Monitor System DNS client queries

systemdns/dnsevtlog/events.go

@@ -0,0 +1,139 @@
+//go:build windows
+// +build windows
+
+package dnsevtlog
+
+// This code is copied from Promtail v1.6.2-0.20231004111112-07cbef92268a with minor changes.
+
+import (
+ "fmt"
+ "sync"
+ "time"
+
+ "golang.org/x/sys/windows"
+
+ "github.com/safing/portbase/log"
+ "github.com/safing/portmaster/systemdns/dnsevtlog/win_eventlog"
+)
+
+type Subscription struct {
+ subscription win_eventlog.EvtHandle
+ fetcher *win_eventlog.EventFetcher
+
+ eventLogName string
+ eventLogQuery string
+
+ ready bool
+ done chan struct{}
+ wg sync.WaitGroup
+ err error
+}
+
+// NewSubscription create a new windows event subscriptions.
+func NewSubscription() (*Subscription, error) {
+ sigEvent, err := windows.CreateEvent(nil, 0, 0, nil)
+ if err != nil {
+ return nil, err
+ }
+ defer windows.CloseHandle(sigEvent)
+
+ t := &Subscription{
+ eventLogName: "Microsoft-Windows-DNS-Client/Operational",
+ eventLogQuery: "*",
+ done: make(chan struct{}),
+ fetcher: win_eventlog.NewEventFetcher(),
+ }
+
+ subsHandle, err := win_eventlog.EvtSubscribe(t.eventLogName, t.eventLogQuery)
+ if err != nil {
+ return nil, fmt.Errorf("error subscribing to windows events: %w", err)
+ }
+ t.subscription = subsHandle
+
+ return t, nil
+}
+
+// loop fetches new events and send them to via the Loki client.
+func (t *Subscription) ReadWorker() {
+ t.ready = true
+ t.wg.Add(1)
+ interval := time.NewTicker(time.Second)
+ defer func() {
+ t.ready = false
+ t.wg.Done()
+ interval.Stop()
+ }()
+
+ for {
+
+ loop:
+ for {
+ // fetch events until there's no more.
+ events, handles, err := t.fetcher.FetchEvents(t.subscription, 1033) // 1033: English
+ if err != nil {
+ if err != win_eventlog.ERROR_NO_MORE_ITEMS {
+ t.err = err
+ log.Warningf("dns event log: failed to fetch events: %s", err)
+ } else {
+ log.Debug("dns event log: no more entries")
+ }
+ break loop
+ }
+ t.err = nil
+ // we have received events to handle.
+ for _, entry := range events {
+ log.Debugf("dns event log: %+v", entry)
+ }
+ win_eventlog.Close(handles)
+ }
+ // no more messages we wait for next poll timer tick.
+ select {
+ case <-t.done:
+ return
+ case <-interval.C:
+ }
+ }
+}
+
+// renderEntries renders Loki entries from windows event logs
+// func (t *Subscription) renderEntries(events []win_eventlog.Event) []api.Entry {
+// res := make([]api.Entry, 0, len(events))
+// lbs := labels.NewBuilder(nil)
+// for _, event := range events {
+// entry := api.Entry{
+// Labels: make(model.LabelSet),
+// }
+
+// entry.Timestamp = time.Now()
+// if t.cfg.UseIncomingTimestamp {
+// timeStamp, err := time.Parse(time.RFC3339Nano, fmt.Sprintf("%v", event.TimeCreated.SystemTime))
+// if err != nil {
+// level.Warn(t.logger).Log("msg", "error parsing timestamp", "err", err)
+// } else {
+// entry.Timestamp = timeStamp
+// }
+// }
+
+// for _, lbl := range processed {
+// if strings.HasPrefix(lbl.Name, "__") {
+// continue
+// }
+// entry.Labels[model.LabelName(lbl.Name)] = model.LabelValue(lbl.Value)
+// }
+
+// line, err := formatLine(t.cfg, event)
+// if err != nil {
+// level.Warn(t.logger).Log("msg", "error formatting event", "err", err)
+// continue
+// }
+// entry.Line = line
+// res = append(res, entry)
+// }
+// return res
+// }
+
+func (t *Subscription) Stop() error {
+ close(t.done)
+ t.wg.Wait()
+ return t.err
+}

systemdns/dnsevtlog/testevtlog/main.go

@@ -0,0 +1,26 @@
+package main
+
+import (
+ "fmt"
+ "os"
+
+ "github.com/safing/portbase/log"
+ "github.com/safing/portmaster/systemdns/dnsevtlog"
+)
+
+func main() {
+ log.SetLogLevel(log.DebugLevel)
+ err := log.Start()
+ if err != nil {
+ fmt.Print(err)
+ os.Exit(1)
+ }
+
+ sub, err := dnsevtlog.NewSubscription()
+ if err != nil {
+ fmt.Print(err)
+ os.Exit(1)
+ }
+
+ sub.ReadWorker()
+}

systemdns/dnsevtlog/win_eventlog/LICENSE

@@ -0,0 +1,22 @@
+
+The MIT License (MIT)
+
+Copyright (c) 2015-2020 InfluxData Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

systemdns/dnsevtlog/win_eventlog/README.md

@@ -0,0 +1,6 @@
+# Windows Event Log
+
+This is a fork of https://github.com/influxdata/telegraf/tree/master/plugins/inputs/win_eventlog to re-use most of the syscall implementation for the eventlog.
+
+It is simplified in order to just subscribe to events.
+

systemdns/dnsevtlog/win_eventlog/event.go

@@ -0,0 +1,94 @@
+// The MIT License (MIT)
+
+// Copyright (c) 2015-2020 InfluxData Inc.
+
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+
+// The above copyright notice and this permission notice shall be included in all
+// copies or substantial portions of the Software.
+
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+// SOFTWARE.
+
+//go:build windows
+// +build windows
+
+// Package win_eventlog Input plugin to collect Windows Event Log messages
+//
+//revive:disable-next-line:var-naming
+package win_eventlog
+
+// Event is the event entry representation
+// Only the most common elements are processed, human-readable data is rendered in Message
+// More info on schema, if there will be need to add more:
+// https://docs.microsoft.com/en-us/windows/win32/wes/eventschema-elements
+type Event struct {
+ Source Provider `xml:"System>Provider"`
+ EventID int `xml:"System>EventID"`
+ Version int `xml:"System>Version"`
+ Level int `xml:"System>Level"`
+ Task int `xml:"System>Task"`
+ Opcode int `xml:"System>Opcode"`
+ Keywords string `xml:"System>Keywords"`
+ TimeCreated TimeCreated `xml:"System>TimeCreated"`
+ EventRecordID int `xml:"System>EventRecordID"`
+ Correlation Correlation `xml:"System>Correlation"`
+ Execution Execution `xml:"System>Execution"`
+ Channel string `xml:"System>Channel"`
+ Computer string `xml:"System>Computer"`
+ Security Security `xml:"System>Security"`
+ UserData UserData `xml:"UserData"`
+ EventData EventData `xml:"EventData"`
+ Message string
+ LevelText string
+ TaskText string
+ OpcodeText string
+}
+
+// UserData Application-provided XML data
+type UserData struct {
+ InnerXML []byte `xml:",innerxml"`
+}
+
+// EventData Application-provided XML data
+type EventData struct {
+ InnerXML []byte `xml:",innerxml"`
+}
+
+// Provider is the Event provider information
+type Provider struct {
+ Name string `xml:"Name,attr"`
+}
+
+// Correlation is used for the event grouping
+type Correlation struct {
+ ActivityID string `xml:"ActivityID,attr"`
+ RelatedActivityID string `xml:"RelatedActivityID,attr"`
+}
+
+// Execution Info for Event
+type Execution struct {
+ ProcessID uint32 `xml:"ProcessID,attr"`
+ ThreadID uint32 `xml:"ThreadID,attr"`
+ ProcessName string
+}
+
+// Security Data for Event
+type Security struct {
+ UserID string `xml:"UserID,attr"`
+}
+
+// TimeCreated field for Event
+type TimeCreated struct {
+ SystemTime string `xml:"SystemTime,attr"`
+}

systemdns/dnsevtlog/win_eventlog/syscall_windows.go

@@ -0,0 +1,67 @@
+// The MIT License (MIT)
+
+// Copyright (c) 2015-2020 InfluxData Inc.
+
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+
+// The above copyright notice and this permission notice shall be included in all
+// copies or substantial portions of the Software.
+
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+// SOFTWARE.
+//go:build windows
+// +build windows
+
+// Package win_eventlog Input plugin to collect Windows Event Log messages
+//
+//revive:disable-next-line:var-naming
+package win_eventlog
+
+import (
+ "syscall"
+)
+
+// Event log error codes.
+// https://msdn.microsoft.com/en-us/library/windows/desktop/ms681382(v=vs.85).aspx
+const (
+ //revive:disable:var-naming
+ ERROR_INSUFFICIENT_BUFFER syscall.Errno = 122
+ ERROR_NO_MORE_ITEMS syscall.Errno = 259
+ ERROR_INVALID_OPERATION syscall.Errno = 4317
+ //revive:enable:var-naming
+)
+
+// EvtSubscribeFlag defines the possible values that specify when to start subscribing to events.
+type EvtSubscribeFlag uint32
+
+// EVT_SUBSCRIBE_FLAGS enumeration
+// https://msdn.microsoft.com/en-us/library/windows/desktop/aa385588(v=vs.85).aspx
+const (
+ EvtSubscribeToFutureEvents EvtSubscribeFlag = 1
+ EvtSubscribeStartAtOldestRecord EvtSubscribeFlag = 2
+ EvtSubscribeStartAfterBookmark EvtSubscribeFlag = 3
+)
+
+// EvtRenderFlag uint32
+type EvtRenderFlag uint32
+
+// EVT_RENDER_FLAGS enumeration
+// https://msdn.microsoft.com/en-us/library/windows/desktop/aa385563(v=vs.85).aspx
+const (
+ //revive:disable:var-naming
+ // Render the event as an XML string. For details on the contents of the
+ // XML string, see the Event schema.
+ EvtRenderEventXml EvtRenderFlag = 1
+ //revive:enable:var-naming
+ EvtRenderBookmark EvtRenderFlag = 2
+)