wineventlog

package
v1.1.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 2, 2016 License: Apache-2.0 Imports: 2 Imported by: 0

Documentation

Overview

Package wineventlog provides access to the Windows Event Log API used in all versions of Windows since Vista (i.e. Windows 7+ and Windows Server 2008+). This is distinct from the Event Logging API that was used in Windows XP, Windows Server 2003, and Windows 2000.

Index

Constants

View Source 
const (
	ERROR_INSUFFICIENT_BUFFER             syscall.Errno = 122
	ERROR_NO_MORE_ITEMS                   syscall.Errno = 259
	ERROR_NONE_MAPPED                     syscall.Errno = 1332
	ERROR_INVALID_OPERATION               syscall.Errno = 4317
	ERROR_EVT_MESSAGE_NOT_FOUND           syscall.Errno = 15027
	ERROR_EVT_MESSAGE_ID_NOT_FOUND        syscall.Errno = 15028
	ERROR_EVT_UNRESOLVED_VALUE_INSERT     syscall.Errno = 15029
	ERROR_EVT_UNRESOLVED_PARAMETER_INSERT syscall.Errno = 15030
)

Event log error codes. https://msdn.microsoft.com/en-us/library/windows/desktop/ms681382(v=vs.85).aspx

Variables

View Source 
var (
	// ErrorEvtVarTypeNull is an error that means the content of the EVT_VARIANT
	// data is null.
	ErrorEvtVarTypeNull = errors.New("Null EVT_VARIANT data")
)

Errors

Functions

func Channels 

func Channels() ([]string, error)

Channels returns a list of channels that are registered on the computer.

func Close 

func Close(h EvtHandle) error

Close closes an EvtHandle.

func FormatEventString 

func FormatEventString(
	messageFlag EvtFormatMessageFlag,
	eventHandle EvtHandle,
	publisher string,
	publisherHandle EvtHandle,
	lang uint32,
	buffer []byte,
) ([]string, error)

FormatEventString formats part of the event as a string. messageFlag determines what part of the event is formatted as as string. eventHandle is the handle to the event. publisher is the name of the event's publisher. publisherHandle is a handle to the publisher's metadata as provided by EvtOpenPublisherMetadata. lang is the language ID. buffer is optional and if not provided it will be allocated. If the provided buffer is not large enough then an InsufficientBufferError will be returned.

func IsAvailable 

func IsAvailable() (bool, error)

IsAvailable returns true if the Windows Event Log API is supported by this operating system. If not supported then false is returned with the accompanying error.

func StringFromGUID 

func StringFromGUID(guid *syscall.GUID) (string, error)

StringFromGUID returns a displayable GUID string from the GUID struct.

Types

type Event 

type Event struct {
	// System context properties.
	ProviderName      string            `json:",omitempty"`
	ProviderGUID      string            `json:",omitempty"`
	EventID           uint16            `json:",omitempty"`
	Qualifiers        uint16            `json:",omitempty"`
	TimeCreated       *time.Time        `json:",omitempty"`
	RecordID          uint64            `json:",omitempty"`
	ActivityID        string            `json:",omitempty"`
	RelatedActivityID string            `json:",omitempty"`
	ProcessID         uint32            `json:",omitempty"`
	ThreadID          uint32            `json:",omitempty"`
	Channel           string            `json:",omitempty"`
	Computer          string            `json:",omitempty"`
	UserSID           *eventlogging.SID `json:",omitempty"`
	Version           uint8             `json:",omitempty"`

	Message    string `json:",omitempty"`
	MessageErr error

	Level    string `json:",omitempty"`
	LevelErr error

	Task    string `json:",omitempty"`
	TaskErr error

	Opcode    string `json:",omitempty"`
	OpcodeErr error

	Keywords      []string `json:",omitempty"`
	KeywordsError error
}

Event holds the data from the a log record.

func RenderEvent 

func RenderEvent(
	eventHandle EvtHandle,
	systemContext EvtHandle,
	lang uint32,
	renderBuf []byte,
	pubHandleProvider func(string) uintptr,
) (Event, error)

RenderEvent reads the event data associated with the EvtHandle and renders the data so that it can used.

type EvtFormatMessageFlag 

type EvtFormatMessageFlag uint32

EvtFormatMessageFlag defines the values that specify the message string from the event to format. 

const (
	// Format the event's message string.
	EvtFormatMessageEvent EvtFormatMessageFlag = iota + 1
	// Format the message string of the level specified in the event.
	EvtFormatMessageLevel
	// Format the message string of the task specified in the event.
	EvtFormatMessageTask
	// Format the message string of the task specified in the event.
	EvtFormatMessageOpcode
	// Format the message string of the keywords specified in the event. If the
	// event specifies multiple keywords, the formatted string is a list of
	// null-terminated strings. Increment through the strings until your pointer
	// points past the end of the used buffer.
	EvtFormatMessageKeyword
	// Format the message string of the channel specified in the event.
	EvtFormatMessageChannel
	// Format the provider's message string.
	EvtFormatMessageProvider
	// Format the message string associated with a resource identifier. The
	// provider's metadata contains the resource identifiers; the message
	// compiler assigns a resource identifier to each string when it compiles
	// the manifest.
	EvtFormatMessageId
	// Format all the message strings in the event. The formatted message is an
	// XML string that contains the event details and the message strings.
	EvtFormatMessageXml
)

EVT_FORMAT_MESSAGE_FLAGS enumeration https://msdn.microsoft.com/en-us/library/windows/desktop/aa385525(v=vs.85).aspx

type EvtHandle 

type EvtHandle uintptr

EvtHandle is a handle to the event log.

func CreateBookmark 

func CreateBookmark(channel string, recordID uint64) (EvtHandle, error)

CreateBookmark creates a new handle to a bookmark. Close must be called on returned EvtHandle when finished with the handle.

func EventHandles 

func EventHandles(subscription EvtHandle, maxHandles int) ([]EvtHandle, error)

EventHandles reads the event handles from a subscription. It attempt to read at most maxHandles. ErrorNoMoreHandles is returned when there are no more handles available to return. Close must be called on each returned EvtHandle when finished with the handle.

func OpenPublisherMetadata 

func OpenPublisherMetadata(
	session EvtHandle,
	publisherName string,
	lang uint32,
) (EvtHandle, error)

OpenPublisherMetadata opens a handle to the publisher's metadata. Close must be called on returned EvtHandle when finished with the handle.

func Subscribe 

func Subscribe(
	session EvtHandle,
	event windows.Handle,
	channelPath string,
	query string,
	bookmark EvtHandle,
	flags EvtSubscribeFlag,
) (EvtHandle, error)

Subscribe creates a new subscription to an event log channel.

type EvtRenderContextFlag 

type EvtRenderContextFlag uint32

EvtRenderContextFlag defines the values that specify the type of information to access from the event. 

const (
	// Render specific properties from the event.
	EvtRenderContextValues EvtRenderContextFlag = iota
	// Render the system properties under the System element.
	EvtRenderContextSystem
	// Render all user-defined properties under the UserData or EventData element.
	EvtRenderContextUser
)

EVT_RENDER_CONTEXT_FLAGS enumeration https://msdn.microsoft.com/en-us/library/windows/desktop/aa385561(v=vs.85).aspx

type EvtRenderFlag 

type EvtRenderFlag uint32

EvtRenderFlag defines the values that specify what to render. 

const (
	// Render the event properties specified in the rendering context.
	EvtRenderEventValues EvtRenderFlag = iota
	// Render the event as an XML string. For details on the contents of the
	// XML string, see the Event schema.
	EvtRenderEventXml
	// Render the bookmark as an XML string, so that you can easily persist the
	// bookmark for use later.
	EvtRenderBookmark
)

EVT_RENDER_FLAGS enumeration https://msdn.microsoft.com/en-us/library/windows/desktop/aa385563(v=vs.85).aspx

type EvtSubscribeFlag 

type EvtSubscribeFlag uint32

EvtSubscribeFlag defines the possible values that specify when to start subscribing to events. 

const (
	EvtSubscribeToFutureEvents      EvtSubscribeFlag = 1
	EvtSubscribeStartAtOldestRecord EvtSubscribeFlag = 2
	EvtSubscribeStartAfterBookmark  EvtSubscribeFlag = 3
	EvtSubscribeOriginMask          EvtSubscribeFlag = 0x3
	EvtSubscribeTolerateQueryErrors EvtSubscribeFlag = 0x1000
	EvtSubscribeStrict              EvtSubscribeFlag = 0x10000
)

EVT_SUBSCRIBE_FLAGS enumeration https://msdn.microsoft.com/en-us/library/windows/desktop/aa385588(v=vs.85).aspx

type EvtSystemPropertyID 

type EvtSystemPropertyID uint32

EvtSystemPropertyID defines the identifiers that identify the system-specific properties of an event. 

const (
	// Identifies the Name attribute of the provider element.
	// The variant type for this property is EvtVarTypeString.
	EvtSystemProviderName EvtSystemPropertyID = iota
	// Identifies the Guid attribute of the provider element.
	// The variant type for this property is EvtVarTypeGuid.
	EvtSystemProviderGuid
	// Identifies the EventID element.
	// The variant type for this property is EvtVarTypeUInt16.
	EvtSystemEventID
	// Identifies the Qualifiers attribute of the EventID element.
	// The variant type for this property is EvtVarTypeUInt16.
	EvtSystemQualifiers
	// Identifies the Level element.
	// The variant type for this property is EvtVarTypeUInt8.
	EvtSystemLevel
	// Identifies the Task element.
	// The variant type for this property is EvtVarTypeUInt16.
	EvtSystemTask
	// Identifies the Opcode element.
	// The variant type for this property is EvtVarTypeUInt8.
	EvtSystemOpcode
	// Identifies the Keywords element.
	// The variant type for this property is EvtVarTypeInt64.
	EvtSystemKeywords
	// Identifies the SystemTime attribute of the TimeCreated element.
	// The variant type for this property is EvtVarTypeFileTime.
	EvtSystemTimeCreated
	// Identifies the EventRecordID element.
	// The variant type for this property is EvtVarTypeUInt64.
	EvtSystemEventRecordId
	// Identifies the ActivityID attribute of the Correlation element.
	// The variant type for this property is EvtVarTypeGuid.
	EvtSystemActivityID
	// Identifies the RelatedActivityID attribute of the Correlation element.
	// The variant type for this property is EvtVarTypeGuid.
	EvtSystemRelatedActivityID
	// Identifies the ProcessID attribute of the Execution element.
	// The variant type for this property is EvtVarTypeUInt32.
	EvtSystemProcessID
	// Identifies the ThreadID attribute of the Execution element.
	// The variant type for this property is EvtVarTypeUInt32.
	EvtSystemThreadID
	// Identifies the Channel element.
	// The variant type for this property is EvtVarTypeString.
	EvtSystemChannel
	// Identifies the Computer element.
	// The variant type for this property is EvtVarTypeString.
	EvtSystemComputer
	// Identifies the UserID element.
	// The variant type for this property is EvtVarTypeSid.
	EvtSystemUserID
	// Identifies the Version element.
	// The variant type for this property is EvtVarTypeUInt8.
	EvtSystemVersion
	// This enumeration value marks the end of the enumeration values.
	EvtSystemPropertyIdEND
)

EVT_SYSTEM_PROPERTY_ID enumeration https://msdn.microsoft.com/en-us/library/windows/desktop/aa385606(v=vs.85).aspx

func (EvtSystemPropertyID) String 

func (e EvtSystemPropertyID) String() string

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.