRING);

  // channel : To wide char
  len =
    MultiByteToWideChar(CP_UTF8, 0, RSTRING_PTR(channel), RSTRING_LEN(channel), NULL, 0);
  evtChannel = ALLOCV_N(WCHAR, wchannelBuf, len + 1);
  MultiByteToWideChar(
    CP_UTF8, 0, RSTRING_PTR(channel), RSTRING_LEN(channel), evtChannel, len);
  evtChannel[len] = L'\0';

  // xpath : To wide char
  len = MultiByteToWideChar(CP_UTF8, 0, RSTRING_PTR(xpath), RSTRING_LEN(xpath), NULL, 0);
  evtXPath = ALLOCV_N(WCHAR, wpathBuf, len + 1);
  MultiByteToWideChar(CP_UTF8, 0, RSTRING_PTR(xpath), RSTRING_LEN(xpath), evtXPath, len);
  evtXPath[len] = L'\0';

  TypedData_Get_Struct(self, struct WinevtQuery, &rb_winevt_query_type, winevtQuery);

  winevtQuery->query = EvtQuery(
    NULL, evtChannel, evtXPath, EvtQueryChannelPath | EvtQueryTolerateQueryErrors);
  winevtQuery->offset = 0L;
  winevtQuery->timeout = 0L;
  winevtQuery->renderAsXML = TRUE;

  ALLOCV_END(wchannelBuf);
  ALLOCV_END(wpathBuf);

  return Qnil;
}

Instance Method Details

#each {|String, String, String| ... } ⇒ Object

Enumerate to obtain Windows EventLog contents.

This method yields the following: (Stringified EventLog, Stringified detail message, Stringified insert values)

Yields:

• (String, String, String)

# File 'ext/winevt/winevt_query.c', line 353

static VALUE
rb_winevt_query_each(VALUE self)
{
  RETURN_ENUMERATOR(self, 0, 0);

  while (rb_winevt_query_next(self)) {
    rb_ensure(rb_winevt_query_each_yield, self, rb_winevt_query_close_handle, self);
  }

  return Qnil;
}

#next ⇒ Boolean

Handle the next values. Since v0.6.0, this method is used for testing only. Please use #each instead.

Returns:

• (Boolean)

See Also:

• #each

# File 'ext/winevt/winevt_query.c', line 176

static VALUE
rb_winevt_query_next(VALUE self)
{
  EVT_HANDLE hEvents[QUERY_ARRAY_SIZE];
  ULONG count;
  DWORD status = ERROR_SUCCESS;
  struct WinevtQuery* winevtQuery;

  TypedData_Get_Struct(self, struct WinevtQuery, &rb_winevt_query_type, winevtQuery);

  if (!EvtNext(winevtQuery->query, QUERY_ARRAY_SIZE, hEvents, INFINITE, 0, &count)) {
    status = GetLastError();
    if (ERROR_NO_MORE_ITEMS != status) {
      return Qfalse;
    }
  }

  if (status == ERROR_SUCCESS) {
    winevtQuery->count = count;
    for (int i = 0; i < count; i++) {
      winevtQuery->hEvents[i] = hEvents[i];
    }

    return Qtrue;
  }

  return Qfalse;
}

#offset ⇒ Integer

This method returns querying event offset.

Returns:

• (Integer)

# File 'ext/winevt/winevt_query.c', line 109

static VALUE
rb_winevt_query_get_offset(VALUE self)
{
  struct WinevtQuery* winevtQuery;

  TypedData_Get_Struct(self, struct WinevtQuery, &rb_winevt_query_type, winevtQuery);

  return LONG2NUM(winevtQuery->offset);
}

#offset=(offset) ⇒ Object

This method specifies querying event offset.

Parameters:

• offset (Integer) —

  offset value

# File 'ext/winevt/winevt_query.c', line 124

static VALUE
rb_winevt_query_set_offset(VALUE self, VALUE offset)
{
  struct WinevtQuery* winevtQuery;

  TypedData_Get_Struct(self, struct WinevtQuery, &rb_winevt_query_type, winevtQuery);

  winevtQuery->offset = NUM2LONG(offset);

  return Qnil;
}

#render_as_xml=(rb_render_as_xml) ⇒ Object

This method specifies whether render as xml or not.

Parameters:

• rb_render_as_xml (Boolean)

# File 'ext/winevt/winevt_query.c', line 385

static VALUE
rb_winevt_query_set_render_as_xml(VALUE self, VALUE rb_render_as_xml)
{
  struct WinevtQuery* winevtQuery;

  TypedData_Get_Struct(self, struct WinevtQuery, &rb_winevt_query_type, winevtQuery);

  winevtQuery->renderAsXML = RTEST(rb_render_as_xml);

  return Qnil;
}

#render_as_xml? ⇒ Boolean

This method returns whether render as xml or not.

Returns:

• (Boolean)

# File 'ext/winevt/winevt_query.c', line 370

static VALUE
rb_winevt_query_render_as_xml_p(VALUE self)
{
  struct WinevtQuery* winevtQuery;

  TypedData_Get_Struct(self, struct WinevtQuery, &rb_winevt_query_type, winevtQuery);

  return winevtQuery->renderAsXML ? Qtrue : Qfalse;
}

#seek(bookmark_or_flag) ⇒ Boolean

This method specifies seek strategy.

Parameters:

• bookmark_or_flag (Bookmark|Query::Flag)

Returns:

• (Boolean)

# File 'ext/winevt/winevt_query.c', line 265

static VALUE
rb_winevt_query_seek(VALUE self, VALUE bookmark_or_flag)
{
  struct WinevtQuery* winevtQuery;
  struct WinevtBookmark* winevtBookmark = NULL;
  DWORD flag = 0;

  switch (TYPE(bookmark_or_flag)) {
    case T_SYMBOL:
      flag = get_evt_seek_flag_from_cstr(RSTRING_PTR(rb_sym2str(bookmark_or_flag)));
      break;
    case T_STRING:
      flag = get_evt_seek_flag_from_cstr(StringValueCStr(bookmark_or_flag));
      break;
    case T_FIXNUM:
      flag = NUM2LONG(bookmark_or_flag);
      break;
    default:
      if (!rb_obj_is_kind_of(bookmark_or_flag, rb_cBookmark))
        rb_raise(rb_eArgError, "Expected a String or a Symbol or a Bookmark instance");

      winevtBookmark = EventBookMark(bookmark_or_flag);
  }

  if (winevtBookmark) {
    TypedData_Get_Struct(self, struct WinevtQuery, &rb_winevt_query_type, winevtQuery);
    if (EvtSeek(winevtQuery->query,
                winevtQuery->offset,
                winevtBookmark->bookmark,
                winevtQuery->timeout,
                EvtSeekRelativeToBookmark))
      return Qtrue;
  } else {
    TypedData_Get_Struct(self, struct WinevtQuery, &rb_winevt_query_type, winevtQuery);
    if (EvtSeek(
          winevtQuery->query, winevtQuery->offset, NULL, winevtQuery->timeout, flag)) {
      return Qtrue;
    }
  }

  return Qfalse;
}

#timeout ⇒ Integer

This method returns timeout value.

Returns:

• (Integer)

# File 'ext/winevt/winevt_query.c', line 141

static VALUE
rb_winevt_query_get_timeout(VALUE self)
{
  struct WinevtQuery* winevtQuery;

  TypedData_Get_Struct(self, struct WinevtQuery, &rb_winevt_query_type, winevtQuery);

  return LONG2NUM(winevtQuery->timeout);
}

#timeout=(timeout) ⇒ Object

This method specifies timeout value.

Parameters:

• timeout (Integer) —

  timeout value

# File 'ext/winevt/winevt_query.c', line 156

static VALUE
rb_winevt_query_set_timeout(VALUE self, VALUE timeout)
{
  struct WinevtQuery* winevtQuery;

  TypedData_Get_Struct(self, struct WinevtQuery, &rb_winevt_query_type, winevtQuery);

  winevtQuery->timeout = NUM2LONG(timeout);

  return Qnil;
}