RubyGems - winevt_c - Versions diffs - 0.8.1 → 0.9.0 - Mend

winevt_c 0.8.1 → 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

checksums.yaml +4 -4
data/example/eventlog.rb +5 -1
data/example/tailing.rb +7 -1
data/ext/winevt/winevt.c +3 -0
data/ext/winevt/winevt_c.h +18 -1
data/ext/winevt/winevt_query.c +41 -9
data/ext/winevt/winevt_session.c +425 -0
data/ext/winevt/winevt_subscribe.c +36 -10
data/ext/winevt/winevt_utils.cpp +24 -2
data/lib/winevt.rb +1 -0
data/lib/winevt/session.rb +15 -0
data/lib/winevt/subscribe.rb +5 -2
data/lib/winevt/version.rb +1 -1
metadata +4 -2

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 29ee7a14f6020b16b7c7dda19d85898f1403721b49074555d71dc43a7a10544f
-  data.tar.gz: 48be391283aa449cc09d1d997ab2915c48276cd21239a75f8013bca60aaafc03
+  metadata.gz: fd29b4664130c80249811fb66df434aaa9219d6d375bcdaa7adfdd3fe72dd25e
+  data.tar.gz: 2a1e3ec7cb528269ebb65f4b1df72d6045f882d865956fb85def8bcb925d6944
 SHA512:
-  metadata.gz: f321563ec5c53f3305c130b1b13dddaa7136e38a46dbfac5c35e20a0d7525f4cc424546c6247fa226a50fd9932df65f849d5d4c354a56106cd9bcfa15908ec7c
-  data.tar.gz: 53af124b46df922069f703e624a07bd31f427c1e715f8cb4227a93e3efd5cd94e83eddeb1be649b0db30312fbb594aae143eb27023ee37c230cbfd2ddbf43133
+  metadata.gz: 0f80978e4268c233d2e309c0e9556f38386b35300381c04f4d84226ce239a85ccb48b20a2c2a3c59c3d0557347e95ff11e0ca11945eaa128ba2c78c67ebc9250
+  data.tar.gz: a8ff4fae4995b41910352186898d54c929a918f86a6a4efe29c0a5c93433d9c95d91be5c9f81fdb52ff5f2307cbb2e2e61790a22fe076b7221ba03c89aed48d5

data/example/eventlog.rb CHANGED

@@ -1,6 +1,10 @@
 require 'winevt'
-@query = Winevt::EventLog::Query.new("Application", "*[System[(Level <= 3) and TimeCreated[timediff(@SystemTime) <= 86400000]]]")
+@session = Winevt::EventLog::Session.new("127.0.0.1") # Or remote box ip
+# @session.domain = "<EXAMPLEGROUP>"
+# @session.username = "<username>"
+# @session.password = "<password>"
+@query = Winevt::EventLog::Query.new("Application", "*[System[(Level <= 4) and TimeCreated[timediff(@SystemTime) <= 86400000]]]", @session)
 @query.render_as_xml = true
 @query.preserve_qualifiers = true

data/example/tailing.rb CHANGED

@@ -1,11 +1,17 @@
 require 'winevt'
+@session = Winevt::EventLog::Session.new("127.0.0.1") # Or remote box ip
+# @session.domain = "<EXAMPLEGROUP>"
+# @session.username = "<username>"
+# @session.password = "<password>"
+@bookmark = Winevt::EventLog::Bookmark.new
 @subscribe = Winevt::EventLog::Subscribe.new
 @subscribe.read_existing_events = true
 @subscribe.preserve_qualifiers = true
 @subscribe.render_as_xml = true
 @subscribe.subscribe(
-  "Security", "*[System[(Level <= 4) and TimeCreated[timediff(@SystemTime) <= 86400000]]]"
+  "Security", "*[System[(Level <= 4) and TimeCreated[timediff(@SystemTime) <= 86400000]]]",
+  @bookmark, @session
 )
 while true do
   @subscribe.each do |eventlog, message, string_inserts|

data/ext/winevt/winevt.c CHANGED

@@ -5,6 +5,7 @@ VALUE rb_cQuery;
 VALUE rb_cEventLog;
 VALUE rb_cSubscribe;
 VALUE rb_eWinevtQueryError;
+VALUE rb_eRemoteHandlerError;
 static ID id_call;
@@ -16,12 +17,14 @@ Init_winevt(void)
   rb_cQuery = rb_define_class_under(rb_cEventLog, "Query", rb_cObject);
   rb_cSubscribe = rb_define_class_under(rb_cEventLog, "Subscribe", rb_cObject);
   rb_eWinevtQueryError = rb_define_class_under(rb_cQuery, "Error", rb_eStandardError);
+  rb_eRemoteHandlerError = rb_define_class_under(rb_cSubscribe, "RemoteHandlerError", rb_eRuntimeError);
   Init_winevt_channel(rb_cEventLog);
   Init_winevt_bookmark(rb_cEventLog);
   Init_winevt_query(rb_cEventLog);
   Init_winevt_subscribe(rb_cEventLog);
   Init_winevt_locale(rb_cEventLog);
+  Init_winevt_session(rb_cEventLog);
   id_call = rb_intern("call");
 }

data/ext/winevt/winevt_c.h CHANGED

@@ -21,6 +21,7 @@
 #define EventQuery(object) ((struct WinevtQuery*)DATA_PTR(object))
 #define EventBookMark(object) ((struct WinevtBookmark*)DATA_PTR(object))
 #define EventChannel(object) ((struct WinevtChannel*)DATA_PTR(object))
+#define EventSession(object) ((struct WinevtSession*)DATA_PTR(object))
 typedef struct {
   LANGID langID;
@@ -38,7 +39,10 @@ VALUE wstr_to_rb_str(UINT cp, const WCHAR* wstr, int clen);
 #endif /* __cplusplus */
 void  raise_system_error(VALUE error, DWORD errorCode);
 VALUE render_to_rb_str(EVT_HANDLE handle, DWORD flags);
-WCHAR* get_description(EVT_HANDLE handle, LANGID langID);
+EVT_HANDLE connect_to_remote(LPWSTR computerName, LPWSTR domain,
+                             LPWSTR username, LPWSTR password,
+                             EVT_RPC_LOGIN_FLAGS flags);
+WCHAR* get_description(EVT_HANDLE handle, LANGID langID, EVT_HANDLE hRemote);
 VALUE get_values(EVT_HANDLE handle);
 VALUE render_system_event(EVT_HANDLE handle, BOOL preserve_qualifiers);
 LocaleInfo* get_locale_info_from_rb_str(VALUE rb_locale_str);
@@ -53,7 +57,17 @@ extern VALUE rb_cChannel;
 extern VALUE rb_cBookmark;
 extern VALUE rb_cSubscribe;
 extern VALUE rb_eWinevtQueryError;
+extern VALUE rb_eRemoteHandlerError;
 extern VALUE rb_cLocale;
+extern VALUE rb_cSession;
+struct WinevtSession {
+  LPWSTR server;
+  LPWSTR domain;
+  LPWSTR username;
+  LPWSTR password;
+  EVT_RPC_LOGIN_FLAGS flags;
+};
 extern LocaleInfo localeInfoTable[];
 extern LocaleInfo default_locale;
@@ -84,6 +98,7 @@ struct WinevtQuery
   BOOL renderAsXML;
   BOOL preserveQualifiers;
   LocaleInfo *localeInfo;
+  EVT_HANDLE remoteHandle;
 };
 #define SUBSCRIBE_ARRAY_SIZE 10
@@ -104,6 +119,7 @@ struct WinevtSubscribe
   BOOL renderAsXML;
   BOOL preserveQualifiers;
   LocaleInfo* localeInfo;
+  EVT_HANDLE remoteHandle;
 };
 void Init_winevt_query(VALUE rb_cEventLog);
@@ -111,5 +127,6 @@ void Init_winevt_channel(VALUE rb_cEventLog);
 void Init_winevt_bookmark(VALUE rb_cEventLog);
 void Init_winevt_subscribe(VALUE rb_cEventLog);
 void Init_winevt_locale(VALUE rb_cEventLog);
+void Init_winevt_session(VALUE rb_cEventLog);
 #endif // _WINEVT_C_H

data/ext/winevt/winevt_query.c CHANGED

@@ -42,6 +42,10 @@ query_free(void* ptr)
     if (winevtQuery->hEvents[i])
       EvtClose(winevtQuery->hEvents[i]);
   }
+  if (winevtQuery->remoteHandle)
+    EvtClose(winevtQuery->remoteHandle);
   xfree(ptr);
 }
@@ -58,22 +62,44 @@ rb_winevt_query_alloc(VALUE klass)
 /*
  * Initalize Query class.
  *
- * @param channel [String] Querying EventLog channel.
- * @param xpath [String] Querying XPath.
+ * @overload initialize(channel, xpath, session=nil)
+ *   @param channel [String] Querying EventLog channel.
+ *   @param xpath [String] Querying XPath.
+ *   @param session [Session] Session information for remoting access.
  * @return [Query]
  *
  */
 static VALUE
-rb_winevt_query_initialize(VALUE self, VALUE channel, VALUE xpath)
+rb_winevt_query_initialize(VALUE argc, VALUE *argv, VALUE self)
 {
   PWSTR evtChannel, evtXPath;
+  VALUE channel, xpath, session;
   struct WinevtQuery* winevtQuery;
+  struct WinevtSession* winevtSession;
+  EVT_HANDLE hRemoteHandle = NULL;
   DWORD len;
   VALUE wchannelBuf, wpathBuf;
+  DWORD err;
+  rb_scan_args(argc, argv, "21", &channel, &xpath, &session);
   Check_Type(channel, T_STRING);
   Check_Type(xpath, T_STRING);
+  if (rb_obj_is_kind_of(session, rb_cSession)) {
+    winevtSession = EventSession(session);
+    hRemoteHandle = connect_to_remote(winevtSession->server,
+                                      winevtSession->domain,
+                                      winevtSession->username,
+                                      winevtSession->password,
+                                      winevtSession->flags);
+    err = GetLastError();
+    if (err != ERROR_SUCCESS) {
+      raise_system_error(rb_eRuntimeError, err);
+    }
+  }
   // channel : To wide char
   len =
     MultiByteToWideChar(CP_UTF8, 0, RSTRING_PTR(channel), RSTRING_LEN(channel), NULL, 0);
@@ -91,12 +117,17 @@ rb_winevt_query_initialize(VALUE self, VALUE channel, VALUE xpath)
   TypedData_Get_Struct(self, struct WinevtQuery, &rb_winevt_query_type, winevtQuery);
   winevtQuery->query = EvtQuery(
-    NULL, evtChannel, evtXPath, EvtQueryChannelPath | EvtQueryTolerateQueryErrors);
+    hRemoteHandle, evtChannel, evtXPath, EvtQueryChannelPath | EvtQueryTolerateQueryErrors);
+  err = GetLastError();
+  if (err != ERROR_SUCCESS) {
+    raise_system_error(rb_eRuntimeError, err);
+  }
   winevtQuery->offset = 0L;
   winevtQuery->timeout = 0L;
   winevtQuery->renderAsXML = TRUE;
   winevtQuery->preserveQualifiers = FALSE;
   winevtQuery->localeInfo = &default_locale;
+  winevtQuery->remoteHandle = hRemoteHandle;
   ALLOCV_END(wchannelBuf);
   ALLOCV_END(wpathBuf);
@@ -220,12 +251,12 @@ rb_winevt_query_render(VALUE self, EVT_HANDLE event)
 }
 static VALUE
-rb_winevt_query_message(EVT_HANDLE event, LocaleInfo* localeInfo)
+rb_winevt_query_message(EVT_HANDLE event, LocaleInfo* localeInfo, EVT_HANDLE hRemote)
 {
   WCHAR* wResult;
   VALUE utf8str;
-  wResult = get_description(event, localeInfo->langID);
+  wResult = get_description(event, localeInfo->langID, hRemote);
   utf8str = wstr_to_rb_str(CP_UTF8, wResult, -1);
   free(wResult);
@@ -337,7 +368,8 @@ rb_winevt_query_each_yield(VALUE self)
   for (int i = 0; i < winevtQuery->count; i++) {
     rb_yield_values(3,
                     rb_winevt_query_render(self, winevtQuery->hEvents[i]),
-                    rb_winevt_query_message(winevtQuery->hEvents[i], winevtQuery->localeInfo),
+                    rb_winevt_query_message(winevtQuery->hEvents[i], winevtQuery->localeInfo,
+                                            winevtQuery->remoteHandle),
                     rb_winevt_query_string_inserts(winevtQuery->hEvents[i]));
   }
   return Qnil;
@@ -401,7 +433,7 @@ rb_winevt_query_set_render_as_xml(VALUE self, VALUE rb_render_as_xml)
  * This method specifies whether preserving qualifiers key or not.
  *
  * @since 0.7.3
- * @param rb_render_as_xml [Boolean]
+ * @param rb_preserve_qualifiers [Boolean]
  */
 static VALUE
 rb_winevt_query_set_preserve_qualifiers(VALUE self, VALUE rb_preserve_qualifiers)
@@ -522,7 +554,7 @@ Init_winevt_query(VALUE rb_cEventLog)
   rb_define_const(rb_cFlag, "Strict", LONG2NUM(EvtSeekStrict));
   /* clang-format on */
-  rb_define_method(rb_cQuery, "initialize", rb_winevt_query_initialize, 2);
+  rb_define_method(rb_cQuery, "initialize", rb_winevt_query_initialize, -1);
   rb_define_method(rb_cQuery, "next", rb_winevt_query_next, 0);
   rb_define_method(rb_cQuery, "seek", rb_winevt_query_seek, 1);
   rb_define_method(rb_cQuery, "offset", rb_winevt_query_get_offset, 0);

data/ext/winevt/winevt_session.c ADDED

@@ -0,0 +1,425 @@
+#include <winevt_c.h>
+/* clang-format off */
+/*
+ * Document-class: Winevt::EventLog::Session
+ *
+ * Manage Session information for Windows EventLog.
+ *
+ * @example
+ *  require 'winevt'
+ *
+ *  @session = Winevt::EventLog::Session.new("127.0.0.1")
+ *
+ *  @session.domain = "<EXAMPLEGROUP>"
+ *  @session.username = "<username>"
+ *  @session.password = "<password>"
+ *  # Then pass @session veriable into Winevt::EventLog::Query or
+ *  # Winevt::EventLog::Subscribe#subscribe
+ *  @query = Winevt::EventLog::Query.new(
+ *    "Application",
+ *    "*[System[(Level <= 3) and TimeCreated[timediff(@SystemTime) <= 86400000]]]",
+ *    @session
+ *  )
+ *  # some stuff.
+ *
+ *  @subscribe = Winevt::EventLog::Subscribe.new
+ *  @subscribe.subscribe(
+ *    "Application",
+ *    "*[System[(Level <= 4) and TimeCreated[timediff(@SystemTime) <= 86400000]]]",
+ *    @session
+ *  )
+ *  # And some stuff.
+ * @since v0.9.0
+ */
+/* clang-format on */
+VALUE rb_cSession;
+VALUE rb_cRpcLoginFlag;
+static void session_free(void* ptr);
+static const rb_data_type_t rb_winevt_session_type = { "winevt/session",
+                                                       {
+                                                         0,
+                                                         session_free,
+                                                         0,
+                                                       },
+                                                       NULL,
+                                                       NULL,
+                                                       RUBY_TYPED_FREE_IMMEDIATELY };
+static void
+session_free(void* ptr)
+{
+  struct WinevtSession* winevtSession = (struct WinevtSession*)ptr;
+  if (winevtSession->server)
+    free(winevtSession->server);
+  if (winevtSession->domain)
+    free(winevtSession->domain);
+  if (winevtSession->username)
+    free(winevtSession->username);
+  if (winevtSession->password)
+    free(winevtSession->password);
+  xfree(ptr);
+}
+static VALUE
+rb_winevt_session_alloc(VALUE klass)
+{
+  VALUE obj;
+  struct WinevtSession* winevtSession;
+  obj = TypedData_Make_Struct(
+    klass, struct WinevtSession, &rb_winevt_session_type, winevtSession);
+  return obj;
+}
+/*
+ * Initalize Session class.
+ *
+ * @overload initialize(server, domain=nil, username=nil, password=nil, flags=Winevt::EventLog::Session::RpcLoginFlag::AuthDefault)
+ *   @param server [String] Server ip address or fqdn.
+ *   @param domain [String] Domain name.
+ *   @param username [String] username on remote server.
+ *   @param password [String] Remote server user password.
+ *   @param flags [Integer] Flags for authentication method choices.
+ * @return [Session]
+ *
+ */
+static VALUE
+rb_winevt_session_initialize(VALUE self)
+{
+  struct WinevtSession* winevtSession;
+  TypedData_Get_Struct(
+      self, struct WinevtSession, &rb_winevt_session_type, winevtSession);
+  winevtSession->server = NULL;
+  winevtSession->domain = NULL;
+  winevtSession->username = NULL;
+  winevtSession->password = NULL;
+  winevtSession->flags = EvtRpcLoginAuthDefault;
+  return Qnil;
+}
+/*
+ * This method returns server for remoting access.
+ *
+ * @return [String]
+ */
+static VALUE
+rb_winevt_session_get_server(VALUE self)
+{
+  struct WinevtSession* winevtSession;
+  TypedData_Get_Struct(self, struct WinevtSession, &rb_winevt_session_type, winevtSession);
+  if (winevtSession->server) {
+    return wstr_to_rb_str(CP_UTF8, winevtSession->server, -1);
+  } else {
+    return rb_str_new2("(NULL)");
+  }
+}
+/*
+ * This method specifies server for remoting access.
+ *
+ * @param rb_server [String] server
+ */
+static VALUE
+rb_winevt_session_set_server(VALUE self, VALUE rb_server)
+{
+  struct WinevtSession* winevtSession;
+  DWORD len;
+  VALUE vserverBuf;
+  PWSTR wServer;
+  Check_Type(rb_server, T_STRING);
+  TypedData_Get_Struct(self, struct WinevtSession, &rb_winevt_session_type, winevtSession);
+  len =
+    MultiByteToWideChar(CP_UTF8, 0,
+                        RSTRING_PTR(rb_server), RSTRING_LEN(rb_server),
+                        NULL, 0);
+  wServer = ALLOCV_N(WCHAR, vserverBuf, len + 1);
+  MultiByteToWideChar(CP_UTF8, 0,
+                      RSTRING_PTR(rb_server), RSTRING_LEN(rb_server),
+                      wServer, len);
+  winevtSession->server = _wcsdup(wServer);
+  wServer[len] = L'\0';
+  ALLOCV_END(vserverBuf);
+  return Qnil;
+}
+/*
+ * This method returns domain for remoting access.
+ *
+ * @return [String]
+ */
+static VALUE
+rb_winevt_session_get_domain(VALUE self)
+{
+  struct WinevtSession* winevtSession;
+  TypedData_Get_Struct(self, struct WinevtSession, &rb_winevt_session_type, winevtSession);
+  if (winevtSession->domain) {
+    return wstr_to_rb_str(CP_UTF8, winevtSession->domain, -1);
+  } else {
+    return rb_str_new2("(NULL)");
+  }
+}
+/*
+ * This method specifies domain for remoting access.
+ *
+ * @param rb_domain [String] domain
+ */
+static VALUE
+rb_winevt_session_set_domain(VALUE self, VALUE rb_domain)
+{
+  struct WinevtSession* winevtSession;
+  DWORD len;
+  VALUE vdomainBuf;
+  PWSTR wDomain;
+  Check_Type(rb_domain, T_STRING);
+  TypedData_Get_Struct(self, struct WinevtSession, &rb_winevt_session_type, winevtSession);
+  len =
+    MultiByteToWideChar(CP_UTF8, 0,
+                        RSTRING_PTR(rb_domain), RSTRING_LEN(rb_domain),
+                        NULL, 0);
+  wDomain = ALLOCV_N(WCHAR, vdomainBuf, len + 1);
+  MultiByteToWideChar(CP_UTF8, 0,
+                      RSTRING_PTR(rb_domain), RSTRING_LEN(rb_domain),
+                      wDomain, len);
+  wDomain[len] = L'\0';
+  winevtSession->domain = _wcsdup(wDomain);
+  ALLOCV_END(vdomainBuf);
+  return Qnil;
+}
+/*
+ * This method returns username for remoting access.
+ *
+ * @return [String]
+ */
+static VALUE
+rb_winevt_session_get_username(VALUE self)
+{
+  struct WinevtSession* winevtSession;
+  TypedData_Get_Struct(self, struct WinevtSession, &rb_winevt_session_type, winevtSession);
+  if (winevtSession->username) {
+    return wstr_to_rb_str(CP_UTF8, winevtSession->username, -1);
+  } else {
+    return rb_str_new2("(NULL)");
+  }
+}
+/*
+ * This method specifies username for remoting access.
+ *
+ * @param rb_username [String] username
+ */
+static VALUE
+rb_winevt_session_set_username(VALUE self, VALUE rb_username)
+{
+  struct WinevtSession* winevtSession;
+  DWORD len;
+  VALUE vusernameBuf;
+  PWSTR wUsername;
+  Check_Type(rb_username, T_STRING);
+  TypedData_Get_Struct(self, struct WinevtSession, &rb_winevt_session_type, winevtSession);
+  len =
+    MultiByteToWideChar(CP_UTF8, 0,
+                        RSTRING_PTR(rb_username), RSTRING_LEN(rb_username),
+                        NULL, 0);
+  wUsername = ALLOCV_N(WCHAR, vusernameBuf, len + 1);
+  MultiByteToWideChar(CP_UTF8, 0,
+                      RSTRING_PTR(rb_username), RSTRING_LEN(rb_username),
+                      wUsername, len);
+  wUsername[len] = L'\0';
+  winevtSession->username = _wcsdup(wUsername);
+  ALLOCV_END(vusernameBuf);
+  return Qnil;
+}
+/*
+ * This method returns password for remoting access.
+ *
+ * @return [String]
+ */
+static VALUE
+rb_winevt_session_get_password(VALUE self)
+{
+  struct WinevtSession* winevtSession;
+  TypedData_Get_Struct(self, struct WinevtSession, &rb_winevt_session_type, winevtSession);
+  if (winevtSession->password) {
+    return wstr_to_rb_str(CP_UTF8, winevtSession->password, -1);
+  } else {
+    return rb_str_new2("(NULL)");
+  }
+}
+/*
+ * This method specifies password for remoting access.
+ *
+ * @param rb_password [String] password
+ */
+static VALUE
+rb_winevt_session_set_password(VALUE self, VALUE rb_password)
+{
+  struct WinevtSession* winevtSession;
+  DWORD len;
+  VALUE vpasswordBuf;
+  PWSTR wPassword;
+  Check_Type(rb_password, T_STRING);
+  TypedData_Get_Struct(self, struct WinevtSession, &rb_winevt_session_type, winevtSession);
+  len =
+    MultiByteToWideChar(CP_UTF8, 0,
+                        RSTRING_PTR(rb_password), RSTRING_LEN(rb_password),
+                        NULL, 0);
+  wPassword = ALLOCV_N(WCHAR, vpasswordBuf, len + 1);
+  MultiByteToWideChar(CP_UTF8, 0,
+                      RSTRING_PTR(rb_password), RSTRING_LEN(rb_password),
+                      wPassword, len);
+  wPassword[len] = L'\0';
+  winevtSession->password = _wcsdup(wPassword);
+  ALLOCV_END(vpasswordBuf);
+  return Qnil;
+}
+/*
+ * This method returns flags for remoting access.
+ *
+ * @return [Integer]
+ */
+static VALUE
+rb_winevt_session_get_flags(VALUE self)
+{
+  struct WinevtSession* winevtSession;
+  TypedData_Get_Struct(self, struct WinevtSession, &rb_winevt_session_type, winevtSession);
+  return LONG2NUM(winevtSession->flags);
+}
+static DWORD
+get_session_rpc_login_flag_from_cstr(char* flag_str)
+{
+  if (strcmp(flag_str, "default") == 0)
+    return EvtRpcLoginAuthDefault;
+  else if (strcmp(flag_str, "negociate") == 0)
+    return EvtRpcLoginAuthNegotiate;
+  else if (strcmp(flag_str, "kerberos") == 0)
+    return EvtRpcLoginAuthKerberos;
+  else if (strcmp(flag_str, "ntlm") == 0)
+    return EvtRpcLoginAuthNTLM;
+  else
+    rb_raise(rb_eArgError, "Unknown rpc login flag: %s", flag_str);
+  return 0;
+}
+/*
+ * This method specifies flags for remoting access.
+ *
+ * @param rb_flags [Integer] flags
+ */
+static VALUE
+rb_winevt_session_set_flags(VALUE self, VALUE rb_flags)
+{
+  struct WinevtSession* winevtSession;
+  EVT_RPC_LOGIN_FLAGS flags = EvtRpcLoginAuthDefault;
+  TypedData_Get_Struct(self, struct WinevtSession, &rb_winevt_session_type, winevtSession);
+  switch(TYPE(rb_flags)) {
+    case T_SYMBOL:
+      flags = get_session_rpc_login_flag_from_cstr(RSTRING_PTR(rb_sym2str(rb_flags)));
+      break;
+    case T_STRING:
+      flags = get_session_rpc_login_flag_from_cstr(StringValuePtr(rb_flags));
+      break;
+    case T_FIXNUM:
+      flags = NUM2LONG(rb_flags);
+      break;
+    default:
+      rb_raise(rb_eArgError, "Expected Symbol, String or Fixnum in flags");
+  }
+  winevtSession->flags = flags;
+  return Qnil;
+}
+void
+Init_winevt_session(VALUE rb_cEventLog)
+{
+  rb_cSession = rb_define_class_under(rb_cEventLog, "Session", rb_cObject);
+  rb_define_alloc_func(rb_cSession, rb_winevt_session_alloc);
+  rb_cRpcLoginFlag = rb_define_module_under(rb_cSession, "RpcLoginFlag");
+  rb_define_method(rb_cSession, "initialize", rb_winevt_session_initialize, 0);
+  rb_define_method(rb_cSession, "server", rb_winevt_session_get_server, 0);
+  rb_define_method(rb_cSession, "server=", rb_winevt_session_set_server, 1);
+  rb_define_method(rb_cSession, "domain", rb_winevt_session_get_domain, 0);
+  rb_define_method(rb_cSession, "domain=", rb_winevt_session_set_domain, 1);
+  rb_define_method(rb_cSession, "username", rb_winevt_session_get_username, 0);
+  rb_define_method(rb_cSession, "username=", rb_winevt_session_set_username, 1);
+  rb_define_method(rb_cSession, "password", rb_winevt_session_get_password, 0);
+  rb_define_method(rb_cSession, "password=", rb_winevt_session_set_password, 1);
+  rb_define_method(rb_cSession, "flags", rb_winevt_session_get_flags, 0);
+  rb_define_method(rb_cSession, "flags=", rb_winevt_session_set_flags, 1);
+  /*
+   * EVT_RPC_LOGIN_FLAGS enumeration: EvtRpcLoginAuthDefault
+   * @see https://docs.microsoft.com/en-us/windows/win32/api/winevt/ne-winevt-evt_rpc_login_flags
+   */
+  rb_define_const(rb_cRpcLoginFlag, "AuthDefault", LONG2NUM(EvtRpcLoginAuthDefault));
+  /*
+   * EVT_RPC_LOGIN_FLAGS enumeration: EvtRpcLoginAuthNegociate
+   * @see https://docs.microsoft.com/en-us/windows/win32/api/winevt/ne-winevt-evt_rpc_login_flags
+   */
+  rb_define_const(rb_cRpcLoginFlag, "AuthNegociate", LONG2NUM(EvtRpcLoginAuthNegotiate));
+  /*
+   * EVT_RPC_LOGIN_FLAGS enumeration: EvtRpcLoginAuthKerberos
+   * @see https://docs.microsoft.com/en-us/windows/win32/api/winevt/ne-winevt-evt_rpc_login_flags
+   */
+  rb_define_const(rb_cRpcLoginFlag, "AuthKerberos", LONG2NUM(EvtRpcLoginAuthKerberos));
+  /*
+   * EVT_RPC_LOGIN_FLAGS enumeration: EvtRpcLoginAuthNTLM
+   * @see https://docs.microsoft.com/en-us/windows/win32/api/winevt/ne-winevt-evt_rpc_login_flags
+   */
+  rb_define_const(rb_cRpcLoginFlag, "AuthNTLM", LONG2NUM(EvtRpcLoginAuthNTLM));
+}

data/ext/winevt/winevt_subscribe.c CHANGED

@@ -57,6 +57,9 @@ subscribe_free(void* ptr)
     }
   }
+  if (winevtSubscribe->remoteHandle)
+    EvtClose(winevtSubscribe->remoteHandle);
   xfree(ptr);
 }
@@ -132,23 +135,27 @@ rb_winevt_subscribe_read_existing_events_p(VALUE self)
 /*
  * Subscribe into a Windows EventLog channel.
  *
- * @overload subscribe(path, query, options={})
+ * @overload subscribe(path, query, bookmark=nil, session=nil)
  *   @param path [String] Subscribe Channel
  *   @param query [String] Query string for channel
- *   @option options [Bookmark] bookmark Bookmark class instance.
+ *   @param bookmark [Bookmark] bookmark Bookmark class instance.
+ *   @param session [Session] Session information for remoting access.
  * @return [Boolean]
  *
  */
 static VALUE
 rb_winevt_subscribe_subscribe(int argc, VALUE* argv, VALUE self)
 {
-  VALUE rb_path, rb_query, rb_bookmark;
+  VALUE rb_path, rb_query, rb_bookmark, rb_session;
   EVT_HANDLE hSubscription = NULL, hBookmark = NULL;
   HANDLE hSignalEvent;
+  EVT_HANDLE hRemoteHandle = NULL;
   DWORD len, flags = 0L;
+  DWORD err = ERROR_SUCCESS;
   VALUE wpathBuf, wqueryBuf, wBookmarkBuf;
   PWSTR path, query, bookmarkXml;
   DWORD status = ERROR_SUCCESS;
+  struct WinevtSession* winevtSession;
   struct WinevtSubscribe* winevtSubscribe;
   hSignalEvent = CreateEvent(NULL, FALSE, FALSE, NULL);
@@ -156,7 +163,7 @@ rb_winevt_subscribe_subscribe(int argc, VALUE* argv, VALUE self)
   TypedData_Get_Struct(
     self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
-  rb_scan_args(argc, argv, "21", &rb_path, &rb_query, &rb_bookmark);
+  rb_scan_args(argc, argv, "22", &rb_path, &rb_query, &rb_bookmark, &rb_session);
   Check_Type(rb_path, T_STRING);
   Check_Type(rb_query, T_STRING);
@@ -179,6 +186,19 @@ rb_winevt_subscribe_subscribe(int argc, VALUE* argv, VALUE self)
       raise_system_error(rb_eWinevtQueryError, status);
     }
   }
+  if (rb_obj_is_kind_of(rb_session, rb_cSession)) {
+    winevtSession = EventSession(rb_session);
+    hRemoteHandle = connect_to_remote(winevtSession->server,
+                                      winevtSession->domain,
+                                      winevtSession->username,
+                                      winevtSession->password,
+                                      winevtSession->flags);
+    err = GetLastError();
+    if (err != ERROR_SUCCESS) {
+      raise_system_error(rb_eRuntimeError, err);
+    }
+  }
   // path : To wide char
   len =
@@ -204,7 +224,7 @@ rb_winevt_subscribe_subscribe(int argc, VALUE* argv, VALUE self)
   }
   hSubscription =
-    EvtSubscribe(NULL, hSignalEvent, path, query, hBookmark, NULL, NULL, flags);
+    EvtSubscribe(hRemoteHandle, hSignalEvent, path, query, hBookmark, NULL, NULL, flags);
   if (!hSubscription) {
     if (hBookmark != NULL) {
       EvtClose(hBookmark);
@@ -213,7 +233,11 @@ rb_winevt_subscribe_subscribe(int argc, VALUE* argv, VALUE self)
       CloseHandle(hSignalEvent);
     }
     status = GetLastError();
-    raise_system_error(rb_eWinevtQueryError, status);
+    if (rb_obj_is_kind_of(rb_session, rb_cSession)) {
+      rb_raise(rb_eRemoteHandlerError, "Remoting subscription is not working. errCode: %ld\n", status);
+    } else {
+      raise_system_error(rb_eWinevtQueryError, status);
+    }
   }
   if (winevtSubscribe->subscription != NULL) {
@@ -226,6 +250,7 @@ rb_winevt_subscribe_subscribe(int argc, VALUE* argv, VALUE self)
   winevtSubscribe->signalEvent = hSignalEvent;
   winevtSubscribe->subscription = hSubscription;
+  winevtSubscribe->remoteHandle = hRemoteHandle;
   if (hBookmark) {
     winevtSubscribe->bookmark = hBookmark;
   } else {
@@ -346,12 +371,12 @@ rb_winevt_subscribe_render(VALUE self, EVT_HANDLE event)
 }
 static VALUE
-rb_winevt_subscribe_message(EVT_HANDLE event, LocaleInfo* localeInfo)
+rb_winevt_subscribe_message(EVT_HANDLE event, LocaleInfo* localeInfo, EVT_HANDLE hRemote)
 {
   WCHAR* wResult;
   VALUE utf8str;
-  wResult = get_description(event, localeInfo->langID);
+  wResult = get_description(event, localeInfo->langID, hRemote);
   utf8str = wstr_to_rb_str(CP_UTF8, wResult, -1);
   free(wResult);
@@ -394,7 +419,8 @@ rb_winevt_subscribe_each_yield(VALUE self)
   for (int i = 0; i < winevtSubscribe->count; i++) {
     rb_yield_values(3,
                     rb_winevt_subscribe_render(self, winevtSubscribe->hEvents[i]),
-                    rb_winevt_subscribe_message(winevtSubscribe->hEvents[i], winevtSubscribe->localeInfo),
+                    rb_winevt_subscribe_message(winevtSubscribe->hEvents[i], winevtSubscribe->localeInfo,
+                                                winevtSubscribe->remoteHandle),
                     rb_winevt_subscribe_string_inserts(winevtSubscribe->hEvents[i]));
   }
@@ -523,7 +549,7 @@ rb_winevt_subscribe_set_render_as_xml(VALUE self, VALUE rb_render_as_xml)
  * This method specifies whether preserving qualifiers key or not.
  *
  * @since 0.7.3
- * @param rb_render_as_xml [Boolean]
+ * @param rb_preserve_qualifiers [Boolean]
  */
 static VALUE
 rb_winevt_subscribe_set_preserve_qualifiers(VALUE self, VALUE rb_preserve_qualifiers)

data/ext/winevt/winevt_utils.cpp CHANGED

@@ -76,6 +76,28 @@ render_to_rb_str(EVT_HANDLE handle, DWORD flags)
   return result;
 }
+EVT_HANDLE
+connect_to_remote(LPWSTR computerName, LPWSTR domain, LPWSTR username, LPWSTR password,
+                  EVT_RPC_LOGIN_FLAGS flags)
+{
+  EVT_HANDLE hRemote = NULL;
+  EVT_RPC_LOGIN Credentials;
+  RtlZeroMemory(&Credentials, sizeof(EVT_RPC_LOGIN));
+  Credentials.Server = computerName;
+  Credentials.Domain = domain;
+  Credentials.User = username;
+  Credentials.Password = password;
+  Credentials.Flags = flags;
+  hRemote = EvtOpenSession(EvtRpcLogin, &Credentials, 0, 0);
+  SecureZeroMemory(&Credentials, sizeof(EVT_RPC_LOGIN));
+  return hRemote;
+}
 static std::wstring
 guid_to_wstr(const GUID& guid)
 {
@@ -433,7 +455,7 @@ cleanup:
 }
 WCHAR*
-get_description(EVT_HANDLE handle, LANGID langID)
+get_description(EVT_HANDLE handle, LANGID langID, EVT_HANDLE hRemote)
 {
 #define BUFSIZE 4096
   std::vector<WCHAR> buffer(BUFSIZE);
@@ -470,7 +492,7 @@ get_description(EVT_HANDLE handle, LANGID langID)
   // Open publisher metadata
   hMetadata = EvtOpenPublisherMetadata(
-    nullptr,
+    hRemote,
     values[0].StringVal,
     nullptr,
     MAKELCID(langID, SORT_DEFAULT),

data/lib/winevt.rb CHANGED

@@ -7,6 +7,7 @@ require "winevt/bookmark"
 require "winevt/query"
 require "winevt/subscribe"
 require "winevt/version"
+require "winevt/session"
 module Winevt
   # Your code goes here...

data/lib/winevt/session.rb ADDED

@@ -0,0 +1,15 @@
+module Winevt
+  class EventLog
+    class Session
+      alias_method :initialize_raw, :initialize
+      def initialize(server, domain = nil, username = nil, password = nil)
+        initialize_raw
+        self.server = server
+        self.domain = domain if domain.is_a?(String)
+        self.username = username if username.is_a?(String)
+        self.password = password if password.is_a?(String)
+      end
+    end
+  end
+end

data/lib/winevt/subscribe.rb CHANGED

@@ -3,8 +3,11 @@ module Winevt
     class Subscribe
       alias_method :subscribe_raw, :subscribe
-      def subscribe(path, query, bookmark = nil)
-        if bookmark.is_a?(Winevt::EventLog::Bookmark)
+      def subscribe(path, query, bookmark = nil, session = nil)
+        if bookmark.is_a?(Winevt::EventLog::Bookmark) &&
+           session.is_a?(Winevt::EventLog::Session)
+          subscribe_raw(path, query, bookmark.render, session)
+        elsif bookmark.is_a?(Winevt::EventLog::Bookmark)
           subscribe_raw(path, query, bookmark.render)
         else
           subscribe_raw(path, query)

data/lib/winevt/version.rb CHANGED

@@ -1,3 +1,3 @@
 module Winevt
-  VERSION = "0.8.1"
+  VERSION = "0.9.0"
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: winevt_c
 version: !ruby/object:Gem::Version
-  version: 0.8.1
+  version: 0.9.0
 platform: ruby
 authors:
 - Hiroshi Hatake
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2020-05-22 00:00:00.000000000 Z
+date: 2020-09-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -132,11 +132,13 @@ files:
 - ext/winevt/winevt_locale.c
 - ext/winevt/winevt_locale_info.c
 - ext/winevt/winevt_query.c
+- ext/winevt/winevt_session.c
 - ext/winevt/winevt_subscribe.c
 - ext/winevt/winevt_utils.cpp
 - lib/winevt.rb
 - lib/winevt/bookmark.rb
 - lib/winevt/query.rb
+- lib/winevt/session.rb
 - lib/winevt/subscribe.rb
 - lib/winevt/version.rb
 - winevt_c.gemspec