From cb0708be257359b62176f49be6575dddf43021d4 Mon Sep 17 00:00:00 2001
From: Jeremy Rossi
Date: Sun, 18 May 2014 14:39:35 +0000
Subject: [PATCH] bug fix of eventchannel timestamp
---
 src/logcollector/read_win_event_channel.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/src/logcollector/read_win_event_channel.c b/src/logcollector/read_win_event_channel.c
index 6df7e6fd5..696ee6e8a 100644
--- a/src/logcollector/read_win_event_channel.c
+++ b/src/logcollector/read_win_event_channel.c
@@ -172,7 +172,12 @@ char *WinEvtTimeToString(ULONGLONG ulongTime)
 FILETIME fTime, lfTime;
 ULARGE_INTEGER ulargeTime;
 struct tm tm_struct;
- char result[80] = "";
+ char *result;
+
+ if (NULL == (result = malloc(80))) {
+ merror("%s: Not enough memory, could not process convert Timestanp", ARGV0);
+ return NULL;
+ }
 memset(&tm_struct, 0, sizeof(tm_struct));
@@ -226,6 +231,7 @@ void send_channel_event(EVT_HANDLE evt, os_channel *channel)
 EVT_HANDLE context = NULL;
 os_event event;
 char final_msg[OS_MAXSTR];
+ char *timestamp;
 context = EvtCreateRenderContext(count, properties, EvtRenderContextValues);
@@ -248,8 +254,9 @@ void send_channel_event(EVT_HANDLE evt, os_channel *channel)
 get_username_and_domain(&event);
 get_messages(&event, evt, properties_values[5].StringVal);
+ timestamp = WinEvtTimeToString(event.time_created);
 snprintf(final_msg, OS_MAXSTR, "%s WinEvtLog: %s: %s(%d): %s: %s: %s: %s: %s",
- WinEvtTimeToString(event.time_created),
+ timestamp,
 event.name,
 event.level && strlen(event.level) ? event.level : "UNKNOWN",
 event.id,
@@ -259,6 +266,8 @@ void send_channel_event(EVT_HANDLE evt, os_channel *channel)
 event.computer && strlen(event.computer) ? event.computer : "no computer",
 event.message && strlen(event.message) ? event.message : "no message");
+ free(timestamp);
+
 if(SendMSG(logr_queue, final_msg, "WinEvtLog", LOCALFILE_MQ) < 0) {
 merror(QUEUE_SEND, ARGV0);
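Review bot: Moving `result` from a stack array (which the old code returned a dangling pointer to) onto the heap changes the function's contract — the caller now owns the 80-byte buffer and must free it, and every exit path in the rest of WinEvtTimeToString that lies outside this hunk must either return `result` or `free(result)` before returning NULL, otherwise the heap version leaks where the stack version could not. That ownership should be stated on the function so other callers in the file (not visible here) are not left leaking: `/* Returns a malloc'd string the caller must free(), or NULL on allocation failure. */`. The new error message also has typos and reads awkwardly; `merror("%s: Not enough memory, could not convert timestamp", ARGV0);` says the same thing. Finally, `malloc(80)` is a magic number that presumably has to agree with the size used by the formatting call later in the function; a shared named constant would keep the two from drifting apart. The function's body continues outside the hunk.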
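Review bot: `timestamp` is passed to `%s` unguarded at the `+ timestamp,` line, but the same commit makes WinEvtTimeToString return NULL on allocation failure, so under memory pressure snprintf is handed a NULL string pointer — undefined behavior in C, and on the Windows CRT this code targets it is a crash in the log collector rather than the "(null)" glibc happens to print. Every other field in this snprintf already has a null guard, so the timestamp should follow the same pattern: `timestamp ? timestamp : "no timestamp",`. The later `free(timestamp)` is already NULL-safe, so no other change is needed for that path. send_channel_event's body starts and ends outside this hunk.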