wineventlog

package
v6.0.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Nov 7, 2017 License: Apache-2.0 Imports: 8 Imported by: 0

Documentation

Overview

Package wineventlog provides access to the Windows Event Log API used in all versions of Windows since Vista (i.e. Windows 7+ and Windows Server 2008+). This is distinct from the Event Logging API that was used in Windows XP, Windows Server 2003, and Windows 2000.

Index

Examples

Constants

View Source 
const (
	ERROR_INSUFFICIENT_BUFFER             syscall.Errno = 122
	ERROR_NO_MORE_ITEMS                   syscall.Errno = 259
	ERROR_NONE_MAPPED                     syscall.Errno = 1332
	RPC_S_INVALID_BOUND                   syscall.Errno = 1734
	ERROR_INVALID_OPERATION               syscall.Errno = 4317
	ERROR_EVT_MESSAGE_NOT_FOUND           syscall.Errno = 15027
	ERROR_EVT_MESSAGE_ID_NOT_FOUND        syscall.Errno = 15028
	ERROR_EVT_UNRESOLVED_VALUE_INSERT     syscall.Errno = 15029
	ERROR_EVT_UNRESOLVED_PARAMETER_INSERT syscall.Errno = 15030
)

Event log error codes. https://msdn.microsoft.com/en-us/library/windows/desktop/ms681382(v=vs.85).aspx

Variables

View Source 
var (
	// ErrorEvtVarTypeNull is an error that means the content of the EVT_VARIANT
	// data is null.
	ErrorEvtVarTypeNull = errors.New("Null EVT_VARIANT data")
)

Errors

View Source 
var EventLevelToString = map[EventLevel]string{
	EVENTLOG_LOGALWAYS_LEVEL:   "Information",
	EVENTLOG_INFORMATION_LEVEL: "Information",
	EVENTLOG_CRITICAL_LEVEL:    "Critical",
	EVENTLOG_ERROR_LEVEL:       "Error",
	EVENTLOG_WARNING_LEVEL:     "Warning",
	EVENTLOG_VERBOSE_LEVEL:     "Verbose",
}

Mapping of event levels to their string representations.

Functions

func Channels 

func Channels() ([]string, error)

Channels returns a list of channels that are registered on the computer.

func Close 

func Close(h EvtHandle) error

Close closes an EvtHandle.

func FormatEventString 

func FormatEventString(
	messageFlag EvtFormatMessageFlag,
	eventHandle EvtHandle,
	publisher string,
	publisherHandle EvtHandle,
	lang uint32,
	buffer []byte,
	out io.Writer,
) error

FormatEventString formats part of the event as a string. messageFlag determines what part of the event is formatted as as string. eventHandle is the handle to the event. publisher is the name of the event's publisher. publisherHandle is a handle to the publisher's metadata as provided by EvtOpenPublisherMetadata. lang is the language ID. buffer is optional and if not provided it will be allocated. If the provided buffer is not large enough then an InsufficientBufferError will be returned.

func IsAvailable 

func IsAvailable() (bool, error)

IsAvailable returns true if the Windows Event Log API is supported by this operating system. If not supported then false is returned with the accompanying error.

func RenderEvent 

func RenderEvent(
	eventHandle EvtHandle,
	lang uint32,
	renderBuf []byte,
	pubHandleProvider func(string) sys.MessageFiles,
	out io.Writer,
) error

RenderEvent reads the event data associated with the EvtHandle and renders the data as XML. An error and XML can be returned by this method if an error occurs while rendering the XML with RenderingInfo and the method is able to recover by rendering the XML without RenderingInfo.

func RenderEventXML 

func RenderEventXML(eventHandle EvtHandle, renderBuf []byte, out io.Writer) error

RenderEventXML renders the event as XML. If the event is already rendered, as in a forwarded event whose content type is "RenderedText", then the XML will include the RenderingInfo (message). If the event is not rendered then the XML will not include the message, and in this case RenderEvent should be used.

Types

type EventLevel 

type EventLevel uint16

EventLevel identifies the six levels of events that can be logged 

const (
	// Do not reorder.
	EVENTLOG_LOGALWAYS_LEVEL EventLevel = iota
	EVENTLOG_CRITICAL_LEVEL
	EVENTLOG_ERROR_LEVEL
	EVENTLOG_WARNING_LEVEL
	EVENTLOG_INFORMATION_LEVEL
	EVENTLOG_VERBOSE_LEVEL
)

EventLevel values.

func (EventLevel) String 

func (et EventLevel) String() string

String returns string representation of EventLevel.

type EvtFormatMessageFlag 

type EvtFormatMessageFlag uint32

EvtFormatMessageFlag defines the values that specify the message string from the event to format. 

const (
	// Format the event's message string.
	EvtFormatMessageEvent EvtFormatMessageFlag = iota + 1
	// Format the message string of the level specified in the event.
	EvtFormatMessageLevel
	// Format the message string of the task specified in the event.
	EvtFormatMessageTask
	// Format the message string of the task specified in the event.
	EvtFormatMessageOpcode
	// Format the message string of the keywords specified in the event. If the
	// event specifies multiple keywords, the formatted string is a list of
	// null-terminated strings. Increment through the strings until your pointer
	// points past the end of the used buffer.
	EvtFormatMessageKeyword
	// Format the message string of the channel specified in the event.
	EvtFormatMessageChannel
	// Format the provider's message string.
	EvtFormatMessageProvider
	// Format the message string associated with a resource identifier. The
	// provider's metadata contains the resource identifiers; the message
	// compiler assigns a resource identifier to each string when it compiles
	// the manifest.
	EvtFormatMessageId
	// Format all the message strings in the event. The formatted message is an
	// XML string that contains the event details and the message strings.
	EvtFormatMessageXml
)

EVT_FORMAT_MESSAGE_FLAGS enumeration https://msdn.microsoft.com/en-us/library/windows/desktop/aa385525(v=vs.85).aspx

type EvtHandle 

type EvtHandle uintptr

EvtHandle is a handle to the event log.

func CreateBookmark 

func CreateBookmark(channel string, recordID uint64) (EvtHandle, error)

CreateBookmark creates a new handle to a bookmark. Close must be called on returned EvtHandle when finished with the handle.

func CreateRenderContext 

func CreateRenderContext(valuePaths []string, flag EvtRenderContextFlag) (EvtHandle, error)

CreateRenderContext creates a render context. Close must be called on returned EvtHandle when finished with the handle.

func EventHandles 

func EventHandles(subscription EvtHandle, maxHandles int) ([]EvtHandle, error)

EventHandles reads the event handles from a subscription. It attempt to read at most maxHandles. ErrorNoMoreHandles is returned when there are no more handles available to return. Close must be called on each returned EvtHandle when finished with the handle.

func OpenPublisherMetadata 

func OpenPublisherMetadata(
	session EvtHandle,
	publisherName string,
	lang uint32,
) (EvtHandle, error)

OpenPublisherMetadata opens a handle to the publisher's metadata. Close must be called on returned EvtHandle when finished with the handle.

func Subscribe 

func Subscribe(
	session EvtHandle,
	event windows.Handle,
	channelPath string,
	query string,
	bookmark EvtHandle,
	flags EvtSubscribeFlag,
) (EvtHandle, error)

Subscribe creates a new subscription to an event log channel.

type EvtRenderContextFlag 

type EvtRenderContextFlag uint32

EvtRenderContextFlag defines the values that specify the type of information to access from the event. 

const (
	// Render specific properties from the event.
	EvtRenderContextValues EvtRenderContextFlag = iota
	// Render the system properties under the System element.
	EvtRenderContextSystem
	// Render all user-defined properties under the UserData or EventData element.
	EvtRenderContextUser
)

EVT_RENDER_CONTEXT_FLAGS enumeration https://msdn.microsoft.com/en-us/library/windows/desktop/aa385561(v=vs.85).aspx

type EvtRenderFlag 

type EvtRenderFlag uint32

EvtRenderFlag defines the values that specify what to render. 

const (
	// Render the event properties specified in the rendering context.
	EvtRenderEventValues EvtRenderFlag = iota
	// Render the event as an XML string. For details on the contents of the
	// XML string, see the Event schema.
	EvtRenderEventXml
	// Render the bookmark as an XML string, so that you can easily persist the
	// bookmark for use later.
	EvtRenderBookmark
)

EVT_RENDER_FLAGS enumeration https://msdn.microsoft.com/en-us/library/windows/desktop/aa385563(v=vs.85).aspx

type EvtSubscribeFlag 

type EvtSubscribeFlag uint32

EvtSubscribeFlag defines the possible values that specify when to start subscribing to events. 

const (
	EvtSubscribeToFutureEvents      EvtSubscribeFlag = 1
	EvtSubscribeStartAtOldestRecord EvtSubscribeFlag = 2
	EvtSubscribeStartAfterBookmark  EvtSubscribeFlag = 3
	EvtSubscribeOriginMask          EvtSubscribeFlag = 0x3
	EvtSubscribeTolerateQueryErrors EvtSubscribeFlag = 0x1000
	EvtSubscribeStrict              EvtSubscribeFlag = 0x10000
)

EVT_SUBSCRIBE_FLAGS enumeration https://msdn.microsoft.com/en-us/library/windows/desktop/aa385588(v=vs.85).aspx

type EvtSystemPropertyID 

type EvtSystemPropertyID uint32

EvtSystemPropertyID defines the identifiers that identify the system-specific properties of an event. 

const (
	// Identifies the Name attribute of the provider element.
	// The variant type for this property is EvtVarTypeString.
	EvtSystemProviderName EvtSystemPropertyID = iota
	// Identifies the Guid attribute of the provider element.
	// The variant type for this property is EvtVarTypeGuid.
	EvtSystemProviderGuid
	// Identifies the EventID element.
	// The variant type for this property is EvtVarTypeUInt16.
	EvtSystemEventID
	// Identifies the Qualifiers attribute of the EventID element.
	// The variant type for this property is EvtVarTypeUInt16.
	EvtSystemQualifiers
	// Identifies the Level element.
	// The variant type for this property is EvtVarTypeUInt8.
	EvtSystemLevel
	// Identifies the Task element.
	// The variant type for this property is EvtVarTypeUInt16.
	EvtSystemTask
	// Identifies the Opcode element.
	// The variant type for this property is EvtVarTypeUInt8.
	EvtSystemOpcode
	// Identifies the Keywords element.
	// The variant type for this property is EvtVarTypeInt64.
	EvtSystemKeywords
	// Identifies the SystemTime attribute of the TimeCreated element.
	// The variant type for this property is EvtVarTypeFileTime.
	EvtSystemTimeCreated
	// Identifies the EventRecordID element.
	// The variant type for this property is EvtVarTypeUInt64.
	EvtSystemEventRecordId
	// Identifies the ActivityID attribute of the Correlation element.
	// The variant type for this property is EvtVarTypeGuid.
	EvtSystemActivityID
	// Identifies the RelatedActivityID attribute of the Correlation element.
	// The variant type for this property is EvtVarTypeGuid.
	EvtSystemRelatedActivityID
	// Identifies the ProcessID attribute of the Execution element.
	// The variant type for this property is EvtVarTypeUInt32.
	EvtSystemProcessID
	// Identifies the ThreadID attribute of the Execution element.
	// The variant type for this property is EvtVarTypeUInt32.
	EvtSystemThreadID
	// Identifies the Channel element.
	// The variant type for this property is EvtVarTypeString.
	EvtSystemChannel
	// Identifies the Computer element.
	// The variant type for this property is EvtVarTypeString.
	EvtSystemComputer
	// Identifies the UserID element.
	// The variant type for this property is EvtVarTypeSid.
	EvtSystemUserID
	// Identifies the Version element.
	// The variant type for this property is EvtVarTypeUInt8.
	EvtSystemVersion
	// This enumeration value marks the end of the enumeration values.
	EvtSystemPropertyIdEND
)

EVT_SYSTEM_PROPERTY_ID enumeration https://msdn.microsoft.com/en-us/library/windows/desktop/aa385606(v=vs.85).aspx

func (EvtSystemPropertyID) String 

func (e EvtSystemPropertyID) String() string

type Query 

type Query struct {
	// Name of the channel or the path to the log file that contains the events
	// to query.
	Log string

	IgnoreOlder time.Duration // Ignore records older than this time period.

	// Whitelist and blacklist of event IDs. The value is a comma-separated
	// list. The accepted values are single event IDs to include (e.g. 4634), a
	// range of event IDs to include (e.g. 4400-4500), and single event IDs to
	// exclude (e.g. -4410).
	EventID string

	// Level or levels to include. The value is a comma-separated list of levels
	// to include. The accepted levels are verbose (5), information (4),
	// warning (3), error (2), and critical (1).
	Level string

	// Providers (sources) to include records from.
	Provider []string
}

Query that identifies the source of the events and one or more selectors or suppressors.

Example 
q, _ := Query{Log: "System", EventID: "10, 200-500, -311", Level: "info"}.Build()
fmt.Println(q)

Output:

<QueryList>
  <Query Id="0">
    <Select Path="System">*[System[(EventID=10 or (EventID &gt;= 200 and EventID &lt;= 500)) and (Level = 0 or Level = 4)]]</Select>
    <Suppress Path="System">*[System[(EventID=311)]]</Suppress>
  </Query>
</QueryList>

func (Query) Build 

func (q Query) Build() (string, error)

Build builds a query from the given parameters. The query is returned as a XML string and can be used with Subscribe function.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.