Reading Windows Event Payload Including Complex Data
Question
In my previous question here I posted the XML I am trying to serialize. Here is another XML example:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="XXXXXXXXXX" Guid="{YYYYYYYY}" />
    <EventID>XYZ</EventID>
    <Version>0</Version>
    <Level>L</Level>
    <Task>A</Task>
    <Opcode>0</Opcode>
    <Keywords>0x000xyzh</Keywords>
    <TimeCreated SystemTime="2012-06-28T15:44:04.997837000Z" />
    <EventRecordID>153</EventRecordID>
    <Correlation ActivityID="{DDDDDDDDD}" />
    <Execution ProcessID="199999" ThreadID="90990" />
    <Channel>Microsoft-Windows-ABCDEFG/Admin</Channel>
    <Computer>myPC</Computer>
    <Security UserID="ABCABC" />
  </System>
  <EventData>
    <Data Name="name1">data1</Data>
    <Data Name="name2">data2</Data>
    <Data Name="name3">data3</Data>
    <ComplexData Name="XYZXYZ">0C004300310022002D004400460053005400450053002200310003004E0053003200230041002D00570041002D00320045004400000047006C002900620061006C0048006900670068005000720069006F007200240074006600120044006100730087000000000000000000000000000000</ComplexData>
  </EventData>
  <RenderingInfo Culture="en-US">
    <Message>some message </Message>
    <Level>Information</Level>
    <Task>XYZ</Task>
    <Opcode>Info</Opcode>
    <Channel />
    <Provider />
    <Keywords>
      <Keyword>XYZ</Keyword>
    </Keywords>
  </RenderingInfo>
</Event>
One difference is that it has ComplexData, which is a struct that defines an array of integer values (lengths of the following strings, etc.) and Unicode strings. I figured out a way to decode that string byte by byte, but I need a cleaner way to do it. If EventRecord.ToXml() is not the best way to get the event payload including complex data / structs / arrays, then what is the best way to get it? There are a lot of Windows Event related classes on MSDN and I do not know which one to use.
Thanks
Here is a sample of what I know about ComplexData:
<data
inType="win:UInt16"
name="XYZLength"
/>
<data
inType="win:UnicodeString"
length="XYZLength"
name="XYZ"
/>
Which means that the first two bytes (little-endian format) are the length of the following Unicode string, and so on. And for the ones that have no length, I need to find the null terminator, which is 16 bits of zeros (2 zero bytes).
Recommended answer
using System.Xml.Serialization;

// The event XML declares a default namespace on <Event>; without it on the
// root XmlSerializer rejects the document as an unexpected element.
[XmlRoot("Event", Namespace = "http://schemas.microsoft.com/win/2004/08/events/event")]
public class Event
{
    // <EventData> holds a mix of <Data> and <ComplexData> children;
    // each XmlArrayItem maps one child element name to its class.
    [XmlArrayItem(typeof(Data))]
    [XmlArrayItem(typeof(ComplexData))]
    public object[] EventData;
}

public class Data
{
    [XmlAttribute]
    public string Name { get; set; }
    [XmlText]
    public string Value { get; set; }
}

public class ComplexData
{
    [XmlAttribute]
    public string Name { get; set; }
    // hexBinary makes the serializer convert the hex text into raw bytes for you
    [XmlText(DataType = "hexBinary")]
    public byte[] Encoded { get; set; }
}
Please read the documentation:
- Introducing XML Serialization
- Controlling XML Serialization Using Attributes
- Examples of XML Serialization
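Putting the two halves together, as an added example that is not code from the question or the answer: the answer's classes (with the event namespace on the root) deserialize the event XML, and the resulting byte[] is then decoded with the layout the question quotes from the manifest, a win:UInt16 count followed by a win:UnicodeString of that many UTF-16 code units, then a UnicodeString with no length that ends at a 16-bit NUL. The field names XYZ and Tail, the decoder class and the sample payload are constructed for this example; the page's own ComplexData blob is anonymized, so a clean blob is built here instead.

```csharp
using System;
using System.IO;
using System.Text;
using System.Xml.Serialization;

// Added example: same class layout as the answer plus the event namespace,
// followed by a decoder for the manifest layout the question describes.
[XmlRoot("Event", Namespace = Event.Ns)]
public class Event
{
    public const string Ns = "http://schemas.microsoft.com/win/2004/08/events/event";

    [XmlArrayItem(typeof(Data))]
    [XmlArrayItem(typeof(ComplexData))]
    public object[] EventData;
}

public class Data
{
    [XmlAttribute] public string Name { get; set; }
    [XmlText] public string Value { get; set; }
}

public class ComplexData
{
    [XmlAttribute] public string Name { get; set; }
    [XmlText(DataType = "hexBinary")] public byte[] Encoded { get; set; }
}

public static class ComplexDataDecoder
{
    // win:UInt16 length + win:UnicodeString: the count is in UTF-16 code units,
    // so read count * 2 bytes. BinaryReader.ReadUInt16 is always little-endian.
    public static string ReadCountedString(BinaryReader r)
    {
        ushort count = r.ReadUInt16();
        byte[] raw = r.ReadBytes(count * 2);
        if (raw.Length != count * 2)
            throw new EndOfStreamException($"counted string needs {count * 2} bytes, got {raw.Length}");
        return Encoding.Unicode.GetString(raw);
    }

    // win:UnicodeString with no length attribute: scan for the 16-bit NUL terminator.
    public static string ReadNulTerminatedString(BinaryReader r)
    {
        var sb = new StringBuilder();
        while (true)
        {
            if (r.BaseStream.Length - r.BaseStream.Position < 2)
                throw new EndOfStreamException("NUL terminator missing");
            ushort unit = r.ReadUInt16();
            if (unit == 0) return sb.ToString();
            sb.Append((char)unit);
        }
    }
}

public static class Program
{
    // Constructed sample event. The ComplexData blob is:
    //   0500 4800 6500 6C00 6C00 6F00   -> count 5, then "Hello"
    //   5700 6F00 7200 6C00 6400 0000   -> "World" followed by the 16-bit NUL
    const string SampleEventXml =
        "<Event xmlns=\"" + Event.Ns + "\">" +
        "<System><EventID>1</EventID></System>" +
        "<EventData>" +
        "<Data Name=\"name1\">data1</Data>" +
        "<ComplexData Name=\"XYZXYZ\">0500480065006C006C006F0057006F0072006C0064000000</ComplexData>" +
        "</EventData></Event>";

    public static void Main()
    {
        var serializer = new XmlSerializer(typeof(Event));
        Event ev;
        using (var reader = new StringReader(SampleEventXml))
            ev = (Event)serializer.Deserialize(reader);

        foreach (object item in ev.EventData)
        {
            if (item is Data d)
            {
                Console.WriteLine($"{d.Name} = {d.Value}");
            }
            else if (item is ComplexData c)
            {
                using (var r = new BinaryReader(new MemoryStream(c.Encoded)))
                {
                    string xyz = ComplexDataDecoder.ReadCountedString(r);   // "Hello"
                    string tail = ComplexDataDecoder.ReadNulTerminatedString(r); // "World"
                    long left = r.BaseStream.Length - r.BaseStream.Position;
                    Console.WriteLine($"{c.Name}: XYZ=\"{xyz}\" Tail=\"{tail}\" ({left} bytes unparsed)");
                }
            }
        }
    }
}
```

Two checks worth doing against a real event before trusting a decoder like this. First, confirm the unit of the length field: in the blob posted in the question the first UInt16 is 0x000C and exactly 12 UTF-16 code units follow before the next count (0x0003, followed by N, S, 2), so the manifest length counts characters, not bytes, which is why the reader multiplies by two. Second, report how many bytes remain unparsed after the last field; trailing padding is normal, but a large remainder usually means a field order or type in the manifest was misread. If you already hold an EventRecord from System.Diagnostics.Eventing.Reader, its Properties collection exposes the same payload as typed values and is worth checking before round-tripping through ToXml() at all.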