wineventlog

package
v1.3.1
Published: Sep 14, 2016 License: Apache-2.0 Imports: 2 Imported by: 0

Documentation

Overview

Package wineventlog provides access to the Windows Event Log API used in all versions of Windows since Vista (i.e. Windows 7+ and Windows Server 2008+). This is distinct from the Event Logging API that was used in Windows XP, Windows Server 2003, and Windows 2000.

Index

Constants

const (
	ERROR_INSUFFICIENT_BUFFER             syscall.Errno = 122
	ERROR_NO_MORE_ITEMS                   syscall.Errno = 259
	ERROR_NONE_MAPPED                     syscall.Errno = 1332
	ERROR_INVALID_OPERATION               syscall.Errno = 4317
	ERROR_EVT_MESSAGE_NOT_FOUND           syscall.Errno = 15027
	ERROR_EVT_MESSAGE_ID_NOT_FOUND        syscall.Errno = 15028
	ERROR_EVT_UNRESOLVED_VALUE_INSERT     syscall.Errno = 15029
	ERROR_EVT_UNRESOLVED_PARAMETER_INSERT syscall.Errno = 15030
)

Event log error codes. https://msdn.microsoft.com/en-us/library/windows/desktop/ms681382(v=vs.85).aspx

Variables

var (
	// ErrorEvtVarTypeNull is an error that means the content of the EVT_VARIANT
	// data is null.
	ErrorEvtVarTypeNull = errors.New("Null EVT_VARIANT data")
)

Functions

func Channels

func Channels() ([]string, error)

Channels returns a list of channels that are registered on the computer.

func Close

func Close(h EvtHandle) error

Close closes an EvtHandle.

func FormatEventString

func FormatEventString(
	messageFlag EvtFormatMessageFlag,
	eventHandle EvtHandle,
	publisher string,
	publisherHandle EvtHandle,
	lang uint32,
	buffer []byte,
) ([]string, error)

FormatEventString formats part of the event as a string. messageFlag determines which part of the event is formatted as a string. eventHandle is the handle to the event. publisher is the name of the event's publisher. publisherHandle is a handle to the publisher's metadata as provided by EvtOpenPublisherMetadata. lang is the language ID. buffer is optional; if it is not provided, one will be allocated. If the provided buffer is not large enough, an InsufficientBufferError is returned.

func IsAvailable

func IsAvailable() (bool, error)

IsAvailable returns true if the Windows Event Log API is supported by this operating system. If not supported then false is returned with the accompanying error.

func StringFromGUID

func StringFromGUID(guid *syscall.GUID) (string, error)

StringFromGUID returns a displayable GUID string from the GUID struct.

Types

type Event

type Event struct {
	// System context properties.
	ProviderName      string            `json:",omitempty"`
	ProviderGUID      string            `json:",omitempty"`
	EventID           uint16            `json:",omitempty"`
	Qualifiers        uint16            `json:",omitempty"`
	TimeCreated       *time.Time        `json:",omitempty"`
	RecordID          uint64            `json:",omitempty"`
	ActivityID        string            `json:",omitempty"`
	RelatedActivityID string            `json:",omitempty"`
	ProcessID         uint32            `json:",omitempty"`
	ThreadID          uint32            `json:",omitempty"`
	Channel           string            `json:",omitempty"`
	Computer          string            `json:",omitempty"`
	UserSID           *eventlogging.SID `json:",omitempty"`
	Version           uint8             `json:",omitempty"`

	Message    string `json:",omitempty"`
	MessageErr error

	Level    string `json:",omitempty"`
	LevelErr error

	Task    string `json:",omitempty"`
	TaskErr error

	Opcode    string `json:",omitempty"`
	OpcodeErr error

	Keywords      []string `json:",omitempty"`
	KeywordsError error
}

Event holds the data from a log record.

func RenderEvent

func RenderEvent(
	eventHandle EvtHandle,
	systemContext EvtHandle,
	lang uint32,
	renderBuf []byte,
	pubHandleProvider func(string) uintptr,
) (Event, error)

RenderEvent reads the event data associated with the EvtHandle and renders the data so that it can be used.

type EvtFormatMessageFlag

type EvtFormatMessageFlag uint32

EvtFormatMessageFlag defines the values that specify the message string from the event to format.

const (
	// Format the event's message string.
	EvtFormatMessageEvent EvtFormatMessageFlag = iota + 1
	// Format the message string of the level specified in the event.
	EvtFormatMessageLevel
	// Format the message string of the task specified in the event.
	EvtFormatMessageTask
	// Format the message string of the opcode specified in the event.
	EvtFormatMessageOpcode
	// Format the message string of the keywords specified in the event. If the
	// event specifies multiple keywords, the formatted string is a list of
	// null-terminated strings. Increment through the strings until your pointer
	// points past the end of the used buffer.
	EvtFormatMessageKeyword
	// Format the message string of the channel specified in the event.
	EvtFormatMessageChannel
	// Format the provider's message string.
	EvtFormatMessageProvider
	// Format the message string associated with a resource identifier. The
	// provider's metadata contains the resource identifiers; the message
	// compiler assigns a resource identifier to each string when it compiles
	// the manifest.
	EvtFormatMessageId
	// Format all the message strings in the event. The formatted message is an
	// XML string that contains the event details and the message strings.
	EvtFormatMessageXml
)

EVT_FORMAT_MESSAGE_FLAGS enumeration https://msdn.microsoft.com/en-us/library/windows/desktop/aa385525(v=vs.85).aspx
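The EvtFormatMessageKeyword comment above describes the buffer layout the API hands back for keywords: a run of null-terminated UTF-16 strings that must be walked until the pointer passes the end of the used buffer, not the end of the allocation. The following is an added example, not code from the wineventlog package, showing how to decode that layout safely in Go. The function names decodeMultiString and encodeMultiString are assumptions made here for illustration, and the sample buffer is constructed inline; the reused-buffer case matters because FormatEventString accepts a caller-supplied buffer that may still hold bytes from an earlier call past the used size.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"unicode/utf16"
)

// decodeMultiString decodes a buffer of UTF-16LE, null-terminated strings
// (the layout described for EvtFormatMessageKeyword) into a Go slice.
// Decoding stops at usedBytes, the size the API reports as used, so stale
// bytes left in a reused buffer beyond that point are never interpreted.
// Hypothetical helper written for this example.
func decodeMultiString(buf []byte, usedBytes int) ([]string, error) {
	if usedBytes > len(buf) {
		return nil, fmt.Errorf("used size %d exceeds buffer length %d", usedBytes, len(buf))
	}
	if usedBytes%2 != 0 {
		return nil, fmt.Errorf("used size %d is not a whole number of UTF-16 code units", usedBytes)
	}
	var out []string
	var cur []uint16
	for i := 0; i+1 < usedBytes; i += 2 {
		u := binary.LittleEndian.Uint16(buf[i:])
		if u == 0 {
			// A terminator ends the current string; an empty string (a double
			// null) marks the end of the list.
			if len(cur) == 0 {
				break
			}
			out = append(out, string(utf16.Decode(cur)))
			cur = cur[:0]
			continue
		}
		cur = append(cur, u)
	}
	if len(cur) > 0 {
		// Unterminated trailing string: keep it rather than silently drop data.
		out = append(out, string(utf16.Decode(cur)))
	}
	return out, nil
}

// encodeMultiString builds a buffer in the same layout. It exists only to
// construct offline sample input for this example; the real API produces the
// buffer itself.
func encodeMultiString(strs []string) []byte {
	var buf []byte
	var tmp [2]byte
	for _, s := range strs {
		for _, u := range utf16.Encode([]rune(s)) {
			binary.LittleEndian.PutUint16(tmp[:], u)
			buf = append(buf, tmp[:]...)
		}
		binary.LittleEndian.PutUint16(tmp[:], 0)
		buf = append(buf, tmp[:]...)
	}
	return buf
}

func main() {
	// Constructed sample: two keywords as the API would lay them out, copied
	// into a larger, reused buffer that still holds leftovers from an earlier
	// call past the used size.
	used := encodeMultiString([]string{"Audit Success", "Logon"})
	buf := make([]byte, 256)
	copy(buf, used)
	copy(buf[len(used):], []byte("stale data from an earlier call"))

	keywords, err := decodeMultiString(buf, len(used))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%q\n", keywords) // ["Audit Success" "Logon"]
}
```

Bounding the walk by the used size rather than by the first double null is the point: a reused buffer can contain old, non-zero code units after the returned strings, and a decoder that scans to the end of the allocation would report phantom keywords or read past what the API actually wrote.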

type EvtHandle

type EvtHandle uintptr

EvtHandle is a handle to the event log.

func CreateBookmark

func CreateBookmark(channel string, recordID uint64) (EvtHandle, error)

CreateBookmark creates a new handle to a bookmark. Close must be called on the returned EvtHandle when finished with the handle.

func EventHandles

func EventHandles(subscription EvtHandle, maxHandles int) ([]EvtHandle, error)

EventHandles reads the event handles from a subscription. It attempts to read at most maxHandles. ErrorNoMoreHandles is returned when there are no more handles available to return. Close must be called on each returned EvtHandle when finished with the handle.

func OpenPublisherMetadata

func OpenPublisherMetadata(
	session EvtHandle,
	publisherName string,
	lang uint32,
) (EvtHandle, error)

OpenPublisherMetadata opens a handle to the publisher's metadata. Close must be called on the returned EvtHandle when finished with the handle.

func Subscribe

func Subscribe(
	session EvtHandle,
	event windows.Handle,
	channelPath string,
	query string,
	bookmark EvtHandle,
	flags EvtSubscribeFlag,
) (EvtHandle, error)

Subscribe creates a new subscription to an event log channel.

type EvtRenderContextFlag

type EvtRenderContextFlag uint32

EvtRenderContextFlag defines the values that specify the type of information to access from the event.

const (
	// Render specific properties from the event.
	EvtRenderContextValues EvtRenderContextFlag = iota
	// Render the system properties under the System element.
	EvtRenderContextSystem
	// Render all user-defined properties under the UserData or EventData element.
	EvtRenderContextUser
)

EVT_RENDER_CONTEXT_FLAGS enumeration https://msdn.microsoft.com/en-us/library/windows/desktop/aa385561(v=vs.85).aspx

type EvtRenderFlag

type EvtRenderFlag uint32

EvtRenderFlag defines the values that specify what to render.

const (
	// Render the event properties specified in the rendering context.
	EvtRenderEventValues EvtRenderFlag = iota
	// Render the event as an XML string. For details on the contents of the
	// XML string, see the Event schema.
	EvtRenderEventXml
	// Render the bookmark as an XML string, so that you can easily persist the
	// bookmark for use later.
	EvtRenderBookmark
)

EVT_RENDER_FLAGS enumeration https://msdn.microsoft.com/en-us/library/windows/desktop/aa385563(v=vs.85).aspx

type EvtSubscribeFlag

type EvtSubscribeFlag uint32

EvtSubscribeFlag defines the possible values that specify when to start subscribing to events.

const (
	EvtSubscribeToFutureEvents      EvtSubscribeFlag = 1
	EvtSubscribeStartAtOldestRecord EvtSubscribeFlag = 2
	EvtSubscribeStartAfterBookmark  EvtSubscribeFlag = 3
	EvtSubscribeOriginMask          EvtSubscribeFlag = 0x3
	EvtSubscribeTolerateQueryErrors EvtSubscribeFlag = 0x1000
	EvtSubscribeStrict              EvtSubscribeFlag = 0x10000
)

EVT_SUBSCRIBE_FLAGS enumeration https://msdn.microsoft.com/en-us/library/windows/desktop/aa385588(v=vs.85).aspx

type EvtSystemPropertyID

type EvtSystemPropertyID uint32

EvtSystemPropertyID defines the identifiers that identify the system-specific properties of an event.

const (
	// Identifies the Name attribute of the provider element.
	// The variant type for this property is EvtVarTypeString.
	EvtSystemProviderName EvtSystemPropertyID = iota
	// Identifies the Guid attribute of the provider element.
	// The variant type for this property is EvtVarTypeGuid.
	EvtSystemProviderGuid
	// Identifies the EventID element.
	// The variant type for this property is EvtVarTypeUInt16.
	EvtSystemEventID
	// Identifies the Qualifiers attribute of the EventID element.
	// The variant type for this property is EvtVarTypeUInt16.
	EvtSystemQualifiers
	// Identifies the Level element.
	// The variant type for this property is EvtVarTypeUInt8.
	EvtSystemLevel
	// Identifies the Task element.
	// The variant type for this property is EvtVarTypeUInt16.
	EvtSystemTask
	// Identifies the Opcode element.
	// The variant type for this property is EvtVarTypeUInt8.
	EvtSystemOpcode
	// Identifies the Keywords element.
	// The variant type for this property is EvtVarTypeInt64.
	EvtSystemKeywords
	// Identifies the SystemTime attribute of the TimeCreated element.
	// The variant type for this property is EvtVarTypeFileTime.
	EvtSystemTimeCreated
	// Identifies the EventRecordID element.
	// The variant type for this property is EvtVarTypeUInt64.
	EvtSystemEventRecordId
	// Identifies the ActivityID attribute of the Correlation element.
	// The variant type for this property is EvtVarTypeGuid.
	EvtSystemActivityID
	// Identifies the RelatedActivityID attribute of the Correlation element.
	// The variant type for this property is EvtVarTypeGuid.
	EvtSystemRelatedActivityID
	// Identifies the ProcessID attribute of the Execution element.
	// The variant type for this property is EvtVarTypeUInt32.
	EvtSystemProcessID
	// Identifies the ThreadID attribute of the Execution element.
	// The variant type for this property is EvtVarTypeUInt32.
	EvtSystemThreadID
	// Identifies the Channel element.
	// The variant type for this property is EvtVarTypeString.
	EvtSystemChannel
	// Identifies the Computer element.
	// The variant type for this property is EvtVarTypeString.
	EvtSystemComputer
	// Identifies the UserID element.
	// The variant type for this property is EvtVarTypeSid.
	EvtSystemUserID
	// Identifies the Version element.
	// The variant type for this property is EvtVarTypeUInt8.
	EvtSystemVersion
	// This enumeration value marks the end of the enumeration values.
	EvtSystemPropertyIdEND
)

EVT_SYSTEM_PROPERTY_ID enumeration https://msdn.microsoft.com/en-us/library/windows/desktop/aa385606(v=vs.85).aspx

func (EvtSystemPropertyID) String

func (e EvtSystemPropertyID) String() string
