[Pkg-libvirt-commits] [libguestfs] 126/165: virt-log: Add support for displaying the Windows Event Log.
Hilko Bengen
bengen at moszumanska.debian.org
Sat Aug 30 08:25:10 UTC 2014
bengen pushed a commit to branch experimental
in repository libguestfs.
commit 0c38cd4d25eb32187341d3642be51053577d7ceb
Author: Richard W.M. Jones <rjones at redhat.com>
Date: Mon Jun 16 10:14:06 2014 +0100
virt-log: Add support for displaying the Windows Event Log.
Uses the external program python-evtx, and this only works
for Windows >= Vista.
---
README | 3 ++
cat/log.c | 100 +++++++++++++++++++++++++++++++++++++++++++++++++++++++-------
2 files changed, 93 insertions(+), 10 deletions(-)
diff --git a/README b/README
index 2d8acfd..aa03ee8 100644
--- a/README
+++ b/README
@@ -178,6 +178,9 @@ The full requirements are described below.
+--------------+-------------+---+-----------------------------------------+
| gtk2 | | O | Used by virt-p2v user interface. |
+--------------+-------------+---+-----------------------------------------+
+| python-evtx | | O | Used by virt-log to parse Windows |
+| | | | Event Log files. |
++--------------+-------------+---+-----------------------------------------+
| findlib | | O | For the OCaml bindings. |
+--------------+-------------+---+-----------------------------------------+
| ocaml-gettext| | O | For localizing OCaml virt-* tools. |
diff --git a/cat/log.c b/cat/log.c
index 15a26e8..9460708 100644
--- a/cat/log.c
+++ b/cat/log.c
@@ -22,6 +22,7 @@
#include <stdlib.h>
#include <string.h>
#include <inttypes.h>
+#include <fcntl.h>
#include <unistd.h>
#include <getopt.h>
#include <errno.h>
@@ -30,6 +31,8 @@
#include <libintl.h>
#include <syslog.h>
#include <time.h>
+#include <sys/types.h>
+#include <sys/wait.h>
#include "c-ctype.h"
@@ -52,6 +55,7 @@ int inspector = 1;
static int do_log (void);
static int do_log_journal (void);
static int do_log_text_file (const char *filename);
+static int do_log_windows_evtx (void);
static void __attribute__((noreturn))
usage (int status)
@@ -232,6 +236,17 @@ do_log (void)
if (!type)
return -1;
+ /* Windows needs special handling. */
+ if (STREQ (type, "windows")) {
+ if (guestfs_inspect_get_major_version (g, root) >= 6)
+ return do_log_windows_evtx ();
+
+ fprintf (stderr,
+ _("%s: Windows Event Log for pre-Vista guests is not supported.\n"),
+ program_name);
+ return -1;
+ }
+
/* systemd journal? */
guestfs_push_error_handler (g, NULL, NULL);
journal_files = guestfs_ls (g, JOURNAL_DIR);
@@ -253,16 +268,6 @@ do_log (void)
}
}
- /* Windows is not supported right now, so give an error message. */
- if (STREQ (type, "windows")) {
- fprintf (stderr,
- _("%s: Windows guests are not supported right now.\n"
- "In the meantime, try using the technique described here:\n"
- "http://rwmj.wordpress.com/2011/04/17/decoding-the-windows-event-log-using-guestfish/\n"),
- program_name);
- return -1;
- }
-
/* Otherwise, there are no log files. Hmm, is this right? XXX */
return 0;
}
@@ -396,3 +401,78 @@ do_log_text_file (const char *filename)
{
return guestfs_download (g, filename, "/dev/stdout");
}
+
+/* For Windows >= Vista, if evtxdump.py is installed then we can
+ * use it to dump the System.evtx log.
+ */
+static int
+do_log_windows_evtx (void)
+{
+ CLEANUP_FREE char *filename = NULL;
+ CLEANUP_FREE char *tmpdir = guestfs_get_tmpdir (g);
+ CLEANUP_UNLINK_FREE char *localfile = NULL;
+ CLEANUP_FREE char *cmd = NULL;
+ char dev_fd[64];
+ int fd, status;
+
+ if (system ("evtxdump.py -h >/dev/null 2>&1") != 0) {
+ fprintf (stderr, _("%s: you need to install 'evtxdump.py' (from the python-evtx package)\n"
+ "in order to parse Windows Event Logs. If you cannot install this, then\n"
+ "use virt-copy-out(1) to copy the contents of /Windows/System32/winevt/Logs\n"
+ "from this guest, and examine in a binary file viewer.\n"),
+ program_name);
+ return -1;
+ }
+
+ /* Check if System.evtx exists. XXX Allow the filename to be
+ * configurable, since there are many logs.
+ */
+ filename = guestfs_case_sensitive_path (g, "/Windows/System32/winevt/Logs/System.evtx");
+ if (filename == NULL)
+ return -1;
+
+ /* Note that guestfs_case_sensitive_path does NOT check for existence. */
+ if (guestfs_is_file_opts (g, filename,
+ GUESTFS_IS_FILE_OPTS_FOLLOWSYMLINKS, 1,
+ -1) <= 0) {
+ fprintf (stderr, _("%s: Windows Event Log file (%s) not found\n"),
+ program_name, filename);
+ return -1;
+ }
+
+ /* Download the file to a temporary. Python-evtx wants to mmap
+ * the file so we cannot use a pipe.
+ */
+ if (asprintf (&localfile, "%s/virtlogXXXXXX", tmpdir) == -1) {
+ perror ("asprintf");
+ return -1;
+ }
+ if ((fd = mkstemp (localfile)) == -1) {
+ perror ("mkstemp");
+ return -1;
+ }
+
+ snprintf (dev_fd, sizeof dev_fd, "/dev/fd/%d", fd);
+
+ if (guestfs_download (g, filename, dev_fd) == -1)
+ return -1;
+ close (fd);
+
+ /* This should be safe as long as $TMPDIR is not set to something wild. */
+ if (asprintf (&cmd, "evtxdump.py '%s'", localfile) == -1) {
+ perror ("asprintf");
+ return -1;
+ }
+
+ status = system (cmd);
+ if (status) {
+ char buf[256];
+ fprintf (stderr, "%s: %s\n",
+ program_name,
+ guestfs___exit_status_to_string (status, "evtxdump.py",
+ buf, sizeof buf));
+ return -1;
+ }
+
+ return 0;
+}
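Review bot: The early return after a failed guestfs_download leaks the descriptor from mkstemp, because `close (fd)` is only reached on the success path; write `if (guestfs_download (g, filename, dev_fd) == -1) { close (fd); return -1; }` and check the return of the later close as well. The comment above the second asprintf concedes that single-quoting the path is only safe while $TMPDIR is tame; rather than build a shell command at all, run evtxdump.py through fork/execlp with an explicit argv and collect the status with waitpid, which also gives a use to the <sys/wait.h> include added in this commit that nothing visible here otherwise needs. waitpid fills `status` in the same layout system() returns, so the existing guestfs___exit_status_to_string call can stay; `cmd` and its CLEANUP_FREE become unused and a `pid_t pid` local is needed. Separately, the guestfs_is_file_opts check prints "not found" for both the 0 and the -1 result, so a libguestfs error would be reported twice with a misleading message; returning on `-1` before printing and printing only for `== 0` would be clearer.
```c
  /* … unchanged: existence check and mkstemp of localfile … */
  if (guestfs_download (g, filename, dev_fd) == -1) {
    close (fd);
    return -1;
  }
  if (close (fd) == -1) {
    perror ("close");
    return -1;
  }

  /* Run evtxdump.py with an explicit argv so the temporary path is
   * never interpreted by a shell, whatever $TMPDIR contains.
   */
  pid = fork ();
  if (pid == -1) {
    perror ("fork");
    return -1;
  }
  if (pid == 0) {
    execlp ("evtxdump.py", "evtxdump.py", localfile, NULL);
    perror ("evtxdump.py");
    _exit (EXIT_FAILURE);
  }
  if (waitpid (pid, &status, 0) == -1) {
    perror ("waitpid");
    return -1;
  }
  /* … unchanged: report non-zero status via guestfs___exit_status_to_string … */
```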