eventwatcher

Published: Jun 13, 2024 License: MIT Imports: 7 Imported by: 0

README

EventWatcher

Overview

EventWatcher is an open-source library designed for monitoring Windows Event Logs in real-time. It provides a robust and efficient solution for tracking and reacting to system events, application logs, and other important event sources. This library is particularly useful for developers and system administrators who need to monitor event logs for debugging, auditing, and system management purposes.

Usage

To use the EventWatcher library, you need to:

  1. Create an EventNotifier instance.
  2. Add event watchers for the logs you are interested in.
  3. Listen for event data on the EventLogChannel.
  4. Ensure a graceful shutdown by properly closing the EventNotifier.

Installation

To install the EventWatcher library, run:

go get github.com/auuunya/eventwatcher

Example

package main

import (
	"context"
	"fmt"
	"os"
	"os/signal"
	"syscall"

	"github.com/auuunya/eventwatcher"
)

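// main wires an EventNotifier to a few well-known logs, prints every entry
// that arrives on EventLogChannel, and shuts the notifier down when the
// process receives SIGHUP, SIGINT or SIGTERM.
func main() {
	ctx := context.Background()
	notify := eventwatcher.NewEventNotifier(ctx)
	defer notify.Close()

	channels := []string{"Application", "System", "Microsoft-Windows-Kernel-Dump/Operational"}
	for _, channel := range channels {
		// A log that cannot be watched (missing channel, insufficient rights)
		// is a monitoring gap: report it rather than dropping the error silently.
		if err := notify.AddWatcher(channel); err != nil {
			fmt.Fprintf(os.Stderr, "add watcher %q: %v\n", channel, err)
		}
	}

	// Consume entries until the notifier closes the channel.
	go func() {
		for entry := range notify.EventLogChannel {
			fmt.Printf("event entry: %v\n", entry)
		}
	}()

	// Block until a termination signal arrives; the deferred Close then stops
	// the watchers and waits for them to exit.
	quit := make(chan os.Signal, 1)
	signal.Notify(quit, syscall.SIGHUP, syscall.SIGINT, syscall.SIGTERM)
	<-quit
}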

Adding a test event with Windows PowerShell

Write-EventLog -LogName "Application" -Source "TestSource" -EventID 1000 -EntryType Information -Message "Application Test Info"

Adding a test event with the Windows command prompt

eventcreate /ID 10001 /L APPLICATION /T INFORMATION  /SO MYEVENTSOURCE /D "Test Application Information"

Contribution

Contributions are welcome! Feel free to open issues or submit pull requests on the GitHub repository.

License

This project is licensed under the MIT License. See the LICENSE file for details.

Documentation

Index

Constants

// Handle sentinel and Win32 status codes (winerror.h values) used by the
// event-log wrappers in this package.
const (
	// InvalidHandle is the zero-valued handle used as the "no handle" sentinel.
	InvalidHandle = syscall.Handle(0)

	// ERROR_HANDLE_EOF (38): the end of the log has been reached.
	ERROR_HANDLE_EOF          syscall.Errno = 38
	// ERROR_INSUFFICIENT_BUFFER (122): the supplied buffer is too small for the
	// data; the call must be retried with a larger buffer.
	ERROR_INSUFFICIENT_BUFFER syscall.Errno = 122
	// ERROR_NO_MORE_ITEMS (259): an enumeration has no further entries.
	ERROR_NO_MORE_ITEMS       syscall.Errno = 259
	// NO_ERROR is deliberately an untyped constant, unlike the Errno values
	// above, so it can be compared against any integer status value.
	NO_ERROR                                = 0
)
// Win32 event types (winnt.h EVENTLOG_* values) as stored in the EventType
// field of an EVENTLOGRECORD. Audit success/failure are the types used by the
// Security log; treat the audit-failure stream as the one most worth alerting on.
const (
	EVENTLOG_SUCCESS          = 0x0000
	EVENTLOG_ERROR_TYPE       = 0x0001
	EVENTLOG_WARNING_TYPE     = 0x0002
	EVENTLOG_INFORMATION_TYPE = 0x0004
	EVENTLOG_AUDIT_SUCCESS    = 0x0008
	EVENTLOG_AUDIT_FAILURE    = 0x0010
)
// Read flags for ReadEventLog. Exactly one of the positioning flags
// (EVENTLOG_SEEK_READ / EVENTLOG_SEQUENTIAL_READ) and one of the direction
// flags (EVENTLOG_FORWARDS_READ / EVENTLOG_BACKWARDS_READ) must be combined
// with a bitwise OR; the offset argument is only used with EVENTLOG_SEEK_READ.
const (
	// EVENTLOG_SEEK_READ starts reading at the record number given as offset.
	EVENTLOG_SEEK_READ       = 0x0002
	// EVENTLOG_SEQUENTIAL_READ continues from the last record read on the handle.
	EVENTLOG_SEQUENTIAL_READ = 0x0001

	EVENTLOG_FORWARDS_READ  = 0x0004
	EVENTLOG_BACKWARDS_READ = 0x0008
)

https://learn.microsoft.com/zh-cn/windows/win32/api/winbase/nf-winbase-readeventloga

Variables

This section is empty.

Functions

func CloseEventLog

func CloseEventLog(handle syscall.Handle) error

func CloseHandle

func CloseHandle(handle syscall.Handle) error

func CreateEvent

func CreateEvent(
	eventAttributes *syscall.SecurityAttributes,
	manualReset, initialState uint32,
	name *uint16,
) (syscall.Handle, error)

func DeregisterEventSource

func DeregisterEventSource(log syscall.Handle) error

func EventLogRecordNumber

func EventLogRecordNumber(handle syscall.Handle) (uint32, error)

func EvtClose

func EvtClose(handle syscall.Handle) error

func EvtNextChannelPath

func EvtNextChannelPath(handle syscall.Handle) ([]string, error)

func EvtOpenChannelEnum

func EvtOpenChannelEnum(session syscall.Handle) (syscall.Handle, error)

func FormatContent added in v0.1.1

func FormatContent(buf []byte) string

func FormatMessage

func FormatMessage(errorCode uint32) string

func LookupAccountSid

func LookupAccountSid(buf []byte, sidlen, sidoffset uint32) (string, string, error)

LookupAccountSid retrieves the account name and domain name for the specified SID.

func NotifyChangeEventLog

func NotifyChangeEventLog(handle, event syscall.Handle) error

func OpenEventLog

func OpenEventLog(name string) (syscall.Handle, error)

func ReadEventLog

func ReadEventLog(handle syscall.Handle, flags, offset uint32) ([]byte, error)

func RegisterEventSource

func RegisterEventSource(uncServerName, sourceName *uint16) (handle syscall.Handle, err error)

func ReportEvent

func ReportEvent(log syscall.Handle, etype uint16, category uint16, eventID uint32, userSid *windows.SID, strings []string, binaryData []byte) error

func ResetEvent

func ResetEvent(handle syscall.Handle) error

func SetEvent

func SetEvent(handle syscall.Handle) error

func WaitForMultipleObjects

func WaitForMultipleObjects(
	handles []syscall.Handle,
	waitAll bool,
	waitMilliseconds uint32,
) (event uint32, err error)

Types

type EventEntry added in v0.1.1

// EventEntry is the value a watcher sends on EventNotifier.EventLogChannel
// when it observes a change in the log it monitors.
type EventEntry struct {
	// Name identifies where the entry came from; presumably the watcher's log
	// name (see EventWatcher.Name) — verify against the producing Listen code.
	Name   string         `json:"name"`
	// Handle is the syscall.Handle the entry is associated with. It is only
	// meaningful inside the producing process; in JSON it is just an integer.
	Handle syscall.Handle `json:"handle"`
	// Buffer holds the raw bytes for the entry, in the []byte form that
	// FormatContent and ParseEventLogData accept. encoding/json emits it
	// base64-encoded. NOTE(review): any offsets inside the buffer originate
	// from the log and should be bounds-checked against len(Buffer) before use.
	Buffer []byte         `json:"buffer"`
}

type EventLogRecord

// EventLogRecord mirrors the fixed-size header of the Win32 EVENTLOGRECORD
// structure that ReadEventLog returns. The variable-length parts of a record
// (insertion strings, the user SID, binary data) follow this header in the
// same buffer and are located through the *Offset and *Length fields below.
//
// NOTE(review): every offset and length here is read from the log buffer
// itself, so a parser must check them against the buffer length before
// slicing; ParseEventLogData/ParserEventLogData are the natural place for that.
type EventLogRecord struct {
	// Length is the size of the whole record in bytes, header and variable
	// data included.
	Length              uint32
	Reserved            uint32
	// RecordNumber is the record's sequence number within the log.
	RecordNumber        uint32
	// TimeGenerated and TimeWritten follow the EVENTLOGRECORD convention of
	// seconds since 1970-01-01 00:00:00 UTC.
	TimeGenerated       uint32
	TimeWritten         uint32
	EventID             uint32
	// EventType holds one of the EVENTLOG_*_TYPE constants.
	EventType           uint16
	// NumStrings is the number of insertion strings that begin at StringOffset.
	NumStrings          uint16
	EventCategory       uint16
	ReservedFlags       uint16
	ClosingRecordNumber uint32
	// StringOffset, UserSidOffset and DataOffset are byte offsets from the
	// start of the record; UserSidLength and DataLength are byte lengths.
	StringOffset        uint32
	UserSidLength       uint32
	UserSidOffset       uint32
	DataLength          uint32
	DataOffset          uint32
}

func ParseEventLogData

func ParseEventLogData(buf []byte) *EventLogRecord

ParseEventLogData parses the event log data.

func ParserEventLogData

func ParserEventLogData(buf []byte) (*EventLogRecord, error)

type EventNotifier

type EventNotifier struct {
	EventLogChannel chan *EventEntry
	// contains filtered or unexported fields
}

EventNotifier manages a collection of EventWatchers.

func NewEventNotifier

func NewEventNotifier(ctx context.Context) *EventNotifier

NewEventNotifier creates a new EventNotifier instance.

func (*EventNotifier) AddWatcher

func (en *EventNotifier) AddWatcher(name string) error

AddWatcher adds a new EventWatcher to the EventNotifier.

func (*EventNotifier) Close

func (en *EventNotifier) Close()

Close shuts down all EventWatchers and waits for them to exit.

func (*EventNotifier) GetWatcher

func (en *EventNotifier) GetWatcher(name string) (*EventWatcher, error)

GetWatcher retrieves an EventWatcher by name.

func (*EventNotifier) RemoveWatcher

func (en *EventNotifier) RemoveWatcher(name string) error

RemoveWatcher removes an EventWatcher from the EventNotifier.

type EventWatcher

type EventWatcher struct {
	Name string
	// contains filtered or unexported fields
}

EventWatcher monitors an event log for changes.

func NewEventWatcher

func NewEventWatcher(ctx context.Context, name string, eventChan chan *EventEntry) *EventWatcher

NewEventWatcher creates a new EventWatcher instance.

func (*EventWatcher) Close

func (ew *EventWatcher) Close()

Close cancels the context and triggers the cancel event.

func (*EventWatcher) CloseHandles

func (ew *EventWatcher) CloseHandles() error

CloseHandles closes all handles associated with the EventWatcher.

func (*EventWatcher) Init

func (ew *EventWatcher) Init() error

Init initializes the EventWatcher instance.

func (*EventWatcher) Listen

func (ew *EventWatcher) Listen()

Listen monitors the event log and processes changes.

type SID_NAME_USE

// SID_NAME_USE is the Win32 SID_NAME_USE enumeration: the kind of principal a
// security identifier refers to. The underlying LookupAccountSid API fills it
// in; note that this package's LookupAccountSid wrapper returns only the
// account and domain names, not this value.
type SID_NAME_USE uint32
const (
	// https://learn.microsoft.com/zh-cn/windows/win32/api/winnt/ne-winnt-sid_name_use
	// Members start at 1 to match the Win32 enumeration; 0 is not a valid value.
	SidTypeUser SID_NAME_USE = iota + 1
	SidTypeGroup
	SidTypeDomain
	SidTypeAlias
	SidTypeWellKnownGroup
	SidTypeDeletedAccount
	SidTypeInvalid
	SidTypeUnknown
	SidTypeComputer
	SidTypeLabel
	SidTypeLogonSession
)

Directories

Path Synopsis
_example
