EventLog patche question

> Hi all,
>
>
>
> I seen on the patches directory that there is a new class called eventlog.
> I recompile the project in order to use this class and it seems to work.
>
>
>
> However, now I would like to use it in my test program in order to access
> the eventlog of a remote machine. Does someone have an idea about how to do
> it?! As there is yet no docs available I would appreciate if you  have
> already figure out this problem  to share it J
>
>
>
> Previously I was trying that to access the eventlog pipe like this (without
> success).
>
>
>
>         NtlmPasswordAuthentication auth = new
> NtlmPasswordAuthentication("TESTS;administrator:admin");
>
>
>
>
>
>         SmbNamedPipe pipe = new SmbNamedPipe(
> "smb://10.192.10.10/IPC$/EVENTLOG",
>
>               SmbNamedPipe.PIPE_TYPE_RDWR | SmbNamedPipe.PIPE_TYPE_TRANSACT
> , auth );
>
>         OutputStream out = pipe.getNamedPipeOutputStream();
>
>         InputStream in = pipe.getNamedPipeInputStream();
>
>
>
> What would be the new way accessing the eventlog now with the new classes?

> The question was more related to the eventlog class that has been created in
> the patch directory. Do you have any information about how to use it?
>
> 2009/9/19 Michael B Allen <ioplex@...>
>>
>> On Sat, Sep 19, 2009 at 7:47 AM, Raffael Maio <raffael.maio@...>
>> wrote:
>> > Hi all,
>> >
>> >
>> >
>> > I seen on the patches directory that there is a new class called
>> > eventlog.
>> > I recompile the project in order to use this class and it seems to work.
>> >
>> >
>> >
>> > However, now I would like to use it in my test program in order to
>> > access
>> > the eventlog of a remote machine. Does someone have an idea about how to
>> > do
>> > it?! As there is yet no docs available I would appreciate if you  have
>> > already figure out this problem  to share it J
>> >
>> >
>> >
>> > Previously I was trying that to access the eventlog pipe like this
>> > (without
>> > success).
>> >
>> >
>> >
>> >         NtlmPasswordAuthentication auth = new
>> > NtlmPasswordAuthentication("TESTS;administrator:admin");
>> >
>> >
>> >
>> >
>> >
>> >         SmbNamedPipe pipe = new SmbNamedPipe(
>> > "smb://10.192.10.10/IPC$/EVENTLOG",
>> >
>> >               SmbNamedPipe.PIPE_TYPE_RDWR |
>> > SmbNamedPipe.PIPE_TYPE_TRANSACT
>> > , auth );
>> >
>> >         OutputStream out = pipe.getNamedPipeOutputStream();
>> >
>> >         InputStream in = pipe.getNamedPipeInputStream();
>> >
>> >
>> >
>> > What would be the new way accessing the eventlog now with the new
>> > classes?
>>
>> Get WireShark, capture the transaction and see if it decodes the
>> response. Then you can write some code to pick apart the entries.
>>
>> Mike
>>
>> --
>> Michael B Allen
>> Java Active Directory Integration
>> http://www.ioplex.com/
>
>

> the patch directory. Do you have any information about how to use it?
>
> 2009/9/19 Michael B Allen <ioplex@...>
>>
>> On Sat, Sep 19, 2009 at 7:47 AM, Raffael Maio <raffael.maio@...>
>> wrote:
>> > Hi all,
>> >
>> >
>> >
>> > I seen on the patches directory that there is a new class called
>> > eventlog.
>> > I recompile the project in order to use this class and it seems to

>> > do
>> > it?! As there is yet no docs available I would appreciate if you  have
>> > already figure out this problem  to share it J
>> >
>> >
>> >
>> > Previously I was trying that to access the eventlog pipe like this
>> > (without
>> > success).
>> >
>> >
>> >
>> >         NtlmPasswordAuthentication auth = new
>> > NtlmPasswordAuthentication("TESTS;administrator:admin");
>> >
>> >
>> >
>> >
>> >
>> >         SmbNamedPipe pipe = new SmbNamedPipe(
>> > "smb://10.192.10.10/IPC$/EVENTLOG",
>> >
>> >               SmbNamedPipe.PIPE_TYPE_RDWR |
>> > SmbNamedPipe.PIPE_TYPE_TRANSACT
>> > , auth );
>> >
>> >         OutputStream out = pipe.getNamedPipeOutputStream();
>> >
>> >         InputStream in = pipe.getNamedPipeInputStream();
>> >
>> >
>> >
>> > What would be the new way accessing the eventlog now with the new
>> > classes?
>>
>> Get WireShark, capture the transaction and see if it decodes the
>> response. Then you can write some code to pick apart the entries.
>>
>> Mike
>>
>> --
>> Michael B Allen
>> Java Active Directory Integration
>> http://www.ioplex.com/
>
>

> Do you have an idea about who did the patch and who would be able to provide
> some docs about this new class?
>
> -----Original Message-----
> From: Michael B Allen [mailto:ioplex@...]
> Sent: samedi, 19. septembre 2009 22:48
> To: Raffael Maio
> Cc: jcifs@...
> Subject: Re: [jcifs] EventLog patche question
>
> Oh. No. I have not looked at it since the day I placed it in the
> patches directory.
>
> On Sat, Sep 19, 2009 at 12:39 PM, Raffael Maio <raffael.maio@...>
> wrote:
>> The question was more related to the eventlog class that has been created
> in
>> the patch directory. Do you have any information about how to use it?
>>
>> 2009/9/19 Michael B Allen <ioplex@...>
>>>
>>> On Sat, Sep 19, 2009 at 7:47 AM, Raffael Maio <raffael.maio@...>
>>> wrote:
>>> > Hi all,
>>> >
>>> >
>>> >
>>> > I seen on the patches directory that there is a new class called
>>> > eventlog.
>>> > I recompile the project in order to use this class and it seems to
> work.
>>> >
>>> >
>>> >
>>> > However, now I would like to use it in my test program in order to
>>> > access
>>> > the eventlog of a remote machine. Does someone have an idea about how
> to
>>> > do
>>> > it?! As there is yet no docs available I would appreciate if you  have
>>> > already figure out this problem  to share it J
>>> >
>>> >
>>> >
>>> > Previously I was trying that to access the eventlog pipe like this
>>> > (without
>>> > success).
>>> >
>>> >
>>> >
>>> >         NtlmPasswordAuthentication auth = new
>>> > NtlmPasswordAuthentication("TESTS;administrator:admin");
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >         SmbNamedPipe pipe = new SmbNamedPipe(
>>> > "smb://10.192.10.10/IPC$/EVENTLOG",
>>> >
>>> >               SmbNamedPipe.PIPE_TYPE_RDWR |
>>> > SmbNamedPipe.PIPE_TYPE_TRANSACT
>>> > , auth );
>>> >
>>> >         OutputStream out = pipe.getNamedPipeOutputStream();
>>> >
>>> >         InputStream in = pipe.getNamedPipeInputStream();
>>> >
>>> >
>>> >
>>> > What would be the new way accessing the eventlog now with the new
>>> > classes?
>>>
>>> Get WireShark, capture the transaction and see if it decodes the
>>> response. Then you can write some code to pick apart the entries.
>>>
>>> Mike
>>>
>>> --
>>> Michael B Allen
>>> Java Active Directory Integration
>>> http://www.ioplex.com/
>>
>>
>
>
>
> --
> Michael B Allen
> Java Active Directory Integration
> http://www.ioplex.com/
>
>

> some docs about this new class?
>
> -----Original Message-----
> From: Michael B Allen [mailto:ioplex@...]
> Sent: samedi, 19. septembre 2009 22:48
> To: Raffael Maio
> Cc: jcifs@...
> Subject: Re: [jcifs] EventLog patche question
>
> Oh. No. I have not looked at it since the day I placed it in the
> patches directory.
>
> On Sat, Sep 19, 2009 at 12:39 PM, Raffael Maio <raffael.maio@...>
> wrote:
>> The question was more related to the eventlog class that has been created
> in
>> the patch directory. Do you have any information about how to use it?
>>
>> 2009/9/19 Michael B Allen <ioplex@...>
>>>
>>> On Sat, Sep 19, 2009 at 7:47 AM, Raffael Maio <raffael.maio@...>
>>> wrote:
>>> > Hi all,
>>> >
>>> >
>>> >
>>> > I seen on the patches directory that there is a new class called
>>> > eventlog.
>>> > I recompile the project in order to use this class and it seems to
> work.
>>> >
>>> >
>>> >
>>> > However, now I would like to use it in my test program in order to
>>> > access
>>> > the eventlog of a remote machine. Does someone have an idea about how
> to
>>> > do
>>> > it?! As there is yet no docs available I would appreciate if you  have
>>> > already figure out this problem  to share it J
>>> >
>>> >
>>> >
>>> > Previously I was trying that to access the eventlog pipe like this
>>> > (without
>>> > success).
>>> >
>>> >
>>> >
>>> >         NtlmPasswordAuthentication auth = new
>>> > NtlmPasswordAuthentication("TESTS;administrator:admin");
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >         SmbNamedPipe pipe = new SmbNamedPipe(
>>> > "smb://10.192.10.10/IPC$/EVENTLOG",
>>> >
>>> >               SmbNamedPipe.PIPE_TYPE_RDWR |
>>> > SmbNamedPipe.PIPE_TYPE_TRANSACT
>>> > , auth );
>>> >
>>> >         OutputStream out = pipe.getNamedPipeOutputStream();
>>> >
>>> >         InputStream in = pipe.getNamedPipeInputStream();
>>> >
>>> >
>>> >
>>> > What would be the new way accessing the eventlog now with the new
>>> > classes?
>>>
>>> Get WireShark, capture the transaction and see if it decodes the
>>> response. Then you can write some code to pick apart the entries.
>>>
>>> Mike
>>>
>>> --
>>> Michael B Allen
>>> Java Active Directory Integration
>>> http://www.ioplex.com/
>>
>>
>
>
>
> --
> Michael B Allen
> Java Active Directory Integration
> http://www.ioplex.com/
>
>

> Hi again,
>
> Thanks for your suggestion. However, I'm still stuck with it ;( Indeed, I
> try to look up in the code of  jcifs.smb.SID.getServerSid() but everything
> becomes difficult without any api around ;(
>
> So I try the following code to send a message. But now, my question is about
> how to retrieve the answer of the DcerpcHandle after sending something?!?
>
>       DcerpcHandle handle = null;
>        LsaPolicyHandle policyHandle = null;
>        //MsrpcQueryInformationPolicy rpc;
>        lsarpc.LsarDomainInfo info = new lsarpc.LsarDomainInfo();
>
>        handle = DcerpcHandle.getHandle("ncacn_np:10.192.57.120"+
> "[\\PIPE\\EVENTLOG]", auth);
>
>
>        String s = "Application";
>        NdrBuffer buffer = new NdrBuffer(s.getBytes(),0);
>
>        String s1 = "10.192.57.120";
>        NdrBuffer buffer2 = new NdrBuffer(s1.getBytes(),0);
>
>        rpc.unicode_string logname = new rpc.unicode_string();
>        logname.encode(buffer);
>        rpc.unicode_string server = new rpc.unicode_string();
>        server.encode(buffer2);
>
>
>        eventlog.EventLogOpenEventLog event = new
> eventlog.EventLogOpenEventLog(logname,server);
>         handle.sendrecv(event);
>
> -----Original Message-----
> From: Michael B Allen [mailto:ioplex@...]
> Sent: dimanche, 20. septembre 2009 16:50
> To: Raffael Maio
> Cc: jcifs@...
> Subject: Re: [jcifs] EventLog patche question
>
> No, but search the archives. I'm pretty sure it was just something
> someone posted to the list. The date in the patch looks like
> 2007-03-20.
>
> I just looked at the patch. Two notes:
>
> 1. It's all DCERPC. This is good because all the decoding and encoding
> stuff is done for you and the DCERPC layer is very easy and clean in
> JCIFS. You just need to create an instance of each type of call (like
> new eventlog.EventLogOpenEventLog(logname, servername)) and then run
> it with DcerpcHandle.sendrecv. There are lots of examples of this in
> the JCIFS code. The jcifs.smb.SID.getServerSid() method is probably a
> good simple example of how to use the JCIFS DCERPC layer.
>
> 2. String handling is wrong. I don't know what type of strings the
> eventlog IDL uses but the patch modifies UnicodeString handling to
> compensate which is wrong and dangerous because it could effect other
> DCERPC code that uses UnicodeString. To fix this you would need to
> figure out how strings are handled properly with the eventlog
> interface, adjust the IDL, recompile the stub with midlc and adjust
> the code as necessary. Look at the Windows Server Protocol documents
> now available from Microsoft's website. There's probably a document
> about the eventlog interface with proper IDL. That IDL will show you
> how strings are supposed to be handled.
>
> Mike
>
> On Sun, Sep 20, 2009 at 9:14 AM, Raffael Maio <raffael.maio@...>
> wrote:
>> Do you have an idea about who did the patch and who would be able to
> provide
>> some docs about this new class?
>>
>> -----Original Message-----
>> From: Michael B Allen [mailto:ioplex@...]
>> Sent: samedi, 19. septembre 2009 22:48
>> To: Raffael Maio
>> Cc: jcifs@...
>> Subject: Re: [jcifs] EventLog patche question
>>
>> Oh. No. I have not looked at it since the day I placed it in the
>> patches directory.
>>
>> On Sat, Sep 19, 2009 at 12:39 PM, Raffael Maio <raffael.maio@...>
>> wrote:
>>> The question was more related to the eventlog class that has been created
>> in
>>> the patch directory. Do you have any information about how to use it?
>>>
>>> 2009/9/19 Michael B Allen <ioplex@...>
>>>>
>>>> On Sat, Sep 19, 2009 at 7:47 AM, Raffael Maio <raffael.maio@...>
>>>> wrote:
>>>> > Hi all,
>>>> >
>>>> >
>>>> >
>>>> > I seen on the patches directory that there is a new class called
>>>> > eventlog.
>>>> > I recompile the project in order to use this class and it seems to
>> work.
>>>> >
>>>> >
>>>> >
>>>> > However, now I would like to use it in my test program in order to
>>>> > access
>>>> > the eventlog of a remote machine. Does someone have an idea about how
>> to
>>>> > do
>>>> > it?! As there is yet no docs available I would appreciate if you  have
>>>> > already figure out this problem  to share it J
>>>> >
>>>> >
>>>> >
>>>> > Previously I was trying that to access the eventlog pipe like this
>>>> > (without
>>>> > success).
>>>> >
>>>> >
>>>> >
>>>> >         NtlmPasswordAuthentication auth = new
>>>> > NtlmPasswordAuthentication("TESTS;administrator:admin");
>>>> >
>>>> >
>>>> >
>>>> >
>>>> >
>>>> >         SmbNamedPipe pipe = new SmbNamedPipe(
>>>> > "smb://10.192.10.10/IPC$/EVENTLOG",
>>>> >
>>>> >               SmbNamedPipe.PIPE_TYPE_RDWR |
>>>> > SmbNamedPipe.PIPE_TYPE_TRANSACT
>>>> > , auth );
>>>> >
>>>> >         OutputStream out = pipe.getNamedPipeOutputStream();
>>>> >
>>>> >         InputStream in = pipe.getNamedPipeInputStream();
>>>> >
>>>> >
>>>> >
>>>> > What would be the new way accessing the eventlog now with the new
>>>> > classes?
>>>>
>>>> Get WireShark, capture the transaction and see if it decodes the
>>>> response. Then you can write some code to pick apart the entries.
>>>>
>>>> Mike
>>>>
>>>> --
>>>> Michael B Allen
>>>> Java Active Directory Integration
>>>> http://www.ioplex.com/
>>>
>>>
>>
>>
>>
>> --
>> Michael B Allen
>> Java Active Directory Integration
>> http://www.ioplex.com/
>>
>>
>
>
>
> --
> Michael B Allen
> Java Active Directory Integration
> http://www.ioplex.com/
>
>

> Hi all,
>
> What does this exception mean when the policyHandle is going to be
> initialized?
>
>
> Exception in thread "main" jcifs.dcerpc.DcerpcException:
> DCERPC_FAULT_OP_RNG_ERROR
>        at jcifs.dcerpc.DcerpcMessage.getResult(DcerpcMessage.java:45)
>        at jcifs.dcerpc.DcerpcHandle.sendrecv(DcerpcHandle.java:242)
>        at
> jcifs.dcerpc.msrpc.LsaPolicyHandle.<init>(LsaPolicyHandle.java:34)
>        at CallNamedPipe.main(CallNamedPipe.java:111)
>
> Regards,
>
> Raffael
>
>

> Question in the example CallNamedPipe, if I change the type of Call to
> transact, I get an timeout waiting respose. Does anyone experience the same
> problem?
>
>
> Exception in thread "main" jcifs.smb.SmbException:
> Transport1[netguard-gevo/192.168.0.103:445] timedout waiting for response to
> TransTransactNamedPipe[command=SMB_COM_TRANSACTION,received=false,errorCode=
> 0,flags=0x0018,flags2=0xC803,signSeq=0,tid=20484,pid=43182,uid=45058,mid=6,w
> ordCount=16,byteCount=39,totalParameterCount=0,totalDataCount=24,maxParamete
> rCount=0,maxDataCount=65535,maxSetupCount=0,flags=0x00,timeout=0,parameterCo
> unt=0,parameterOffset=82,parameterDisplacement=0,dataCount=24,dataOffset=82,
> dataDisplacement=0,setupCount=2,pad=0,pad1=0,pipeFid=12]
> jcifs.util.transport.TransportException:
> Transport1[netguard-gevo/192.168.0.103:445] timedout waiting for response to
> TransTransactNamedPipe[command=SMB_COM_TRANSACTION,received=false,errorCode=
> 0,flags=0x0018,flags2=0xC803,signSeq=0,tid=20484,pid=43182,uid=45058,mid=6,w
> ordCount=16,byteCount=39,totalParameterCount=0,totalDataCount=24,maxParamete
> rCount=0,maxDataCount=65535,maxSetupCount=0,flags=0x00,timeout=0,parameterCo
> unt=0,parameterOffset=82,parameterDisplacement=0,dataCount=24,dataOffset=82,
> dataDisplacement=0,setupCount=2,pad=0,pad1=0,pipeFid=12]
>        at jcifs.smb.SmbTransport.send(SmbTransport.java:613)
>        at jcifs.smb.SmbSession.send(SmbSession.java:224)
>        at jcifs.smb.SmbTree.send(SmbTree.java:111)
>        at jcifs.smb.SmbFile.send(SmbFile.java:770)
>        at
> jcifs.smb.TransactNamedPipeOutputStream.write(TransactNamedPipeOutputStream.
> java:65)
>        at CallNamedPipe.main(CallNamedPipe.java:72)
>
>