windows

package

Constants

// Subscription start flags. They select where a newly opened subscription
// begins reading and carry the same names and values as the Win32
// EVT_SUBSCRIBE_FLAGS enumeration.
const (
	// EvtSubscribeToFutureEvents is a flag that will subscribe to only future events.
	EvtSubscribeToFutureEvents uint32 = 1
	// EvtSubscribeStartAtOldestRecord is a flag that will subscribe to all existing and future events.
	EvtSubscribeStartAtOldestRecord uint32 = 2
	// EvtSubscribeStartAfterBookmark is a flag that will subscribe to all events that begin after a bookmark.
	// This is the mode that lets a restarted reader resume without re-emitting or skipping records,
	// provided a valid bookmark is available (see Bookmark).
	EvtSubscribeStartAfterBookmark uint32 = 3
)
// Win32 system error codes, typed as syscall.Errno so they can be compared
// against the error returned by a SyscallProc.Call. Per the syscall.Proc.Call
// contract the returned error is always non-nil (it is GetLastError), which is
// why an explicit ErrorSuccess value is needed rather than an err != nil test.
const (
	// ErrorSuccess is an error code that indicates the operation completed successfully.
	ErrorSuccess syscall.Errno = 0
	// ErrorNotSupported is an error code that indicates the operation is not supported.
	ErrorNotSupported syscall.Errno = 50
	// ErrorInsufficientBuffer is an error code that indicates the data area passed to a system call is too small.
	// The usual response is to grow the Buffer (UpdateSizeBytes / UpdateSizeWide) and retry the call.
	ErrorInsufficientBuffer syscall.Errno = 122
	// ErrorNoMoreItems is an error code that indicates no more items are available.
	ErrorNoMoreItems syscall.Errno = 259
	// ErrorInvalidOperation is an error code that indicates the operation identifier is not valid.
	ErrorInvalidOperation syscall.Errno = 4317
)
// Render flags choosing what an EvtRender call produces. Both results are
// UTF-16 XML strings written into a Buffer.
const (
	// EvtRenderEventXML is a flag to render an event as an XML string.
	EvtRenderEventXML uint32 = 1
	// EvtRenderBookmark is a flag to render a bookmark as an XML string.
	EvtRenderBookmark uint32 = 2
)
// Format-message flags. Only the XML variant is used by this package; it
// yields the event with its RenderingInfo (message, level, task, opcode,
// keyword strings) resolved through a Publisher.
const (
	// EvtFormatMessageXML is flag that formats a message as an XML string that contains all event details and message strings.
	EvtFormatMessageXML uint32 = 9
)

Variables

This section is empty.

Functions

This section is empty.

Types

type Bookmark

// Bookmark wraps a Windows event log bookmark handle. Obtain one with
// NewBookmark, populate it with Open (from saved XML) or Update (from an
// Event), serialize it with Render, and release the handle with Close.
type Bookmark struct {
	// contains filtered or unexported fields
}

Bookmark is a windows event bookmark.

func NewBookmark

func NewBookmark() Bookmark

NewBookmark will create a new bookmark with an empty handle.

func (*Bookmark) Close

func (b *Bookmark) Close() error

Close will close the bookmark handle.

func (*Bookmark) Open

func (b *Bookmark) Open(offsetXML string) error

Open creates the bookmark handle from the supplied bookmark XML (typically a string previously produced by Render). The XML is parsed by the Windows event log API; a checkpoint restored from persistent storage that fails to open should be treated as an invalid checkpoint rather than silently reused.

func (*Bookmark) Render

func (b *Bookmark) Render(buffer Buffer) (string, error)

Render serializes the bookmark into its XML form using the supplied buffer; the returned string is the representation that can later be passed to Open.

func (*Bookmark) Update

func (b *Bookmark) Update(event Event) error

Update advances the bookmark to the position of the supplied event.

type Buffer

// Buffer is a reusable byte buffer holding UTF-16 data written by the Windows
// event log API. FirstByte exposes it to syscalls, the UpdateSize* methods
// resize it (e.g. after ErrorInsufficientBuffer), and the Read* methods
// convert its contents to UTF-8.
type Buffer struct {
	// contains filtered or unexported fields
}

Buffer is a reusable buffer of UTF-16 data as returned by the Windows event log API; its Read* methods convert that data to UTF-8.

func NewBuffer

func NewBuffer() Buffer

NewBuffer creates a new buffer with the default buffer size

func (*Buffer) FirstByte

func (b *Buffer) FirstByte() *byte

FirstByte returns a pointer to the first byte of the buffer, intended to be handed to a syscall that fills the buffer.

func (*Buffer) ReadBytes

func (b *Buffer) ReadBytes(offset uint32) ([]byte, error)

ReadBytes converts the first offset bytes of the UTF-16 buffer to UTF-8 and returns them. Despite its name, offset is a byte count, not a starting position.

func (*Buffer) ReadString

func (b *Buffer) ReadString(offset uint32) (string, error)

ReadString converts the buffer contents to a UTF-8 string, with offset bounding how much is read (whether it counts bytes or wide characters is not stated here; compare ReadBytes and ReadWideChars).

func (*Buffer) ReadWideChars

func (b *Buffer) ReadWideChars(offset uint32) ([]byte, error)

ReadWideChars converts the first offset wide characters (UTF-16 code units) of the buffer to UTF-8 and returns the bytes. As with ReadBytes, offset is a count, not a starting position.

func (*Buffer) SizeBytes

func (b *Buffer) SizeBytes() uint32

SizeBytes will return the size of the buffer as number of bytes.

func (*Buffer) SizeWide

func (b *Buffer) SizeWide() uint32

SizeWide returns the size of the buffer as number of wchars

func (*Buffer) UpdateSizeBytes

func (b *Buffer) UpdateSizeBytes(size uint32)

UpdateSizeBytes resizes the buffer so that it can hold size bytes.

func (*Buffer) UpdateSizeWide

func (b *Buffer) UpdateSizeWide(size uint32)

UpdateSizeWide resizes the buffer so that it can hold size wide characters.

type Config added in v0.53.0

// Config is the configuration of a windows event log operator, decoded from
// the operator's mapstructure configuration. The field names below are
// matched by inspection against the method parameters of this package; the
// exact wiring happens in Build and is not shown here.
type Config struct {
	helper.InputConfig `mapstructure:",squash"` // common input-operator settings, flattened into this struct
	Channel            string        `mapstructure:"channel"`                 // event log channel to subscribe to
	MaxReads           int           `mapstructure:"max_reads,omitempty"`     // presumably passed as maxReads to Subscription.Read — bound on events per read
	StartAt            string        `mapstructure:"start_at,omitempty"`      // presumably passed as startAt to Subscription.Open — where to begin with no bookmark
	PollInterval       time.Duration `mapstructure:"poll_interval,omitempty"` // delay between successive reads of the subscription
	Raw                bool          `mapstructure:"raw,omitempty"`           // when set, events are presumably emitted as EventRaw (original XML) instead of EventXML
}

Config is the configuration of a windows event log operator.

func NewConfig added in v0.53.0

func NewConfig() *Config

NewConfig will return an event log config with default values.

func NewConfigWithID added in v0.59.0

func NewConfigWithID(operatorID string) *Config

NewConfigWithID will return an event log config with default values and the supplied operator ID.

func (*Config) Build added in v0.53.0

func (c *Config) Build(logger *zap.SugaredLogger) (operator.Operator, error)

Build will build a windows event log operator.

type Event

// Event wraps a Windows event log event handle as returned by
// Subscription.Read. The Render* methods turn it into EventXML or EventRaw;
// Close releases the underlying handle.
type Event struct {
	// contains filtered or unexported fields
}

Event is an event stored in windows event log.

func NewEvent

func NewEvent(handle uintptr) Event

NewEvent will create a new event from an event handle.

func (*Event) Close

func (e *Event) Close() error

Close will close the event handle.

func (*Event) RenderFormatted

func (e *Event) RenderFormatted(buffer Buffer, publisher Publisher) (EventXML, error)

RenderFormatted renders the event as EventXML with the RenderingInfo strings (message, level, task, opcode, keywords) resolved through the supplied publisher.

func (*Event) RenderRaw added in v0.70.0

func (e *Event) RenderRaw(buffer Buffer) (EventRaw, error)

RenderRaw renders the event as EventRaw: the parsed TimeCreated and Level fields plus the event's original XML, which EventRaw carries as its message instead of a publisher-formatted message string.

func (*Event) RenderSimple

func (e *Event) RenderSimple(buffer Buffer) (EventXML, error)

RenderSimple renders the event as EventXML without resolving the RenderingInfo strings through a publisher, so the Rendered* fields of the result should not be relied upon.

type EventID

// EventID is the event identifier as found in the System>EventID element of
// the rendered XML: the numeric ID is the element text and Qualifiers is its
// attribute.
type EventID struct {
	Qualifiers uint16 `xml:"Qualifiers,attr"`
	ID         uint32 `xml:",chardata"`
}

EventID is the event identifier together with its Qualifiers attribute, as found in the System>EventID element of the rendered XML.

type EventRaw added in v0.70.0

// EventRaw is a minimally parsed view of an event. Only the creation time and
// the level (raw and rendered) are unmarshalled; the unexported remainder
// holds the event's original XML, which is used as the message.
type EventRaw struct {
	TimeCreated   TimeCreated `xml:"System>TimeCreated"`
	RenderedLevel string      `xml:"RenderingInfo>Level"`
	Level         string      `xml:"System>Level"`
	// contains filtered or unexported fields
}

EventRaw is a minimally parsed view of a rendered event: only the creation time and level are unmarshalled, and its message is the original XML of the entire event rather than a formatted message string.

type EventXML

// EventXML is the Go representation of an event rendered as XML. Fields are
// populated by unmarshalling the System, RenderingInfo and EventData sections
// of the rendered document; the Rendered* fields come from RenderingInfo and
// are only present when the event was rendered through a Publisher.
//
// NOTE(review): nothing in this type normalizes or escapes the values. Message
// and EventData are provider-supplied strings and should be treated as
// untrusted by anything that later interpolates them into queries, commands
// or markup.
type EventXML struct {
	EventID          EventID     `xml:"System>EventID"`
	Provider         Provider    `xml:"System>Provider"`
	Computer         string      `xml:"System>Computer"`
	Channel          string      `xml:"System>Channel"`
	RecordID         uint64      `xml:"System>EventRecordID"`
	TimeCreated      TimeCreated `xml:"System>TimeCreated"`
	Message          string      `xml:"RenderingInfo>Message"`
	RenderedLevel    string      `xml:"RenderingInfo>Level"`
	Level            string      `xml:"System>Level"`
	RenderedTask     string      `xml:"RenderingInfo>Task"`
	Task             string      `xml:"System>Task"`
	RenderedOpcode   string      `xml:"RenderingInfo>Opcode"`
	Opcode           string      `xml:"System>Opcode"`
	RenderedKeywords []string    `xml:"RenderingInfo>Keywords>Keyword"`
	Keywords         []string    `xml:"System>Keywords"`
	// EventData>Data elements are collected as a plain []string, i.e. only
	// their text content; any Name attribute on a Data element is dropped,
	// so values are positional.
	EventData        []string    `xml:"EventData>Data"`
}

EventXML is the Go representation of an event rendered as XML; its fields are populated by unmarshalling the System, RenderingInfo and EventData sections of the rendered document.

type Input added in v0.53.0

// Input is the operator that reads a Windows event log channel through a
// Subscription and emits each event as an entry. It embeds the common input
// operator behaviour from helper.InputOperator; Start and Stop control the
// read loop.
type Input struct {
	helper.InputOperator
	// contains filtered or unexported fields
}

Input is an operator that creates entries from events read through the Windows Event Log API.

func (*Input) Start added in v0.53.0

func (e *Input) Start(persister operator.Persister) error

Start opens the subscription and begins reading events; persister is presumably used to checkpoint the bookmark so a restart resumes where it left off.

func (*Input) Stop added in v0.53.0

func (e *Input) Stop() error

Stop will stop reading events from a subscription.

type Provider

// Provider is the event's source as described by the attributes of the
// System>Provider element. GUID is kept as the raw attribute string and is
// not validated or parsed here.
type Provider struct {
	Name            string `xml:"Name,attr"`
	GUID            string `xml:"Guid,attr"`
	EventSourceName string `xml:"EventSourceName,attr"`
}

Provider is the provider of the event.

type Publisher

// Publisher wraps a Windows publisher-metadata handle for one event provider.
// It is what RenderFormatted uses to resolve RenderingInfo strings. Obtain one
// with NewPublisher, Open it for a provider name, and Close it when done.
type Publisher struct {
	// contains filtered or unexported fields
}

Publisher is a windows event metadata publisher.

func NewPublisher

func NewPublisher() Publisher

NewPublisher will create a new publisher with an empty handle.

func (*Publisher) Close

func (p *Publisher) Close() error

Close will close the publisher handle.

func (*Publisher) Open

func (p *Publisher) Open(provider string) error

Open opens the publisher metadata handle for the named provider; this is the publisher that RenderFormatted uses to resolve message strings.

type Subscription

// Subscription wraps a Windows event log subscription handle for one channel.
// Obtain one with NewSubscription, Open it with a channel, start position and
// bookmark, pull events with Read, and release the handle with Close.
type Subscription struct {
	// contains filtered or unexported fields
}

Subscription is a subscription to a windows eventlog channel.

func NewSubscription

func NewSubscription() Subscription

NewSubscription will create a new subscription with an empty handle.

func (*Subscription) Close

func (s *Subscription) Close() error

Close will close the subscription.

func (*Subscription) Open

func (s *Subscription) Open(channel string, startAt string, bookmark Bookmark) error

Open opens the subscription to the named channel. startAt and bookmark determine where reading begins (see the EvtSubscribe* constants); when a usable bookmark is supplied, reading presumably resumes after it rather than from startAt.

func (*Subscription) Read

func (s *Subscription) Read(maxReads int) ([]Event, error)

Read fetches up to maxReads events from the subscription. Each returned Event wraps a handle; see (*Event).Close for releasing it.

type SyscallProc

// SyscallProc abstracts a Windows procedure call. Its Call method has the
// signature of (*syscall.Proc).Call / (*syscall.LazyProc).Call, returning the
// two raw result words and the GetLastError value as an error. Note that per
// that contract the error is always non-nil; compare it against the Error*
// constants (e.g. ErrorSuccess) rather than testing err != nil. Having this as
// an interface presumably allows the API wrappers to be tested with a stub.
type SyscallProc interface {
	Call(...uintptr) (uintptr, uintptr, error)
}

SyscallProc abstracts a Windows procedure call with the same Call signature as syscall.Proc; its error result follows that contract (always non-nil, compare against the Error* constants).

type TimeCreated

// TimeCreated holds the SystemTime attribute of the System>TimeCreated
// element. It is kept as the raw attribute string and is not parsed into a
// time.Time here.
type TimeCreated struct {
	SystemTime string `xml:"SystemTime,attr"`
}

TimeCreated is the creation time of the event.
