[jcifs] JCIFS and forwarded events/subscriptions
vianney
vianney+smb at gmail.com
Wed Jan 9 15:17:01 MST 2013
Hello!
So I am trying to retrieve and view events from a Windows event collector which
is subscribed to several hosts (various log types, various Windows versions,
to make things interesting) and while overall the collection works OK, there are
a few important issues impeding the process:
- Collection is based on sequential recordID (I do some additional timestamp
checks) but the recordID in that case is the one on the origin host, meaning
they're sequential only in small batches, and can be all over the place in the
event log.
Note that timestamps are a bit all over the place too, since they depend on when
each host sends its events, its exact time settings etc.
- The event log name historically is the one I'm asking for, so it's pretty easy
to know ;) but in the case of Forwarded Events this is not true anymore. In
Windows Event Viewer I can still see it listed correctly, and appearing as
"Channel" in the XML, but the JCIFS EventLogRecord instance doesn't seem to
decode that, if it's part of the input at all.
- Likewise, the OS version does not appear anywhere in the record - one could
probably infer it from the eventID for security events at least,
but for the other log types, I do not know.
Any help, insights or horror stories are welcome!
Vianney
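The first problem described above (record IDs that are only sequential per origin host, so a single global "last record ID seen" cannot be used as a cursor on the collector) is illustrated by the following added example. It is not code from the post or from jCIFS; it assumes the rendered Windows event XML schema, in which the `System` element carries `EventRecordID`, `Channel` and `Computer`, and it keeps a separate high-water mark per (origin host, channel) pair. The sample events are constructed for illustration.

```python
"""Per-origin cursors for forwarded Windows events (added example, not jCIFS code).

Assumes the standard event XML namespace and the <System> children
<EventID>, <TimeCreated>, <EventRecordID>, <Channel> and <Computer>.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _event(event_id, record_id, channel, computer, when):
    # Helper that renders one constructed event in the Windows event XML layout.
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        "<System>"
        f"<EventID>{event_id}</EventID>"
        f'<TimeCreated SystemTime="{when}"/>'
        f"<EventRecordID>{record_id}</EventRecordID>"
        f"<Channel>{channel}</Channel>"
        f"<Computer>{computer}</Computer>"
        "</System></Event>"
    )


# Constructed sample: two origin hosts, two channels, one re-sent duplicate.
# hostB's Security log is young (record 17) while hostA's is at 1050, so a
# single global record-ID cursor would wrongly treat hostB's event as "old".
SAMPLE_EVENTS = [
    _event(4624, 1050, "Security", "hostA.example.test", "2013-01-09T14:01:00Z"),
    _event(4624, 17, "Security", "hostB.example.test", "2013-01-09T13:58:30Z"),
    _event(4624, 1050, "Security", "hostA.example.test", "2013-01-09T14:01:00Z"),
    _event(7036, 3, "System", "hostA.example.test", "2013-01-09T14:02:10Z"),
]


def parse_event(xml_text):
    """Extract the routing fields the collector needs from one event's XML."""
    system = ET.fromstring(xml_text).find("e:System", NS)
    return {
        "computer": system.findtext("e:Computer", namespaces=NS),
        "channel": system.findtext("e:Channel", namespaces=NS),
        "record_id": int(system.findtext("e:EventRecordID", namespaces=NS)),
        "event_id": int(system.findtext("e:EventID", namespaces=NS)),
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
    }


def process(events, high_water=None):
    """Accept each event once per (computer, channel) using per-origin cursors.

    Returns (accepted events, updated high-water marks). A record ID that does
    not exceed the cursor for its own origin and channel is a duplicate.
    """
    high_water = dict(high_water or {})
    accepted = []
    for xml_text in events:
        ev = parse_event(xml_text)
        key = (ev["computer"], ev["channel"])
        if ev["record_id"] <= high_water.get(key, 0):
            continue  # already collected from this origin/channel
        high_water[key] = ev["record_id"]
        accepted.append(ev)
    return accepted, high_water


def dropped_by_global_cursor(events):
    """Count events a single collector-wide record-ID cursor would discard.

    Shown only to quantify the failure mode; per-origin cursors avoid it.
    """
    cursor, dropped = 0, 0
    for xml_text in events:
        rid = parse_event(xml_text)["record_id"]
        if rid <= cursor:
            dropped += 1
        else:
            cursor = rid
    return dropped


if __name__ == "__main__":
    kept, marks = process(SAMPLE_EVENTS)
    for ev in sorted(kept, key=lambda e: e["time"]):  # display order by origin time
        print(ev["time"], ev["computer"], ev["channel"], ev["record_id"], ev["event_id"])
    print("cursors:", marks)
    print("a global cursor would have dropped", dropped_by_global_cursor(SAMPLE_EVENTS))
```

With the constructed sample, the per-origin cursors accept three of the four events (rejecting only the re-sent hostA record), whereas a single global cursor would also discard hostB's record 17 and hostA's System record 3. Sorting for display by `TimeCreated` rather than by record ID sidesteps the second symptom noted in the post, that timestamps depend on each origin host's clock and forwarding delay, without trying to order across hosts by record number.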