winlog

package
v0.0.0-...-424d171
Published: Sep 18, 2024 License: Apache-2.0 Imports: 12 Imported by: 0

Documentation

Overview

Package winlog generates Windows Event Log XML records.

Configuration:

event_id: (number, optional) If provided, events are generated using this ID.
          Must be one of the registered event IDs. See 'eventRandomizers'
          for the list of valid IDs. If not provided, the generator will
          randomly select from the available list for each record.

- generator:
    type: winlog
    event_id: 4768

Index

Constants

const Name = "winlog"

Variables

This section is empty.

Functions

func New

func New(cfg *ucfg.Config) (generator.Generator, error)

New is the factory for Windows Event XML objects.

func RandomComputerName

func RandomComputerName(domain string) string

RandomComputerName generates a random computer name. If domain is provided, it will be app.

func RandomDomain

func RandomDomain() string

RandomDomain generates a random domain.

func RandomSID

func RandomSID() string

RandomSID generates a random SID.

func RandomServiceSID

func RandomServiceSID(name string) string

RandomServiceSID generates a random SID for a service with name. If a SID has already been generated for this name, it will be returned.

func RandomUser

func RandomUser() string

RandomUser generates a random user name.

func RandomUserSID

func RandomUserSID(name string) string

RandomUserSID generates a random SID for a user with name. If a SID has already been generated for this name, it will be returned.
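One way the name-to-SID memoization described for RandomUserSID and RandomServiceSID can be implemented, as an added example that is not the winlog package's code: a cache that issues domain SIDs of the form S-1-5-21-<a>-<b>-<c>-<RID> and hands the same SID back for a name it has already seen, so every synthetic record about one account carries one identity. Sequential RIDs from 1000, the seeded generator and the names newSIDCache, UserSID and IsDomainSID are this example's assumptions (the package says its SIDs are random); the account names and seed are constructed.

```go
package main

import (
	"fmt"
	"math/rand"
	"regexp"
	"sync"
)

// sidCache memoizes the SID handed out per account name so a synthetic user
// keeps one identity across every record that mentions it (hypothetical type,
// not the package's implementation).
type sidCache struct {
	mu      sync.Mutex
	domain  string // fixed S-1-5-21-<a>-<b>-<c> prefix for this synthetic domain
	nextRID uint32 // RIDs for ordinary domain accounts start at 1000
	byName  map[string]string
}

// newSIDCache seeds the generator so a test run is reproducible; the three
// domain sub-authorities are constructed at random, as in a real domain.
func newSIDCache(seed int64) *sidCache {
	rng := rand.New(rand.NewSource(seed))
	return &sidCache{
		domain:  fmt.Sprintf("S-1-5-21-%d-%d-%d", rng.Uint32(), rng.Uint32(), rng.Uint32()),
		nextRID: 1000,
		byName:  map[string]string{},
	}
}

// UserSID returns the SID previously issued for name, or issues a new one with
// the next free RID. The lock keeps the cache safe for concurrent generators.
func (c *sidCache) UserSID(name string) string {
	c.mu.Lock()
	defer c.mu.Unlock()
	if sid, ok := c.byName[name]; ok {
		return sid
	}
	sid := fmt.Sprintf("%s-%d", c.domain, c.nextRID)
	c.nextRID++
	c.byName[name] = sid
	return sid
}

// sidPattern is the S-1-5-21-<a>-<b>-<c>-<RID> shape a log consumer expects.
var sidPattern = regexp.MustCompile(`^S-1-5-21-\d+-\d+-\d+-\d+$`)

// IsDomainSID reports whether sid has the domain-account SID shape.
func IsDomainSID(sid string) bool { return sidPattern.MatchString(sid) }

func main() {
	c := newSIDCache(1)
	fmt.Println(c.UserSID("alice"), c.UserSID("bob"), c.UserSID("alice"))
}
```

A detection test that replays generated records (for example, several logons followed by a privilege-use event for the same account) depends on exactly this property: if the SID changed between records, per-identity correlation rules would never fire.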

Types

type Correlation

type Correlation struct {
	ActivityID        string `xml:"ActivityID,attr,omitempty"`
	RelatedActivityID string `xml:"RelatedActivityID,attr,omitempty"`
}

Correlation contains activity identifiers that consumers can use to group related events together.

type Event

type Event struct {
	XMLName xml.Name `xml:"http://schemas.microsoft.com/win/2004/08/events/event Event"`

	Provider    Provider    `xml:"System>Provider"`
	EventID     EventID     `xml:"System>EventID"`
	Version     uint8       `xml:"System>Version"`
	Level       uint8       `xml:"System>Level"`
	Task        uint16      `xml:"System>Task"`
	Opcode      uint8       `xml:"System>Opcode"`
	Keywords    HexUint64   `xml:"System>Keywords"`
	TimeCreated TimeCreated `xml:"System>TimeCreated"`
	RecordID    uint64      `xml:"System>EventRecordID"`
	Correlation Correlation `xml:"System>Correlation"`
	Execution   Execution   `xml:"System>Execution"`
	Channel     string      `xml:"System>Channel"`
	Computer    string      `xml:"System>Computer"`
	Security    Security    `xml:"System>Security"`

	EventData EventData `xml:"EventData"`
}

Event holds the random fields for a Windows Event Log record.

func RandomEvent

func RandomEvent(eventID uint32, now time.Time) Event

func (*Event) AsTemplate

func (e *Event) AsTemplate() winlog.EventTemplate

type EventData

type EventData struct {
	Data []KeyValue `xml:",any"`
}

EventData contains the event data.

type EventID

type EventID struct {
	Qualifiers uint16 `xml:"Qualifiers,attr,omitempty"`
	ID         uint32 `xml:",chardata"`
}

EventID is the identifier that the provider uses to identify a specific event type.

type Execution

type Execution struct {
	ProcessID uint32 `xml:"ProcessID,attr"`
	ThreadID  uint32 `xml:"ThreadID,attr"`

	// Only available for events logged to an event tracing log file (.etl file).
	ProcessorID   uint32 `xml:"ProcessorID,attr,omitempty"`
	SessionID     uint32 `xml:"SessionID,attr,omitempty"`
	KernelTime    uint32 `xml:"KernelTime,attr,omitempty"`
	UserTime      uint32 `xml:"UserTime,attr,omitempty"`
	ProcessorTime uint32 `xml:"ProcessorTime,attr,omitempty"`
}

Execution contains information about the process and thread that logged the event.

type Generator

type Generator struct {
	Event Event
	// contains filtered or unexported fields
}

Generator provides a Windows Event XML record generator.

func (*Generator) Next

func (g *Generator) Next() ([]byte, error)

Next produces the next Windows Event XML record.

type HexUint64

type HexUint64 uint64

HexUint64 is a uint64. When marshaled, it will be in hexadecimal format.

func (HexUint64) MarshalXML

func (v HexUint64) MarshalXML(enc *xml.Encoder, start xml.StartElement) error

type KeyValue

type KeyValue struct {
	Key   string `xml:"Name,attr"`
	Value string `xml:",chardata"`
}

KeyValue is a key value pair of strings.

type Provider

type Provider struct {
	Name            string `xml:"Name,attr,omitempty"`
	GUID            string `xml:"GUID,attr,omitempty"`
	EventSourceName string `xml:"EventSourceName,attr,omitempty"`
}

Provider identifies the provider that logged the event.

type Security

type Security struct {
	UserID string `xml:"UserID,attr,omitempty"`
}

Security represents the Windows Security Identifier for an account.

type TimeCreated

type TimeCreated struct {
	SystemTime time.Time `xml:"SystemTime,attr"`
}

TimeCreated contains the system time of when the event was logged.
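Putting the Event, HexUint64 and the other types above together, as an added example that is not code from the winlog package: it redeclares a subset of the documented types with the same struct tags rather than importing the package, builds one record and marshals it with encoding/xml, then parses it back the way a log consumer would. The "0x%016x" formatting of HexUint64, its UnmarshalXML counterpart, the provider GUID, host, account and SID values are this example's assumptions; event ID 4768 is the one in the configuration example above. It shows what the tags produce (a single <System> element, the event namespace as xmlns on the root, hexadecimal Keywords) and that xml.Unmarshal rejects a record that lacks the namespace.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// These types mirror the ones documented for package winlog so the example runs
// without importing it; HexUint64's format and UnmarshalXML are assumptions.
type Provider struct {
	Name string `xml:"Name,attr,omitempty"`
	GUID string `xml:"GUID,attr,omitempty"`
}
type EventID struct {
	Qualifiers uint16 `xml:"Qualifiers,attr,omitempty"`
	ID         uint32 `xml:",chardata"`
}
type TimeCreated struct{ SystemTime time.Time `xml:"SystemTime,attr"` }
type Security struct{ UserID string `xml:"UserID,attr,omitempty"` }
type KeyValue struct {
	Key   string `xml:"Name,attr"`
	Value string `xml:",chardata"`
}
type EventData struct{ Data []KeyValue `xml:",any"` }
type HexUint64 uint64

func (v HexUint64) MarshalXML(enc *xml.Encoder, start xml.StartElement) error {
	return enc.EncodeElement(fmt.Sprintf("0x%016x", uint64(v)), start)
}

func (v *HexUint64) UnmarshalXML(dec *xml.Decoder, start xml.StartElement) error {
	var s string
	if err := dec.DecodeElement(&s, &start); err != nil {
		return err
	}
	u, err := strconv.ParseUint(strings.TrimPrefix(strings.TrimSpace(s), "0x"), 16, 64)
	*v = HexUint64(u)
	return err
}

// Event keeps the page's "System>..." tag paths: encoding/xml groups every System
// child under one <System> element and writes XMLName's namespace as xmlns.
type Event struct {
	XMLName     xml.Name    `xml:"http://schemas.microsoft.com/win/2004/08/events/event Event"`
	Provider    Provider    `xml:"System>Provider"`
	EventID     EventID     `xml:"System>EventID"`
	Keywords    HexUint64   `xml:"System>Keywords"`
	TimeCreated TimeCreated `xml:"System>TimeCreated"`
	Channel     string      `xml:"System>Channel"`
	Computer    string      `xml:"System>Computer"`
	Security    Security    `xml:"System>Security"`
	EventData   EventData   `xml:"EventData"`
}

// SampleEvent builds a record with event ID 4768 (the page's configuration example).
// Provider GUID, host, account and SID are constructed values, not generator output.
func SampleEvent(now time.Time) Event {
	return Event{
		Provider:    Provider{Name: "Microsoft-Windows-Security-Auditing", GUID: "{00000000-1111-2222-3333-444444444444}"},
		EventID:     EventID{ID: 4768},
		Keywords:    0x8020000000000000, // Audit Success
		TimeCreated: TimeCreated{SystemTime: now},
		Channel:     "Security",
		Computer:    "dc01.example.local",
		Security:    Security{UserID: "S-1-5-18"},
		EventData: EventData{Data: []KeyValue{
			{Key: "TargetUserName", Value: "alice"},
			{Key: "TargetDomainName", Value: "EXAMPLE"},
			{Key: "IpAddress", Value: "::ffff:10.0.0.25"},
		}},
	}
}

// MarshalEvent renders the record as indented Windows Event XML.
func MarshalEvent(e Event) (string, error) {
	out, err := xml.MarshalIndent(e, "", "  ")
	return string(out), err
}

// ParseEvent is the consumer side: xml.Unmarshal rejects a root element whose
// name or namespace differs from the one declared in XMLName.
func ParseEvent(data []byte) (Event, error) {
	var e Event
	err := xml.Unmarshal(data, &e)
	return e, err
}

func main() {
	out, err := MarshalEvent(SampleEvent(time.Now().UTC()))
	if err != nil {
		panic(err)
	}
	fmt.Println(out)
}
```

A pipeline test can feed the marshaled string through its own Windows-event parser and compare the decoded fields with the struct it started from; the namespace check is the first thing a strict consumer trips over when synthetic records are assembled by hand without the xmlns declaration.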
