From: GitBox
To: issues@nifi.apache.org
Reply-To: dev@nifi.apache.org
Subject: [GitHub] [nifi-minifi-cpp] am-c-p-p commented on a change in pull request #728: MINIFICPP-1147 Implemented.
Message-ID: <158102947387.468.7147317765704338211.gitbox@gitbox.apache.org>
Date: Thu, 06 Feb 2020 22:51:13 -0000

am-c-p-p commented on a change in pull request #728: MINIFICPP-1147 Implemented.
URL: https://github.com/apache/nifi-minifi-cpp/pull/728#discussion_r376126552

##########
File path: extensions/windows-event-log/ConsumeWindowsEventLog.cpp
##########
@@ -286,6 +301,103 @@ wel::WindowsEventLogHandler ConsumeWindowsEventLog::getEventLogHandler(const std return providers_[name]; } + +// !!! Used a non-documented approach to resolve `%%` in XML via C:\Windows\System32\MsObjs.dll. +// Links which mention this approach: +// https://social.technet.microsoft.com/Forums/Windows/en-US/340632d1-60f0-4cc5-ad6f-f8c841107d0d/translate-value-1833quot-on-impersonationlevel-and-similar-values?forum=winservergen +// https://github.com/libyal/libevtx/blob/master/documentation/Windows%20XML%20Event%20Log%20(EVTX).asciidoc +// https://stackoverflow.com/questions/33498244/marshaling-a-message-table-resource +// +// Traverse xml and check each node, if it starts with '%%' and contains only digits, use it as key to lookup value in C:\Windows\System32\MsObjs.dll. +void ConsumeWindowsEventLog::substituteXMLPercentageItems(pugi::xml_document& doc) { + if (!hMsobjsDll_) { + return; + } + + struct TreeWalker: public pugi::xml_tree_walker { + TreeWalker(HMODULE hMsobjsDll, std::unordered_map& xmlPercentageItemsResolutions, std::shared_ptr logger) + : hMsobjsDll_(hMsobjsDll), xmlPercentageItemsResolutions_(xmlPercentageItemsResolutions), logger_(logger) { + } + + bool for_each(pugi::xml_node& node) override { + const std::string& nodeText = node.text().get(); + + auto beginNumberPos = nodeText.find("%%", 0); Review comment: %% might be anywhere in the text, for instance https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662 `Properties` in Event XML. ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: users@infra.apache.org With regards, Apache Git Services
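Review bot: the header comment above `substituteXMLPercentageItems` says a node is handled only "if it starts with '%%' and contains only digits", but `for_each` uses `nodeText.find("%%", 0)`, which matches `%%` at any position in the text, and the author's reply in this thread confirms that is the intent (the token can sit anywhere, for example inside `Properties` of event 4662); update the comment to state the actual rule, including how text before and after the token is preserved and how several tokens in one node are treated. Two smaller points in the same lines: `const std::string& nodeText = node.text().get();` binds a const reference to a temporary built from the returned `const char*` (legal because of lifetime extension, but it reads as if no copy were made; a plain `const std::string nodeText` is clearer), and the early `return` when `hMsobjsDll_` is null silently leaves every `%%NNNN` placeholder untranslated, which deserves at least a debug-level log line so operators can tell why event text was not resolved.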