RubyGems - winevt_c - Versions diffs - 0.8.1 → 0.9.0 - Mend

winevt_c 0.8.1 → 0.9.0

Files changed (14) hide show

checksums.yaml +4 -4
data/example/eventlog.rb +5 -1
data/example/tailing.rb +7 -1
data/ext/winevt/winevt.c +3 -0
data/ext/winevt/winevt_c.h +18 -1
data/ext/winevt/winevt_query.c +41 -9
data/ext/winevt/winevt_session.c +425 -0
data/ext/winevt/winevt_subscribe.c +36 -10
data/ext/winevt/winevt_utils.cpp +24 -2
data/lib/winevt.rb +1 -0
data/lib/winevt/session.rb +15 -0
data/lib/winevt/subscribe.rb +5 -2
data/lib/winevt/version.rb +1 -1
metadata +4 -2

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 29ee7a14f6020b16b7c7dda19d85898f1403721b49074555d71dc43a7a10544f
-  data.tar.gz: 48be391283aa449cc09d1d997ab2915c48276cd21239a75f8013bca60aaafc03
+  metadata.gz: fd29b4664130c80249811fb66df434aaa9219d6d375bcdaa7adfdd3fe72dd25e
+  data.tar.gz: 2a1e3ec7cb528269ebb65f4b1df72d6045f882d865956fb85def8bcb925d6944
 SHA512:
-  metadata.gz: f321563ec5c53f3305c130b1b13dddaa7136e38a46dbfac5c35e20a0d7525f4cc424546c6247fa226a50fd9932df65f849d5d4c354a56106cd9bcfa15908ec7c
-  data.tar.gz: 53af124b46df922069f703e624a07bd31f427c1e715f8cb4227a93e3efd5cd94e83eddeb1be649b0db30312fbb594aae143eb27023ee37c230cbfd2ddbf43133
+  metadata.gz: 0f80978e4268c233d2e309c0e9556f38386b35300381c04f4d84226ce239a85ccb48b20a2c2a3c59c3d0557347e95ff11e0ca11945eaa128ba2c78c67ebc9250
+  data.tar.gz: a8ff4fae4995b41910352186898d54c929a918f86a6a4efe29c0a5c93433d9c95d91be5c9f81fdb52ff5f2307cbb2e2e61790a22fe076b7221ba03c89aed48d5

data/example/eventlog.rb CHANGED

@@ -1,6 +1,10 @@
 require 'winevt'
-@query = Winevt::EventLog::Query.new("Application", "*[System[(Level <= 3) and TimeCreated[timediff(@SystemTime) <= 86400000]]]")
+@session = Winevt::EventLog::Session.new("127.0.0.1") # Or remote box ip
+# @session.domain = "<EXAMPLEGROUP>"
+# @session.username = "<username>"
+# @session.password = "<password>"
+@query = Winevt::EventLog::Query.new("Application", "*[System[(Level <= 4) and TimeCreated[timediff(@SystemTime) <= 86400000]]]", @session)
 @query.render_as_xml = true
 @query.preserve_qualifiers = true

data/example/tailing.rb CHANGED

@@ -1,11 +1,17 @@
 require 'winevt'
+@session = Winevt::EventLog::Session.new("127.0.0.1") # Or remote box ip
+# @session.domain = "<EXAMPLEGROUP>"
+# @session.username = "<username>"
+# @session.password = "<password>"
+@bookmark = Winevt::EventLog::Bookmark.new
 @subscribe = Winevt::EventLog::Subscribe.new
 @subscribe.read_existing_events = true
 @subscribe.preserve_qualifiers = true
 @subscribe.render_as_xml = true
 @subscribe.subscribe(
-  "Security", "*[System[(Level <= 4) and TimeCreated[timediff(@SystemTime) <= 86400000]]]"
+  "Security", "*[System[(Level <= 4) and TimeCreated[timediff(@SystemTime) <= 86400000]]]",
+  @bookmark, @session
 )
 while true do
   @subscribe.each do |eventlog, message, string_inserts|

data/ext/winevt/winevt.c CHANGED

@@ -5,6 +5,7 @@ VALUE rb_cQuery;
 VALUE rb_cEventLog;
 VALUE rb_cSubscribe;
 VALUE rb_eWinevtQueryError;
+VALUE rb_eRemoteHandlerError;
 static ID id_call;
@@ -16,12 +17,14 @@ Init_winevt(void)
   rb_cQuery = rb_define_class_under(rb_cEventLog, "Query", rb_cObject);
   rb_cSubscribe = rb_define_class_under(rb_cEventLog, "Subscribe", rb_cObject);
   rb_eWinevtQueryError = rb_define_class_under(rb_cQuery, "Error", rb_eStandardError);
+  rb_eRemoteHandlerError = rb_define_class_under(rb_cSubscribe, "RemoteHandlerError", rb_eRuntimeError);
   Init_winevt_channel(rb_cEventLog);
   Init_winevt_bookmark(rb_cEventLog);
   Init_winevt_query(rb_cEventLog);
   Init_winevt_subscribe(rb_cEventLog);
   Init_winevt_locale(rb_cEventLog);
+  Init_winevt_session(rb_cEventLog);
   id_call = rb_intern("call");
 }

data/ext/winevt/winevt_c.h CHANGED

@@ -21,6 +21,7 @@
 #define EventQuery(object) ((struct WinevtQuery*)DATA_PTR(object))
 #define EventBookMark(object) ((struct WinevtBookmark*)DATA_PTR(object))
 #define EventChannel(object) ((struct WinevtChannel*)DATA_PTR(object))
+#define EventSession(object) ((struct WinevtSession*)DATA_PTR(object))
 typedef struct {
   LANGID langID;
@@ -38,7 +39,10 @@ VALUE wstr_to_rb_str(UINT cp, const WCHAR* wstr, int clen);
 #endif /* __cplusplus */
 void  raise_system_error(VALUE error, DWORD errorCode);
 VALUE render_to_rb_str(EVT_HANDLE handle, DWORD flags);
-WCHAR* get_description(EVT_HANDLE handle, LANGID langID);
+EVT_HANDLE connect_to_remote(LPWSTR computerName, LPWSTR domain,
+                             LPWSTR username, LPWSTR password,
+                             EVT_RPC_LOGIN_FLAGS flags);
+WCHAR* get_description(EVT_HANDLE handle, LANGID langID, EVT_HANDLE hRemote);
 VALUE get_values(EVT_HANDLE handle);
 VALUE render_system_event(EVT_HANDLE handle, BOOL preserve_qualifiers);
 LocaleInfo* get_locale_info_from_rb_str(VALUE rb_locale_str);
@@ -53,7 +57,17 @@ extern VALUE rb_cChannel;
 extern VALUE rb_cBookmark;
 extern VALUE rb_cSubscribe;
 extern VALUE rb_eWinevtQueryError;
+extern VALUE rb_eRemoteHandlerError;
 extern VALUE rb_cLocale;
+extern VALUE rb_cSession;
+struct WinevtSession {
+  LPWSTR server;
+  LPWSTR domain;
+  LPWSTR username;
+  LPWSTR password;
+  EVT_RPC_LOGIN_FLAGS flags;
+};
 extern LocaleInfo localeInfoTable[];
 extern LocaleInfo default_locale;
@@ -84,6 +98,7 @@ struct WinevtQuery
   BOOL renderAsXML;
   BOOL preserveQualifiers;
   LocaleInfo *localeInfo;
+  EVT_HANDLE remoteHandle;
 };
 #define SUBSCRIBE_ARRAY_SIZE 10
@@ -104,6 +119,7 @@ struct WinevtSubscribe
   BOOL renderAsXML;
   BOOL preserveQualifiers;
   LocaleInfo* localeInfo;
+  EVT_HANDLE remoteHandle;
 };
 void Init_winevt_query(VALUE rb_cEventLog);
@@ -111,5 +127,6 @@ void Init_winevt_channel(VALUE rb_cEventLog);
 void Init_winevt_bookmark(VALUE rb_cEventLog);
 void Init_winevt_subscribe(VALUE rb_cEventLog);
 void Init_winevt_locale(VALUE rb_cEventLog);
+void Init_winevt_session(VALUE rb_cEventLog);
 #endif // _WINEVT_C_H

data/ext/winevt/winevt_query.c CHANGED

@@ -42,6 +42,10 @@ query_free(void* ptr)
     if (winevtQuery->hEvents[i])
       EvtClose(winevtQuery->hEvents[i]);
   }
+  if (winevtQuery->remoteHandle)
+    EvtClose(winevtQuery->remoteHandle);
   xfree(ptr);
 }
@@ -58,22 +62,44 @@ rb_winevt_query_alloc(VALUE klass)
 /*
  * Initalize Query class.
  *
- * @param channel [String] Querying EventLog channel.
- * @param xpath [String] Querying XPath.
+ * @overload initialize(channel, xpath, session=nil)
+ *   @param channel [String] Querying EventLog channel.
+ *   @param xpath [String] Querying XPath.
+ *   @param session [Session] Session information for remoting access.
  * @return [Query]
  *
  */
 static VALUE
-rb_winevt_query_initialize(VALUE self, VALUE channel, VALUE xpath)
+rb_winevt_query_initialize(VALUE argc, VALUE *argv, VALUE self)
 {
   PWSTR evtChannel, evtXPath;
+  VALUE channel, xpath, session;
   struct WinevtQuery* winevtQuery;
+  struct WinevtSession* winevtSession;
+  EVT_HANDLE hRemoteHandle = NULL;
   DWORD len;
   VALUE wchannelBuf, wpathBuf;
+  DWORD err;
+  rb_scan_args(argc, argv, "21", &channel, &xpath, &session);
   Check_Type(channel, T_STRING);
   Check_Type(xpath, T_STRING);
+  if (rb_obj_is_kind_of(session, rb_cSession)) {
+    winevtSession = EventSession(session);
+    hRemoteHandle = connect_to_remote(winevtSession->server,
+                                      winevtSession->domain,
+                                      winevtSession->username,
+                                      winevtSession->password,
+                                      winevtSession->flags);
+    err = GetLastError();
+    if (err != ERROR_SUCCESS) {
+      raise_system_error(rb_eRuntimeError, err);
+    }
+  }
   // channel : To wide char
   len =
     MultiByteToWideChar(CP_UTF8, 0, RSTRING_PTR(channel), RSTRING_LEN(channel), NULL, 0);
@@ -91,12 +117,17 @@ rb_winevt_query_initialize(VALUE self, VALUE channel, VALUE xpath)
   TypedData_Get_Struct(self, struct WinevtQuery, &rb_winevt_query_type, winevtQuery);
   winevtQuery->query = EvtQuery(
-    NULL, evtChannel, evtXPath, EvtQueryChannelPath | EvtQueryTolerateQueryErrors);
+    hRemoteHandle, evtChannel, evtXPath, EvtQueryChannelPath | EvtQueryTolerateQueryErrors);
+  err = GetLastError();
+  if (err != ERROR_SUCCESS) {
+    raise_system_error(rb_eRuntimeError, err);
+  }
   winevtQuery->offset = 0L;
   winevtQuery->timeout = 0L;
   winevtQuery->renderAsXML = TRUE;
   winevtQuery->preserveQualifiers = FALSE;
   winevtQuery->localeInfo = &default_locale;
+  winevtQuery->remoteHandle = hRemoteHandle;
   ALLOCV_END(wchannelBuf);
   ALLOCV_END(wpathBuf);
@@ -220,12 +251,12 @@ rb_winevt_query_render(VALUE self, EVT_HANDLE event)
 }
 static VALUE
-rb_winevt_query_message(EVT_HANDLE event, LocaleInfo* localeInfo)
+rb_winevt_query_message(EVT_HANDLE event, LocaleInfo* localeInfo, EVT_HANDLE hRemote)
 {
   WCHAR* wResult;
   VALUE utf8str;
-  wResult = get_description(event, localeInfo->langID);
+  wResult = get_description(event, localeInfo->langID, hRemote);
   utf8str = wstr_to_rb_str(CP_UTF8, wResult, -1);
   free(wResult);
@@ -337,7 +368,8 @@ rb_winevt_query_each_yield(VALUE self)
   for (int i = 0; i < winevtQuery->count; i++) {
     rb_yield_values(3,
                     rb_winevt_query_render(self, winevtQuery->hEvents[i]),
-                    rb_winevt_query_message(winevtQuery->hEvents[i], winevtQuery->localeInfo),
+                    rb_winevt_query_message(winevtQuery->hEvents[i], winevtQuery->localeInfo,
+                                            winevtQuery->remoteHandle),
                     rb_winevt_query_string_inserts(winevtQuery->hEvents[i]));
   }
   return Qnil;
@@ -401,7 +433,7 @@ rb_winevt_query_set_render_as_xml(VALUE self, VALUE rb_render_as_xml)
  * This method specifies whether preserving qualifiers key or not.
  *
  * @since 0.7.3
- * @param rb_render_as_xml [Boolean]
+ * @param rb_preserve_qualifiers [Boolean]
  */
 static VALUE
 rb_winevt_query_set_preserve_qualifiers(VALUE self, VALUE rb_preserve_qualifiers)
@@ -522,7 +554,7 @@ Init_winevt_query(VALUE rb_cEventLog)
   rb_define_const(rb_cFlag, "Strict", LONG2NUM(EvtSeekStrict));
   /* clang-format on */
-  rb_define_method(rb_cQuery, "initialize", rb_winevt_query_initialize, 2);
+  rb_define_method(rb_cQuery, "initialize", rb_winevt_query_initialize, -1);
   rb_define_method(rb_cQuery, "next", rb_winevt_query_next, 0);
   rb_define_method(rb_cQuery, "seek", rb_winevt_query_seek, 1);
   rb_define_method(rb_cQuery, "offset", rb_winevt_query_get_offset, 0);

data/ext/winevt/winevt_session.c ADDED

@@ -0,0 +1,425 @@
+#include <winevt_c.h>
+/* clang-format off */
+/*
+ * Document-class: Winevt::EventLog::Session
+ *
+ * Manage Session information for Windows EventLog.
+ *
+ * @example
+ *  require 'winevt'
+ *
+ *  @session = Winevt::EventLog::Session.new("127.0.0.1")
+ *
+ *  @session.domain = "<EXAMPLEGROUP>"
+ *  @session.username = "<username>"
+ *  @session.password = "<password>"
+ *  # Then pass @session veriable into Winevt::EventLog::Query or
+ *  # Winevt::EventLog::Subscribe#subscribe
+ *  @query = Winevt::EventLog::Query.new(
+ *    "Application",
+ *    "*[System[(Level <= 3) and TimeCreated[timediff(@SystemTime) <= 86400000]]]",
+ *    @session
+ *  )
+ *  # some stuff.
+ *
+ *  @subscribe = Winevt::EventLog::Subscribe.new
+ *  @subscribe.subscribe(
+ *    "Application",
+ *    "*[System[(Level <= 4) and TimeCreated[timediff(@SystemTime) <= 86400000]]]",
+ *    @session
+ *  )
+ *  # And some stuff.
+ * @since v0.9.0
+ */
+/* clang-format on */
+VALUE rb_cSession;
+VALUE rb_cRpcLoginFlag;
+static void session_free(void* ptr);
+static const rb_data_type_t rb_winevt_session_type = { "winevt/session",
+                                                       {
+                                                         0,
+                                                         session_free,
+                                                         0,
+                                                       },
+                                                       NULL,
+                                                       NULL,
+                                                       RUBY_TYPED_FREE_IMMEDIATELY };
+static void
+session_free(void* ptr)
+{
+  struct WinevtSession* winevtSession = (struct WinevtSession*)ptr;
+  if (winevtSession->server)
+    free(winevtSession->server);
+  if (winevtSession->domain)
+    free(winevtSession->domain);
+  if (winevtSession->username)
+    free(winevtSession->username);
+  if (winevtSession->password)
+    free(winevtSession->password);
+  xfree(ptr);
+}
+static VALUE
+rb_winevt_session_alloc(VALUE klass)
+{
+  VALUE obj;
+  struct WinevtSession* winevtSession;
+  obj = TypedData_Make_Struct(
+    klass, struct WinevtSession, &rb_winevt_session_type, winevtSession);
+  return obj;
+}
+/*
+ * Initalize Session class.
+ *
+ * @overload initialize(server, domain=nil, username=nil, password=nil, flags=Winevt::EventLog::Session::RpcLoginFlag::AuthDefault)
+ *   @param server [String] Server ip address or fqdn.
+ *   @param domain [String] Domain name.
+ *   @param username [String] username on remote server.
+ *   @param password [String] Remote server user password.
+ *   @param flags [Integer] Flags for authentication method choices.
+ * @return [Session]
+ *
+ */
+static VALUE
+rb_winevt_session_initialize(VALUE self)
+{
+  struct WinevtSession* winevtSession;
+  TypedData_Get_Struct(
+      self, struct WinevtSession, &rb_winevt_session_type, winevtSession);
+  winevtSession->server = NULL;
+  winevtSession->domain = NULL;
+  winevtSession->username = NULL;
+  winevtSession->password = NULL;
+  winevtSession->flags = EvtRpcLoginAuthDefault;
+  return Qnil;
+}
+/*
+ * This method returns server for remoting access.
+ *
+ * @return [String]
+ */
+static VALUE
+rb_winevt_session_get_server(VALUE self)
+{
+  struct WinevtSession* winevtSession;
+  TypedData_Get_Struct(self, struct WinevtSession, &rb_winevt_session_type, winevtSession);
+  if (winevtSession->server) {
+    return wstr_to_rb_str(CP_UTF8, winevtSession->server, -1);
+  } else {
+    return rb_str_new2("(NULL)");
+  }
+}
+/*
+ * This method specifies server for remoting access.
+ *
+ * @param rb_server [String] server
+ */
+static VALUE
+rb_winevt_session_set_server(VALUE self, VALUE rb_server)
+{
+  struct WinevtSession* winevtSession;
+  DWORD len;
+  VALUE vserverBuf;
+  PWSTR wServer;
+  Check_Type(rb_server, T_STRING);
+  TypedData_Get_Struct(self, struct WinevtSession, &rb_winevt_session_type, winevtSession);
+  len =
+    MultiByteToWideChar(CP_UTF8, 0,
+                        RSTRING_PTR(rb_server), RSTRING_LEN(rb_server),
+                        NULL, 0);
+  wServer = ALLOCV_N(WCHAR, vserverBuf, len + 1);
+  MultiByteToWideChar(CP_UTF8, 0,
+                      RSTRING_PTR(rb_server), RSTRING_LEN(rb_server),
+                      wServer, len);
+  winevtSession->server = _wcsdup(wServer);
+  wServer[len] = L'\0';
+  ALLOCV_END(vserverBuf);
+  return Qnil;
+}
+/*
+ * This method returns domain for remoting access.
+ *
+ * @return [String]
+ */
+static VALUE
+rb_winevt_session_get_domain(VALUE self)
+{
+  struct WinevtSession* winevtSession;
+  TypedData_Get_Struct(self, struct WinevtSession, &rb_winevt_session_type, winevtSession);
+  if (winevtSession->domain) {
+    return wstr_to_rb_str(CP_UTF8, winevtSession->domain, -1);
+  } else {
+    return rb_str_new2("(NULL)");
+  }
+}
+/*
+ * This method specifies domain for remoting access.
+ *
+ * @param rb_domain [String] domain
+ */
+static VALUE
+rb_winevt_session_set_domain(VALUE self, VALUE rb_domain)
+{
+  struct WinevtSession* winevtSession;
+  DWORD len;
+  VALUE vdomainBuf;
+  PWSTR wDomain;
+  Check_Type(rb_domain, T_STRING);
+  TypedData_Get_Struct(self, struct WinevtSession, &rb_winevt_session_type, winevtSession);
+  len =
+    MultiByteToWideChar(CP_UTF8, 0,
+                        RSTRING_PTR(rb_domain), RSTRING_LEN(rb_domain),
+                        NULL, 0);
+  wDomain = ALLOCV_N(WCHAR, vdomainBuf, len + 1);
+  MultiByteToWideChar(CP_UTF8, 0,
+                      RSTRING_PTR(rb_domain), RSTRING_LEN(rb_domain),
+                      wDomain, len);
+  wDomain[len] = L'\0';
+  winevtSession->domain = _wcsdup(wDomain);
+  ALLOCV_END(vdomainBuf);
+  return Qnil;
+}
+/*
+ * This method returns username for remoting access.
+ *
+ * @return [String]
+ */
+static VALUE
+rb_winevt_session_get_username(VALUE self)
+{
+  struct WinevtSession* winevtSession;
+  TypedData_Get_Struct(self, struct WinevtSession, &rb_winevt_session_type, winevtSession);
+  if (winevtSession->username) {
+    return wstr_to_rb_str(CP_UTF8, winevtSession->username, -1);
+  } else {
+    return rb_str_new2("(NULL)");
+  }
+}
+/*
+ * This method specifies username for remoting access.
+ *
+ * @param rb_username [String] username
+ */
+static VALUE
+rb_winevt_session_set_username(VALUE self, VALUE rb_username)
+{
+  struct WinevtSession* winevtSession;
+  DWORD len;
+  VALUE vusernameBuf;
+  PWSTR wUsername;
+  Check_Type(rb_username, T_STRING);
+  TypedData_Get_Struct(self, struct WinevtSession, &rb_winevt_session_type, winevtSession);
+  len =
+    MultiByteToWideChar(CP_UTF8, 0,
+                        RSTRING_PTR(rb_username), RSTRING_LEN(rb_username),
+                        NULL, 0);
+  wUsername = ALLOCV_N(WCHAR, vusernameBuf, len + 1);
+  MultiByteToWideChar(CP_UTF8, 0,
+                      RSTRING_PTR(rb_username), RSTRING_LEN(rb_username),
+                      wUsername, len);
+  wUsername[len] = L'\0';
+  winevtSession->username = _wcsdup(wUsername);
+  ALLOCV_END(vusernameBuf);
+  return Qnil;
+}
+/*
+ * This method returns password for remoting access.
+ *
+ * @return [String]
+ */
+static VALUE
+rb_winevt_session_get_password(VALUE self)
+{
+  struct WinevtSession* winevtSession;
+  TypedData_Get_Struct(self, struct WinevtSession, &rb_winevt_session_type, winevtSession);
+  if (winevtSession->password) {
+    return wstr_to_rb_str(CP_UTF8, winevtSession->password, -1);
+  } else {
+    return rb_str_new2("(NULL)");
+  }
+}
+/*
+ * This method specifies password for remoting access.
+ *
+ * @param rb_password [String] password
+ */
+static VALUE
+rb_winevt_session_set_password(VALUE self, VALUE rb_password)
+{
+  struct WinevtSession* winevtSession;
+  DWORD len;
+  VALUE vpasswordBuf;
+  PWSTR wPassword;
+  Check_Type(rb_password, T_STRING);
+  TypedData_Get_Struct(self, struct WinevtSession, &rb_winevt_session_type, winevtSession);
+  len =
+    MultiByteToWideChar(CP_UTF8, 0,
+                        RSTRING_PTR(rb_password), RSTRING_LEN(rb_password),
+                        NULL, 0);
+  wPassword = ALLOCV_N(WCHAR, vpasswordBuf, len + 1);
+  MultiByteToWideChar(CP_UTF8, 0,
+                      RSTRING_PTR(rb_password), RSTRING_LEN(rb_password),
+                      wPassword, len);
+  wPassword[len] = L'\0';
+  winevtSession->password = _wcsdup(wPassword);
+  ALLOCV_END(vpasswordBuf);
+  return Qnil;
+}
+/*
+ * This method returns flags for remoting access.
+ *
+ * @return [Integer]
+ */
+static VALUE
+rb_winevt_session_get_flags(VALUE self)
+{
+  struct WinevtSession* winevtSession;
+  TypedData_Get_Struct(self, struct WinevtSession, &rb_winevt_session_type, winevtSession);
+  return LONG2NUM(winevtSession->flags);
+}
+static DWORD
+get_session_rpc_login_flag_from_cstr(char* flag_str)
+{
+  if (strcmp(flag_str, "default") == 0)
+    return EvtRpcLoginAuthDefault;
+  else if (strcmp(flag_str, "negociate") == 0)
+    return EvtRpcLoginAuthNegotiate;
+  else if (strcmp(flag_str, "kerberos") == 0)
+    return EvtRpcLoginAuthKerberos;
+  else if (strcmp(flag_str, "ntlm") == 0)
+    return EvtRpcLoginAuthNTLM;
+  else
+    rb_raise(rb_eArgError, "Unknown rpc login flag: %s", flag_str);
+  return 0;
+}
+/*
+ * This method specifies flags for remoting access.
+ *
+ * @param rb_flags [Integer] flags
+ */
+static VALUE
+rb_winevt_session_set_flags(VALUE self, VALUE rb_flags)
+{
+  struct WinevtSession* winevtSession;
+  EVT_RPC_LOGIN_FLAGS flags = EvtRpcLoginAuthDefault;
+  TypedData_Get_Struct(self, struct WinevtSession, &rb_winevt_session_type, winevtSession);
+  switch(TYPE(rb_flags)) {
+    case T_SYMBOL:
+      flags = get_session_rpc_login_flag_from_cstr(RSTRING_PTR(rb_sym2str(rb_flags)));
+      break;
+    case T_STRING:
+      flags = get_session_rpc_login_flag_from_cstr(StringValuePtr(rb_flags));
+      break;
+    case T_FIXNUM:
+      flags = NUM2LONG(rb_flags);
+      break;
+    default:
+      rb_raise(rb_eArgError, "Expected Symbol, String or Fixnum in flags");
+  }
+  winevtSession->flags = flags;
+  return Qnil;
+}
+void
+Init_winevt_session(VALUE rb_cEventLog)
+{
+  rb_cSession = rb_define_class_under(rb_cEventLog, "Session", rb_cObject);
+  rb_define_alloc_func(rb_cSession, rb_winevt_session_alloc);
+  rb_cRpcLoginFlag = rb_define_module_under(rb_cSession, "RpcLoginFlag");
+  rb_define_method(rb_cSession, "initialize", rb_winevt_session_initialize, 0);
+  rb_define_method(rb_cSession, "server", rb_winevt_session_get_server, 0);
+  rb_define_method(rb_cSession, "server=", rb_winevt_session_set_server, 1);
+  rb_define_method(rb_cSession, "domain", rb_winevt_session_get_domain, 0);
+  rb_define_method(rb_cSession, "domain=", rb_winevt_session_set_domain, 1);
+  rb_define_method(rb_cSession, "username", rb_winevt_session_get_username, 0);
+  rb_define_method(rb_cSession, "username=", rb_winevt_session_set_username, 1);
+  rb_define_method(rb_cSession, "password", rb_winevt_session_get_password, 0);
+  rb_define_method(rb_cSession, "password=", rb_winevt_session_set_password, 1);
+  rb_define_method(rb_cSession, "flags", rb_winevt_session_get_flags, 0);
+  rb_define_method(rb_cSession, "flags=", rb_winevt_session_set_flags, 1);
+  /*
+   * EVT_RPC_LOGIN_FLAGS enumeration: EvtRpcLoginAuthDefault
+   * @see https://docs.microsoft.com/en-us/windows/win32/api/winevt/ne-winevt-evt_rpc_login_flags
+   */
+  rb_define_const(rb_cRpcLoginFlag, "AuthDefault", LONG2NUM(EvtRpcLoginAuthDefault));
+  /*
+   * EVT_RPC_LOGIN_FLAGS enumeration: EvtRpcLoginAuthNegociate
+   * @see https://docs.microsoft.com/en-us/windows/win32/api/winevt/ne-winevt-evt_rpc_login_flags
+   */
+  rb_define_const(rb_cRpcLoginFlag, "AuthNegociate", LONG2NUM(EvtRpcLoginAuthNegotiate));
+  /*
+   * EVT_RPC_LOGIN_FLAGS enumeration: EvtRpcLoginAuthKerberos
+   * @see https://docs.microsoft.com/en-us/windows/win32/api/winevt/ne-winevt-evt_rpc_login_flags
+   */
+  rb_define_const(rb_cRpcLoginFlag, "AuthKerberos", LONG2NUM(EvtRpcLoginAuthKerberos));
+  /*
+   * EVT_RPC_LOGIN_FLAGS enumeration: EvtRpcLoginAuthNTLM
+   * @see https://docs.microsoft.com/en-us/windows/win32/api/winevt/ne-winevt-evt_rpc_login_flags
+   */
+  rb_define_const(rb_cRpcLoginFlag, "AuthNTLM", LONG2NUM(EvtRpcLoginAuthNTLM));
+}

data/ext/winevt/winevt_subscribe.c CHANGED

@@ -57,6 +57,9 @@ subscribe_free(void* ptr)
     }
   }
+  if (winevtSubscribe->remoteHandle)
+    EvtClose(winevtSubscribe->remoteHandle);
   xfree(ptr);
 }
@@ -132,23 +135,27 @@ rb_winevt_subscribe_read_existing_events_p(VALUE self)
 /*
  * Subscribe into a Windows EventLog channel.
  *
- * @overload subscribe(path, query, options={})
+ * @overload subscribe(path, query, bookmark=nil, session=nil)
  *   @param path [String] Subscribe Channel
  *   @param query [String] Query string for channel
- *   @option options [Bookmark] bookmark Bookmark class instance.
+ *   @param bookmark [Bookmark] bookmark Bookmark class instance.
+ *   @param session [Session] Session information for remoting access.
  * @return [Boolean]
  *
  */
 static VALUE
 rb_winevt_subscribe_subscribe(int argc, VALUE* argv, VALUE self)
 {
-  VALUE rb_path, rb_query, rb_bookmark;
+  VALUE rb_path, rb_query, rb_bookmark, rb_session;
   EVT_HANDLE hSubscription = NULL, hBookmark = NULL;
   HANDLE hSignalEvent;
+  EVT_HANDLE hRemoteHandle = NULL;
   DWORD len, flags = 0L;
+  DWORD err = ERROR_SUCCESS;
   VALUE wpathBuf, wqueryBuf, wBookmarkBuf;
   PWSTR path, query, bookmarkXml;
   DWORD status = ERROR_SUCCESS;
+  struct WinevtSession* winevtSession;
   struct WinevtSubscribe* winevtSubscribe;
   hSignalEvent = CreateEvent(NULL, FALSE, FALSE, NULL);
@@ -156,7 +163,7 @@ rb_winevt_subscribe_subscribe(int argc, VALUE* argv, VALUE self)
   TypedData_Get_Struct(
     self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
-  rb_scan_args(argc, argv, "21", &rb_path, &rb_query, &rb_bookmark);
+  rb_scan_args(argc, argv, "22", &rb_path, &rb_query, &rb_bookmark, &rb_session);
   Check_Type(rb_path, T_STRING);
   Check_Type(rb_query, T_STRING);
@@ -179,6 +186,19 @@ rb_winevt_subscribe_subscribe(int argc, VALUE* argv, VALUE self)
       raise_system_error(rb_eWinevtQueryError, status);
     }
   }
+  if (rb_obj_is_kind_of(rb_session, rb_cSession)) {
+    winevtSession = EventSession(rb_session);
+    hRemoteHandle = connect_to_remote(winevtSession->server,
+                                      winevtSession->domain,
+                                      winevtSession->username,
+                                      winevtSession->password,
+                                      winevtSession->flags);
+    err = GetLastError();
+    if (err != ERROR_SUCCESS) {
+      raise_system_error(rb_eRuntimeError, err);
+    }
+  }
   // path : To wide char
   len =
@@ -204,7 +224,7 @@ rb_winevt_subscribe_subscribe(int argc, VALUE* argv, VALUE self)
   }
   hSubscription =
-    EvtSubscribe(NULL, hSignalEvent, path, query, hBookmark, NULL, NULL, flags);
+    EvtSubscribe(hRemoteHandle, hSignalEvent, path, query, hBookmark, NULL, NULL, flags);
   if (!hSubscription) {
     if (hBookmark != NULL) {
       EvtClose(hBookmark);
@@ -213,7 +233,11 @@ rb_winevt_subscribe_subscribe(int argc, VALUE* argv, VALUE self)
       CloseHandle(hSignalEvent);
     }
     status = GetLastError();
-    raise_system_error(rb_eWinevtQueryError, status);
+    if (rb_obj_is_kind_of(rb_session, rb_cSession)) {
+      rb_raise(rb_eRemoteHandlerError, "Remoting subscription is not working. errCode: %ld\n", status);
+    } else {
+      raise_system_error(rb_eWinevtQueryError, status);
+    }
   }
   if (winevtSubscribe->subscription != NULL) {
@@ -226,6 +250,7 @@ rb_winevt_subscribe_subscribe(int argc, VALUE* argv, VALUE self)
   winevtSubscribe->signalEvent = hSignalEvent;
   winevtSubscribe->subscription = hSubscription;
+  winevtSubscribe->remoteHandle = hRemoteHandle;
   if (hBookmark) {
     winevtSubscribe->bookmark = hBookmark;
   } else {
@@ -346,12 +371,12 @@ rb_winevt_subscribe_render(VALUE self, EVT_HANDLE event)
 }
 static VALUE
-rb_winevt_subscribe_message(EVT_HANDLE event, LocaleInfo* localeInfo)
+rb_winevt_subscribe_message(EVT_HANDLE event, LocaleInfo* localeInfo, EVT_HANDLE hRemote)
 {
   WCHAR* wResult;
   VALUE utf8str;
-  wResult = get_description(event, localeInfo->langID);
+  wResult = get_description(event, localeInfo->langID, hRemote);
   utf8str = wstr_to_rb_str(CP_UTF8, wResult, -1);
   free(wResult);
@@ -394,7 +419,8 @@ rb_winevt_subscribe_each_yield(VALUE self)
   for (int i = 0; i < winevtSubscribe->count; i++) {
     rb_yield_values(3,
                     rb_winevt_subscribe_render(self, winevtSubscribe->hEvents[i]),
-                    rb_winevt_subscribe_message(winevtSubscribe->hEvents[i], winevtSubscribe->localeInfo),
+                    rb_winevt_subscribe_message(winevtSubscribe->hEvents[i], winevtSubscribe->localeInfo,
+                                                winevtSubscribe->remoteHandle),
                     rb_winevt_subscribe_string_inserts(winevtSubscribe->hEvents[i]));
   }
@@ -523,7 +549,7 @@ rb_winevt_subscribe_set_render_as_xml(VALUE self, VALUE rb_render_as_xml)
  * This method specifies whether preserving qualifiers key or not.
  *
  * @since 0.7.3
- * @param rb_render_as_xml [Boolean]
+ * @param rb_preserve_qualifiers [Boolean]
  */
 static VALUE
 rb_winevt_subscribe_set_preserve_qualifiers(VALUE self, VALUE rb_preserve_qualifiers)

data/ext/winevt/winevt_utils.cpp CHANGED

@@ -76,6 +76,28 @@ render_to_rb_str(EVT_HANDLE handle, DWORD flags)
   return result;
 }
+EVT_HANDLE
+connect_to_remote(LPWSTR computerName, LPWSTR domain, LPWSTR username, LPWSTR password,
+                  EVT_RPC_LOGIN_FLAGS flags)
+{
+  EVT_HANDLE hRemote = NULL;
+  EVT_RPC_LOGIN Credentials;
+  RtlZeroMemory(&Credentials, sizeof(EVT_RPC_LOGIN));
+  Credentials.Server = computerName;
+  Credentials.Domain = domain;
+  Credentials.User = username;
+  Credentials.Password = password;
+  Credentials.Flags = flags;
+  hRemote = EvtOpenSession(EvtRpcLogin, &Credentials, 0, 0);
+  SecureZeroMemory(&Credentials, sizeof(EVT_RPC_LOGIN));
+  return hRemote;
+}
 static std::wstring
 guid_to_wstr(const GUID& guid)
 {
@@ -433,7 +455,7 @@ cleanup:
 }
 WCHAR*
-get_description(EVT_HANDLE handle, LANGID langID)
+get_description(EVT_HANDLE handle, LANGID langID, EVT_HANDLE hRemote)
 {
 #define BUFSIZE 4096
   std::vector<WCHAR> buffer(BUFSIZE);
@@ -470,7 +492,7 @@ get_description(EVT_HANDLE handle, LANGID langID)
   // Open publisher metadata
   hMetadata = EvtOpenPublisherMetadata(
-    nullptr,
+    hRemote,
     values[0].StringVal,
     nullptr,
     MAKELCID(langID, SORT_DEFAULT),

data/lib/winevt.rb CHANGED

@@ -7,6 +7,7 @@ require "winevt/bookmark"
 require "winevt/query"
 require "winevt/subscribe"
 require "winevt/version"
+require "winevt/session"
 module Winevt
   # Your code goes here...

data/lib/winevt/session.rb ADDED

@@ -0,0 +1,15 @@
+module Winevt
+  class EventLog
+    class Session
+      alias_method :initialize_raw, :initialize
+      def initialize(server, domain = nil, username = nil, password = nil)
+        initialize_raw
+        self.server = server
+        self.domain = domain if domain.is_a?(String)
+        self.username = username if username.is_a?(String)
+        self.password = password if password.is_a?(String)
+      end
+    end
+  end
+end

data/lib/winevt/subscribe.rb CHANGED

@@ -3,8 +3,11 @@ module Winevt
     class Subscribe
       alias_method :subscribe_raw, :subscribe
-      def subscribe(path, query, bookmark = nil)
-        if bookmark.is_a?(Winevt::EventLog::Bookmark)
+      def subscribe(path, query, bookmark = nil, session = nil)
+        if bookmark.is_a?(Winevt::EventLog::Bookmark) &&
+           session.is_a?(Winevt::EventLog::Session)
+          subscribe_raw(path, query, bookmark.render, session)
+        elsif bookmark.is_a?(Winevt::EventLog::Bookmark)
           subscribe_raw(path, query, bookmark.render)
         else
           subscribe_raw(path, query)

data/lib/winevt/version.rb CHANGED

@@ -1,3 +1,3 @@
 module Winevt
-  VERSION = "0.8.1"
+  VERSION = "0.9.0"
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: winevt_c
 version: !ruby/object:Gem::Version
-  version: 0.8.1
+  version: 0.9.0
 platform: ruby
 authors:
 - Hiroshi Hatake
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2020-05-22 00:00:00.000000000 Z
+date: 2020-09-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -132,11 +132,13 @@ files:
 - ext/winevt/winevt_locale.c
 - ext/winevt/winevt_locale_info.c
 - ext/winevt/winevt_query.c
+- ext/winevt/winevt_session.c
 - ext/winevt/winevt_subscribe.c
 - ext/winevt/winevt_utils.cpp
 - lib/winevt.rb
 - lib/winevt/bookmark.rb
 - lib/winevt/query.rb
+- lib/winevt/session.rb
 - lib/winevt/subscribe.rb
 - lib/winevt/version.rb
 - winevt_c.gemspec