sys

package
v6.0.0-rc1+incompatible
Published: Sep 25, 2017 License: Apache-2.0 Imports: 8 Imported by: 163

Documentation

Overview

Package sys provides common data structures and utility functions that are used by the subpackages for interfacing with the system-level APIs to collect event log records from Windows.

Index

Constants

This section is empty.

Variables

View Source
var ErrBufferTooSmall = errors.New("buffer too small")

Functions

func RemoveWindowsLineEndings

func RemoveWindowsLineEndings(s string) string

RemoveWindowsLineEndings replaces carriage return line feed (CRLF) with line feed (LF) and trims any newline character that may exist at the end of the string.

func UTF16BytesToString

func UTF16BytesToString(b []byte) (string, int, error)

UTF16BytesToString returns a string that is decoded from the UTF-16 bytes. The byte slice must be of even length, otherwise an error is returned. The integer returned is the offset to the start of the next string within the buffer if one exists; otherwise -1 is returned.
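The contract above (even-length check, NUL-terminated string, offset of the following string or -1) is the one Windows APIs impose when they hand back UTF-16LE buffers holding one or more strings. The following is an added, independent implementation of that contract written for this page; it is not the package's own code. The helper names (decodeUTF16LE, decodeMultiString, encodeUTF16LE) and the sample strings are assumptions constructed for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"unicode/utf16"
)

// errOddLength is returned for buffers that cannot be whole UTF-16 code units.
// Silently dropping the trailing byte would hide truncation, so it is an error.
var errOddLength = errors.New("utf-16 buffer length must be even")

// decodeUTF16LE decodes one NUL-terminated UTF-16LE string from b. It returns
// the string, the byte offset of the next string after the terminator (or -1
// when nothing follows), and an error for odd-length input. Independent
// implementation of the documented UTF16BytesToString contract (assumption).
func decodeUTF16LE(b []byte) (string, int, error) {
	if len(b)%2 != 0 {
		return "", 0, errOddLength
	}
	units := make([]uint16, 0, len(b)/2)
	next := -1
	for i := 0; i < len(b); i += 2 {
		u := binary.LittleEndian.Uint16(b[i:])
		if u == 0 {
			if i+2 < len(b) {
				next = i + 2
			}
			break
		}
		units = append(units, u)
	}
	// utf16.Decode joins surrogate pairs and replaces lone surrogates with
	// U+FFFD, so a malformed record cannot yield an invalid string.
	return string(utf16.Decode(units)), next, nil
}

// decodeMultiString walks a buffer of consecutive NUL-terminated UTF-16LE
// strings (the layout Windows uses for string arrays), advancing by the
// offset that decodeUTF16LE returns.
func decodeMultiString(b []byte) ([]string, error) {
	var out []string
	for off := 0; off < len(b); {
		s, next, err := decodeUTF16LE(b[off:])
		if err != nil {
			return nil, err
		}
		out = append(out, s)
		if next == -1 {
			break
		}
		off += next
	}
	return out, nil
}

// encodeUTF16LE builds NUL-terminated UTF-16LE input for the demonstration.
// The strings fed to it below are constructed, not taken from a real log.
func encodeUTF16LE(s string) []byte {
	units := append(utf16.Encode([]rune(s)), 0)
	b := make([]byte, 2*len(units))
	for i, u := range units {
		binary.LittleEndian.PutUint16(b[2*i:], u)
	}
	return b
}

func main() {
	buf := append(encodeUTF16LE("Security"), encodeUTF16LE("Logon 😀")...)
	fmt.Println(decodeMultiString(buf)) // [Security Logon 😀] <nil>
	_, _, err := decodeUTF16LE(buf[:len(buf)-1])
	fmt.Println(err) // utf-16 buffer length must be even
}
```

The odd-length rejection matters in practice: a truncated buffer from a failed render should surface as an error rather than being decoded as a shorter, plausible-looking string.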

func UTF16ToUTF8Bytes

func UTF16ToUTF8Bytes(in []byte, out io.Writer) error

Types

type ByteBuffer

type ByteBuffer struct {
	// contains filtered or unexported fields
}

ByteBuffer is an expandable buffer backed by a byte slice.

func NewByteBuffer

func NewByteBuffer(initialSize int) *ByteBuffer

NewByteBuffer creates a new ByteBuffer with an initial capacity of initialSize.

func (*ByteBuffer) Bytes

func (b *ByteBuffer) Bytes() []byte

Bytes returns a slice of length b.Len() holding the bytes that have been written to the buffer.

func (*ByteBuffer) Len

func (b *ByteBuffer) Len() int

Len returns the number of bytes that have been written to the buffer.

func (*ByteBuffer) Reset

func (b *ByteBuffer) Reset()

Reset resets the buffer to be empty. It retains the same underlying storage.

func (*ByteBuffer) Write

func (b *ByteBuffer) Write(p []byte) (int, error)

Write appends the contents of p to the buffer, growing the buffer as needed. The return value is the length of p; err is always nil.

type Correlation

type Correlation struct {
	ActivityID        string `xml:"ActivityID,attr"`
	RelatedActivityID string `xml:"RelatedActivityID,attr"`
}

Correlation contains activity identifiers that consumers can use to group related events together.

type Event

type Event struct {
	// System
	Provider        Provider        `xml:"System>Provider"`
	EventIdentifier EventIdentifier `xml:"System>EventID"`
	Version         uint8           `xml:"System>Version"`
	LevelRaw        uint8           `xml:"System>Level"`
	TaskRaw         uint16          `xml:"System>Task"`
	OpcodeRaw       uint8           `xml:"System>Opcode"`
	TimeCreated     TimeCreated     `xml:"System>TimeCreated"`
	RecordID        uint64          `xml:"System>EventRecordID"`
	Correlation     Correlation     `xml:"System>Correlation"`
	Execution       Execution       `xml:"System>Execution"`
	Channel         string          `xml:"System>Channel"`
	Computer        string          `xml:"System>Computer"`
	User            SID             `xml:"System>Security"`

	EventData EventData `xml:"EventData"`
	UserData  UserData  `xml:"UserData"`

	// RenderingInfo
	Message  string   `xml:"RenderingInfo>Message"`
	Level    string   `xml:"RenderingInfo>Level"`
	Task     string   `xml:"RenderingInfo>Task"`
	Opcode   string   `xml:"RenderingInfo>Opcode"`
	Keywords []string `xml:"RenderingInfo>Keywords>Keyword"`

	// ProcessingErrorData
	RenderErrorCode         uint32 `xml:"ProcessingErrorData>ErrorCode"`
	RenderErrorDataItemName string `xml:"ProcessingErrorData>DataItemName"`
	RenderErr               string
}

Event holds the data from a log record.

func UnmarshalEventXML

func UnmarshalEventXML(rawXML []byte) (Event, error)

UnmarshalEventXML unmarshals the given XML into a new Event.

type EventData

type EventData struct {
	Pairs []KeyValue `xml:",any"`
}

EventData contains the event data. The EventData section is used if the message provider template does not contain a UserData section.

type EventIdentifier

type EventIdentifier struct {
	Qualifiers uint16 `xml:"Qualifiers,attr"`
	ID         uint32 `xml:",chardata"`
}

EventIdentifier is the identifier that the provider uses to identify a specific event type.

type Execution

type Execution struct {
	ProcessID uint32 `xml:"ProcessID,attr"`
	ThreadID  uint32 `xml:"ThreadID,attr"`

	// Only available for events logged to an event tracing log file (.etl file).
	ProcessorID   uint32 `xml:"ProcessorID,attr"`
	SessionID     uint32 `xml:"SessionID,attr"`
	KernelTime    uint32 `xml:"KernelTime,attr"`
	UserTime      uint32 `xml:"UserTime,attr"`
	ProcessorTime uint32 `xml:"ProcessorTime,attr"`
}

Execution contains information about the process and thread that logged the event.

type FileHandle

type FileHandle struct {
	File   string  // Fully-qualified path to the event message file.
	Handle uintptr // Handle to the loaded event message file.
	Err    error   // Error that occurred while loading Handle.
}

FileHandle contains the handle to a single Windows message file.

type InsufficientBufferError

type InsufficientBufferError struct {
	Cause        error
	RequiredSize int // Size of the buffer that is required.
}

InsufficientBufferError indicates the buffer passed to a system call is too small.

func (InsufficientBufferError) Error

func (e InsufficientBufferError) Error() string

Error returns the cause of the insufficient buffer error.
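ErrBufferTooSmall, InsufficientBufferError.RequiredSize and the growable ByteBuffer exist for one pattern: a Windows API is called with a caller-supplied buffer, reports that it is too small together with the size it needs, and is called again with a larger one. The block below is an added example of that retry loop, not code from the package; it mirrors the two documented error declarations locally so it runs without importing the package, and the cap (maxBufferSize), attempt limit (maxAttempts), the fillFunc type and the fakeFill stand-in are assumptions made for the example. It does not use ByteBuffer itself; it shows the two checks a collector wants around the retry: a reported size that does not exceed the buffer already passed (which would otherwise loop forever) and a reported size above a hard ceiling (which would otherwise let a hostile or buggy provider drive an enormous allocation).

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// Local mirrors of the sys package's ErrBufferTooSmall and
// InsufficientBufferError (assumption: same shape as the documented types).
var ErrBufferTooSmall = errors.New("buffer too small")

type InsufficientBufferError struct {
	Cause        error
	RequiredSize int // Size of the buffer that is required.
}

func (e InsufficientBufferError) Error() string { return e.Cause.Error() }

// maxBufferSize is an assumed ceiling on how far the loop will grow a buffer.
const maxBufferSize = 16 << 20 // 16 MiB

// maxAttempts bounds the loop so a callee whose RequiredSize keeps moving
// cannot spin it indefinitely.
const maxAttempts = 3

// fillFunc models a Windows call of the "fill this buffer" shape: it writes
// into buf and returns the byte count, or an InsufficientBufferError that
// carries the size it actually needs.
type fillFunc func(buf []byte) (int, error)

// callWithGrowingBuffer invokes fn, reallocating to the reported RequiredSize
// and retrying whenever the callee says the buffer is too small.
func callWithGrowingBuffer(fn fillFunc, initialSize, maxSize int) ([]byte, error) {
	buf := make([]byte, initialSize)
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		n, err := fn(buf)
		if err == nil {
			return buf[:n], nil
		}
		var ibe InsufficientBufferError
		if !errors.As(err, &ibe) {
			return nil, err // not a size problem; retrying would not help
		}
		switch {
		case ibe.RequiredSize <= len(buf):
			// Obeying this would retry with the same or a smaller buffer forever.
			return nil, fmt.Errorf("callee reported required size %d for a %d-byte buffer: %w",
				ibe.RequiredSize, len(buf), ibe)
		case ibe.RequiredSize > maxSize:
			return nil, fmt.Errorf("required size %d exceeds cap %d: %w",
				ibe.RequiredSize, maxSize, ibe)
		}
		buf = make([]byte, ibe.RequiredSize)
	}
	return nil, fmt.Errorf("buffer size did not settle after %d attempts", maxAttempts)
}

// fakeFill simulates an API whose output is exactly payload and which, like
// the real calls, refuses any buffer shorter than that payload.
func fakeFill(payload []byte) fillFunc {
	return func(buf []byte) (int, error) {
		if len(buf) < len(payload) {
			return 0, InsufficientBufferError{Cause: ErrBufferTooSmall, RequiredSize: len(payload)}
		}
		return copy(buf, payload), nil
	}
}

func main() {
	// Constructed 5000-byte payload standing in for a rendered event.
	payload := bytes.Repeat([]byte("x"), 5000)
	out, err := callWithGrowingBuffer(fakeFill(payload), 1024, maxBufferSize)
	fmt.Println(len(out), err) // 5000 <nil>

	// A callee demanding more than the cap is refused rather than obeyed.
	_, err = callWithGrowingBuffer(fakeFill(make([]byte, maxBufferSize+1)), 1024, maxBufferSize)
	fmt.Println(err)
}
```

Callers that reuse one buffer across many events (the reason ByteBuffer exists) should keep the grown buffer rather than allocating per call, but the same two checks apply before every regrowth.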

type KeyValue

type KeyValue struct {
	Key   string
	Value string
}

KeyValue is a key value pair of strings.

func (*KeyValue) UnmarshalXML

func (kv *KeyValue) UnmarshalXML(d *xml.Decoder, start xml.StartElement) error

UnmarshalXML unmarshals an arbitrary XML element into a KeyValue. The key becomes the name of the element or value of the Name attribute if it exists. The value is the character data contained within the element.

type MessageFiles

type MessageFiles struct {
	SourceName string
	Err        error
	Handles    []FileHandle
}

MessageFiles contains handles to event message files associated with an event log source.

type Provider

type Provider struct {
	Name            string `xml:"Name,attr"`
	GUID            string `xml:"Guid,attr"`
	EventSourceName string `xml:"EventSourceName,attr"`
}

Provider identifies the provider that logged the event. The Name and GUID attributes are included if the provider used an instrumentation manifest to define its events; otherwise, the EventSourceName attribute is included if a legacy event provider (using the Event Logging API) logged the event.

type SID

type SID struct {
	Identifier string `xml:"UserID,attr"`
	Name       string
	Domain     string
	Type       SIDType
}

SID represents the Windows Security Identifier for an account.

func (SID) String

func (a SID) String() string

String returns the string representation of the SID.

type SIDType

type SIDType uint32

SIDType identifies the type of a security identifier (SID).

const (
	// Do not reorder.
	SidTypeUser SIDType = 1 + iota
	SidTypeGroup
	SidTypeDomain
	SidTypeAlias
	SidTypeWellKnownGroup
	SidTypeDeletedAccount
	SidTypeInvalid
	SidTypeUnknown
	SidTypeComputer
	SidTypeLabel
)

SIDType values.

func (SIDType) String

func (st SIDType) String() string

String returns the string representation of the SIDType.

type TimeCreated

type TimeCreated struct {
	SystemTime time.Time
}

TimeCreated contains the system time of when the event was logged.

func (*TimeCreated) UnmarshalXML

func (t *TimeCreated) UnmarshalXML(d *xml.Decoder, start xml.StartElement) error

UnmarshalXML unmarshals an XML dateTime string.
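UnmarshalEventXML, KeyValue.UnmarshalXML and TimeCreated.UnmarshalXML together turn the XML that the Windows Event Log API renders into an Event: the System element maps onto nested-path struct tags, each Data element becomes a key/value pair keyed by its Name attribute (or by the element name when there is none), and the SystemTime attribute is parsed as an xs:dateTime. The block below is an added example that reproduces that mapping with a trimmed, locally defined mirror of the types; it is not the package's own code, the lower-case type and function names are assumptions, and the event record is constructed for the example rather than captured from a system.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"time"
)

// Trimmed mirror of the sys.Event layout (assumption: only the fields the
// demonstration needs; the real type carries more).
type provider struct {
	Name string `xml:"Name,attr"`
	GUID string `xml:"Guid,attr"`
}

type eventIdentifier struct {
	Qualifiers uint16 `xml:"Qualifiers,attr"`
	ID         uint32 `xml:",chardata"`
}

// timeCreated parses the xs:dateTime in the SystemTime attribute. Windows
// emits seven fractional digits, which RFC3339Nano accepts.
type timeCreated struct {
	SystemTime time.Time
}

func (t *timeCreated) UnmarshalXML(d *xml.Decoder, start xml.StartElement) error {
	for _, a := range start.Attr {
		if a.Name.Local != "SystemTime" {
			continue
		}
		ts, err := time.Parse(time.RFC3339Nano, a.Value)
		if err != nil {
			return fmt.Errorf("TimeCreated: %w", err)
		}
		t.SystemTime = ts
	}
	return d.Skip() // consume everything up to the matching end element
}

// keyValue turns <Data Name="k">v</Data> into Key="k"; without a Name
// attribute the element name itself becomes the key.
type keyValue struct {
	Key, Value string
}

func (kv *keyValue) UnmarshalXML(d *xml.Decoder, start xml.StartElement) error {
	kv.Key = start.Name.Local
	for _, a := range start.Attr {
		if a.Name.Local == "Name" {
			kv.Key = a.Value
		}
	}
	return d.DecodeElement(&kv.Value, &start) // character data of the element
}

type eventData struct {
	Pairs []keyValue `xml:",any"`
}

type event struct {
	Provider        provider        `xml:"System>Provider"`
	EventIdentifier eventIdentifier `xml:"System>EventID"`
	TimeCreated     timeCreated     `xml:"System>TimeCreated"`
	RecordID        uint64          `xml:"System>EventRecordID"`
	Channel         string          `xml:"System>Channel"`
	Computer        string          `xml:"System>Computer"`
	EventData       eventData       `xml:"EventData"`
}

// unmarshalEventXML parses one rendered record. encoding/xml does not process
// DTDs or external entities: an entity reference it does not know is a parse
// error, not a file read, so a hostile record cannot use XXE against the
// collector.
func unmarshalEventXML(raw []byte) (event, error) {
	var e event
	err := xml.Unmarshal(raw, &e)
	return e, err
}

// sampleEvent is a constructed record in the shape the Event Log API renders
// for a logon event; it is not a captured log line.
const sampleEvent = `<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}"/>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2017-09-25T10:15:30.1234567Z"/>
    <EventRecordID>12345</EventRecordID>
    <Channel>Security</Channel>
    <Computer>host.example.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">alice</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="IpAddress">203.0.113.7</Data>
    <Binary>00FF</Binary>
  </EventData>
</Event>`

func main() {
	e, err := unmarshalEventXML([]byte(sampleEvent))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s/%d on %s at %s\n", e.Provider.Name, e.EventIdentifier.ID,
		e.Computer, e.TimeCreated.SystemTime.Format(time.RFC3339Nano))
	for _, p := range e.EventData.Pairs {
		fmt.Printf("  %s=%s\n", p.Key, p.Value)
	}
}
```

The Binary element in the sample has no Name attribute, so it shows the fallback rule: its key is the element name. The struct tags carry no namespace, which is why they match elements under the default events namespace declared on the root.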

type UserData

type UserData struct {
	Name  xml.Name
	Pairs []KeyValue
}

UserData contains the event data.

func (*UserData) UnmarshalXML

func (u *UserData) UnmarshalXML(d *xml.Decoder, start xml.StartElement) error

UnmarshalXML unmarshals UserData XML.

Directories

Path Synopsis
Package eventlogging provides access to the Event Logging API that was designed for applications that run on the Windows Server 2003, Windows XP, or Windows 2000 operating system.
Package wineventlog provides access to the Windows Event Log API used in all versions of Windows since Vista (i.e.
