Documentation ¶
Overview ¶
Package sys provides common data structures and utility functions that are used by the subpackages for interfacing with the system-level APIs to collect event log records from Windows.
Index ¶
- Variables
- func PopulateAccount(sid *SID) error
- func RemoveWindowsLineEndings(s string) string
- func UTF16BytesToString(b []byte) (string, int, error)
- func UTF16ToUTF8Bytes(in []byte, out io.Writer) error
- type ByteBuffer
- type Correlation
- type Event
- type EventData
- type EventIdentifier
- type Execution
- type FileHandle
- type InsufficientBufferError
- type KeyValue
- type MessageFiles
- type Provider
- type SID
- type SIDType
- type TimeCreated
- type UserData
Constants ¶
This section is empty.
Variables ¶
var ErrBufferTooSmall = errors.New("buffer too small")
Functions ¶
func PopulateAccount ¶
func PopulateAccount(sid *SID) error
PopulateAccount looks up the account name and type associated with a SID. The account name, domain, and type are added to the given sid.
func RemoveWindowsLineEndings ¶
func RemoveWindowsLineEndings(s string) string
RemoveWindowsLineEndings replaces carriage return line feed (CRLF) with line feed (LF) and trims any newline character that may exist at the end of the string.
func UTF16BytesToString ¶
func UTF16BytesToString(b []byte) (string, int, error)
UTF16BytesToString returns a string that is decoded from the UTF-16 bytes. The byte slice must be of even length, otherwise an error is returned. The integer returned is the offset to the start of the next string within the buffer if one exists; otherwise -1 is returned.
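The decode rule described above (little-endian UTF-16 as Windows APIs return it, stop at the first NUL, report where the next string starts or -1) is small enough to show in full. The block below is an added example written for this page, not the package's own UTF16BytesToString; the names decodeUTF16 and decodeUTF16Multi and the sample bytes are this example's. It goes one step further than the single-string function and walks a buffer of several NUL-terminated strings using the returned offset, the layout REG_MULTI_SZ values and similar API results use.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"unicode/utf16"
)

// errOddLength is returned when the slice cannot hold whole UTF-16 code units.
var errOddLength = errors.New("utf16: byte slice must have an even length")

// decodeUTF16 decodes little-endian UTF-16 bytes up to the first NUL code
// unit, or to the end of b if there is none. The second result is the byte
// offset of the string that follows the terminator, or -1 when no further
// string exists in b. Unpaired surrogates are replaced with U+FFFD by
// utf16.Decode, so the result is always valid UTF-8 and safe to emit as JSON.
func decodeUTF16(b []byte) (string, int, error) {
	if len(b)%2 != 0 {
		return "", 0, fmt.Errorf("%w (length=%d)", errOddLength, len(b))
	}
	units := make([]uint16, 0, len(b)/2)
	next := -1
	for i := 0; i < len(b); i += 2 {
		u := binary.LittleEndian.Uint16(b[i:])
		if u == 0 {
			if i+2 < len(b) { // more bytes follow the terminator
				next = i + 2
			}
			break
		}
		units = append(units, u)
	}
	return string(utf16.Decode(units)), next, nil
}

// decodeUTF16Multi walks a buffer holding several NUL-terminated strings
// (the REG_MULTI_SZ layout, ended by an empty string, i.e. a double NUL)
// using the offset returned by decodeUTF16.
func decodeUTF16Multi(b []byte) ([]string, error) {
	var out []string
	for len(b) > 0 {
		s, next, err := decodeUTF16(b)
		if err != nil {
			return nil, err
		}
		if s == "" { // double NUL: end of the list
			break
		}
		out = append(out, s)
		if next < 0 {
			break
		}
		b = b[next:]
	}
	return out, nil
}

func main() {
	// Constructed input: "Hi", NUL, U+1F600 as a surrogate pair, NUL, double NUL.
	buf := []byte{0x48, 0x00, 0x69, 0x00, 0x00, 0x00, 0x3D, 0xD8, 0x00, 0xDE, 0x00, 0x00, 0x00, 0x00}
	strs, err := decodeUTF16Multi(buf)
	fmt.Println(strs, err) // [Hi 😀] <nil>
	_, _, err = decodeUTF16(buf[:3])
	fmt.Println(err) // utf16: byte slice must have an even length (length=3)
}
```

A string with no terminator at all is decoded whole with offset -1, matching the documented contract; the U+FFFD substitution matters in practice because event text is attacker-influenced (command lines, user names) and a half surrogate that survives into a JSON document can break downstream parsers.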
Types ¶
type ByteBuffer ¶
type ByteBuffer struct {
// contains filtered or unexported fields
}
ByteBuffer is an expandable buffer backed by a byte slice.
func NewByteBuffer ¶
func NewByteBuffer(initialSize int) *ByteBuffer
NewByteBuffer creates a new ByteBuffer with an initial capacity of initialSize.
func (*ByteBuffer) Bytes ¶
func (b *ByteBuffer) Bytes() []byte
Bytes returns a slice of length b.Len() holding the bytes that have been written to the buffer.
func (*ByteBuffer) Len ¶
func (b *ByteBuffer) Len() int
Len returns the number of bytes that have been written to the buffer.
func (*ByteBuffer) Reset ¶
func (b *ByteBuffer) Reset()
Reset resets the buffer to be empty. It retains the same underlying storage.
type Correlation ¶
type Correlation struct {
	ActivityID        string `xml:"ActivityID,attr"`
	RelatedActivityID string `xml:"RelatedActivityID,attr"`
}
Correlation contains activity identifiers that consumers can use to group related events together.
type Event ¶
type Event struct {
	// System
	Provider        Provider        `xml:"System>Provider"`
	EventIdentifier EventIdentifier `xml:"System>EventID"`
	Version         uint8           `xml:"System>Version"`
	LevelRaw        uint8           `xml:"System>Level"`
	TaskRaw         uint16          `xml:"System>Task"`
	OpcodeRaw       uint8           `xml:"System>Opcode"`
	TimeCreated     TimeCreated     `xml:"System>TimeCreated"`
	RecordID        uint64          `xml:"System>EventRecordID"`
	Correlation     Correlation     `xml:"System>Correlation"`
	Execution       Execution       `xml:"System>Execution"`
	Channel         string          `xml:"System>Channel"`
	Computer        string          `xml:"System>Computer"`
	User            SID             `xml:"System>Security"`

	EventData EventData `xml:"EventData"`
	UserData  UserData  `xml:"UserData"`

	// RenderingInfo
	Message  string   `xml:"RenderingInfo>Message"`
	Level    string   `xml:"RenderingInfo>Level"`
	Task     string   `xml:"RenderingInfo>Task"`
	Opcode   string   `xml:"RenderingInfo>Opcode"`
	Keywords []string `xml:"RenderingInfo>Keywords>Keyword"`

	// ProcessingErrorData
	RenderErrorCode         uint32 `xml:"ProcessingErrorData>ErrorCode"`
	RenderErrorDataItemName string `xml:"ProcessingErrorData>DataItemName"`
	RenderErr               string
}
Event holds the data from a log record.
func UnmarshalEventXML ¶
UnmarshalEventXML unmarshals the given XML into a new Event.
type EventData ¶
type EventData struct {
Pairs []KeyValue `xml:",any"`
}
EventData contains the event data. The EventData section is used if the message provider template does not contain a UserData section.
type EventIdentifier ¶
type EventIdentifier struct {
	Qualifiers uint16 `xml:"Qualifiers,attr"`
	ID         uint32 `xml:",chardata"`
}
EventIdentifier is the identifier that the provider uses to identify a specific event type.
type Execution ¶
type Execution struct {
	ProcessID uint32 `xml:"ProcessID,attr"`
	ThreadID  uint32 `xml:"ThreadID,attr"`

	// Only available for events logged to an event tracing log file (.etl file).
	ProcessorID   uint32 `xml:"ProcessorID,attr"`
	SessionID     uint32 `xml:"SessionID,attr"`
	KernelTime    uint32 `xml:"KernelTime,attr"`
	UserTime      uint32 `xml:"UserTime,attr"`
	ProcessorTime uint32 `xml:"ProcessorTime,attr"`
}
Execution contains information about the process and thread that logged the event.
type FileHandle ¶
type FileHandle struct {
	File   string  // Fully-qualified path to the event message file.
	Handle uintptr // Handle to the loaded event message file.
	Err    error   // Error that occurred while loading Handle.
}
FileHandle contains the handle to a single Windows message file.
type InsufficientBufferError ¶
type InsufficientBufferError struct {
	Cause        error
	RequiredSize int // Size of the buffer that is required.
}
InsufficientBufferError indicates the buffer passed to a system call is too small.
func (InsufficientBufferError) Error ¶
func (e InsufficientBufferError) Error() string
Error returns the cause of the insufficient buffer error.
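ByteBuffer (above) and InsufficientBufferError exist for one pattern: hand a Windows API a buffer, let it fail with "buffer too small" feedback that carries the required size, grow to that size, retry, and keep the storage across records so a busy channel does not allocate per event. The block below is an added example, not the package's implementation: the lowercase types, fillWithRetry, copyRenderer and the payloads are this example's own. A fake renderer stands in for the system call, and the retry is capped so a callee that keeps asking for more cannot drive the buffer size unbounded.

```go
package main

import (
	"errors"
	"fmt"
)

// errBufferTooSmall plays the role of ErrBufferTooSmall on this page.
var errBufferTooSmall = errors.New("buffer too small")

// insufficientBufferError carries the cause and the size the callee reported.
type insufficientBufferError struct {
	Cause        error
	RequiredSize int
}

func (e insufficientBufferError) Error() string {
	return fmt.Sprintf("%v: required size %d", e.Cause, e.RequiredSize)
}

func (e insufficientBufferError) Unwrap() error { return e.Cause }

// byteBuffer is an expandable buffer backed by a byte slice: buf is the
// storage handed to system calls, n is how much of it holds valid data.
type byteBuffer struct {
	buf []byte
	n   int
}

func newByteBuffer(initialSize int) *byteBuffer {
	return &byteBuffer{buf: make([]byte, initialSize)}
}

func (b *byteBuffer) Bytes() []byte { return b.buf[:b.n] }
func (b *byteBuffer) Len() int      { return b.n }

// Reset empties the buffer but keeps the storage for the next record.
func (b *byteBuffer) Reset() { b.n = 0 }

// Reserve grows the storage to at least size bytes, preserving written data.
func (b *byteBuffer) Reserve(size int) {
	if size > len(b.buf) {
		grown := make([]byte, size)
		copy(grown, b.buf[:b.n])
		b.buf = grown
	}
}

// fillWithRetry calls fill with the buffer's storage. When fill reports an
// insufficientBufferError the buffer is grown to RequiredSize and the call is
// repeated once; a callee that keeps asking for more is rejected, not looped on.
// A callee claiming to have written more than the buffer holds is rejected too.
func fillWithRetry(b *byteBuffer, fill func(buf []byte) (int, error)) ([]byte, error) {
	b.Reset()
	for attempt := 0; attempt < 2; attempt++ {
		n, err := fill(b.buf)
		if err == nil {
			if n > len(b.buf) {
				return nil, fmt.Errorf("callee reported %d bytes written into a %d byte buffer", n, len(b.buf))
			}
			b.n = n
			return b.Bytes(), nil
		}
		var ibe insufficientBufferError
		if !errors.As(err, &ibe) {
			return nil, err
		}
		b.Reserve(ibe.RequiredSize)
	}
	return nil, fmt.Errorf("buffer still too small after growing to %d bytes", len(b.buf))
}

// copyRenderer mimics a Windows API such as EvtRender: it copies payload into
// buf when it fits and otherwise reports the size it needs.
func copyRenderer(payload []byte) func([]byte) (int, error) {
	return func(buf []byte) (int, error) {
		if len(payload) > len(buf) {
			return 0, insufficientBufferError{Cause: errBufferTooSmall, RequiredSize: len(payload)}
		}
		return copy(buf, payload), nil
	}
}

func main() {
	b := newByteBuffer(4)
	out, err := fillWithRetry(b, copyRenderer([]byte("<Event>...</Event>")))
	fmt.Printf("%q %v (storage now %d bytes)\n", out, err, len(b.buf))
	b.Reset()
	fmt.Println(b.Len(), len(b.buf)) // 0 18: emptied, storage retained
}
```

Because insufficientBufferError implements Unwrap, callers can still test for the sentinel with errors.Is(err, errBufferTooSmall) while the retry loop pulls the size out with errors.As.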
type KeyValue ¶
KeyValue is a key value pair of strings.
func (*KeyValue) UnmarshalXML ¶
UnmarshalXML unmarshals an arbitrary XML element into a KeyValue. The key becomes the name of the element or value of the Name attribute if it exists. The value is the character data contained within the element.
type MessageFiles ¶
type MessageFiles struct {
	SourceName string
	Err        error
	Handles    []FileHandle
}
MessageFiles contains handles to event message files associated with an event log source.
type Provider ¶
type Provider struct {
	Name            string `xml:"Name,attr"`
	GUID            string `xml:"Guid,attr"`
	EventSourceName string `xml:"EventSourceName,attr"`
}
Provider identifies the provider that logged the event. The Name and GUID attributes are included if the provider used an instrumentation manifest to define its events; otherwise, the EventSourceName attribute is included if a legacy event provider (using the Event Logging API) logged the event.
type SIDType ¶
type SIDType uint32
SIDType identifies the type of a security identifier (SID).
type TimeCreated ¶
TimeCreated contains the system time of when the event was logged.
func (*TimeCreated) UnmarshalXML ¶
func (t *TimeCreated) UnmarshalXML(d *xml.Decoder, start xml.StartElement) error
UnmarshalXML unmarshals an XML dateTime string.
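To see how the struct tags on Event, the ,any slice in EventData, and the custom UnmarshalXML methods on KeyValue and TimeCreated combine, here is an added example that parses a constructed event record. It is not the package's code: the lowercase types, unmarshalEventXML, Data and sampleEvent are this example's, every value in the sample is invented, and reading the timestamp from a SystemTime attribute in RFC 3339 form is an assumption about the Windows event XML schema that this page does not state.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"time"
)

// keyValue is a key/value pair of strings. UnmarshalXML follows the rule described
// above: key = Name attribute when present, else the element name; value = character data.
type keyValue struct{ Key, Value string }

func (kv *keyValue) UnmarshalXML(d *xml.Decoder, start xml.StartElement) error {
	kv.Key = start.Name.Local
	for _, a := range start.Attr {
		if a.Name.Local == "Name" {
			kv.Key = a.Value
			break
		}
	}
	// Decoding into a string collects the character data and consumes the end element.
	return d.DecodeElement(&kv.Value, &start)
}

type eventData struct {
	Pairs []keyValue `xml:",any"`
}

// timeCreated reads the SystemTime attribute; the attribute name and its
// RFC 3339 layout are assumptions about the Windows event schema.
type timeCreated struct{ SystemTime time.Time }

func (t *timeCreated) UnmarshalXML(d *xml.Decoder, start xml.StartElement) error {
	for _, a := range start.Attr {
		if a.Name.Local == "SystemTime" {
			ts, err := time.Parse(time.RFC3339Nano, a.Value)
			if err != nil {
				return fmt.Errorf("TimeCreated: %w", err)
			}
			t.SystemTime = ts
		}
	}
	return d.Skip() // consume the empty element body
}

type eventIdentifier struct {
	Qualifiers uint16 `xml:"Qualifiers,attr"`
	ID         uint32 `xml:",chardata"`
}

// event is a cut-down analogue of the Event struct above, using the same tags.
type event struct {
	EventIdentifier eventIdentifier `xml:"System>EventID"`
	TimeCreated     timeCreated     `xml:"System>TimeCreated"`
	RecordID        uint64          `xml:"System>EventRecordID"`
	Channel         string          `xml:"System>Channel"`
	EventData       eventData       `xml:"EventData"`
}

func unmarshalEventXML(raw []byte) (event, error) {
	var e event
	err := xml.Unmarshal(raw, &e)
	return e, err
}

// Data returns the first EventData value stored under key. Pairs stays an ordered
// slice, not a map, so duplicate or reordered Data elements are not silently collapsed.
func (e event) Data(key string) (string, bool) {
	for _, kv := range e.EventData.Pairs {
		if kv.Key == key {
			return kv.Value, true
		}
	}
	return "", false
}

// sampleEvent is a constructed record shaped like a Security 4688 event; all values are invented.
const sampleEvent = `<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}"/>
<EventID>4688</EventID>
<TimeCreated SystemTime="2024-05-01T12:34:56.7890123Z"/>
<EventRecordID>123456</EventRecordID>
<Channel>Security</Channel>
</System>
<EventData>
<Data Name="SubjectUserName">alice</Data>
<Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data>
<Data Name="CommandLine">cmd.exe /c whoami</Data>
<Binary>00FF</Binary>
</EventData>
</Event>`

func main() {
	e, err := unmarshalEventXML([]byte(sampleEvent))
	cmd, _ := e.Data("CommandLine")
	fmt.Println(e.EventIdentifier.ID, e.RecordID, cmd, err) // 4688 123456 cmd.exe /c whoami <nil>
}
```

The Binary element has no Name attribute, so it is keyed by its element name, exactly the fallback the KeyValue doc describes; a malformed SystemTime surfaces as an error from xml.Unmarshal rather than a zero time, which is the behaviour you want when timestamps feed correlation logic.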
Source Files ¶
Directories ¶
Path | Synopsis |
---|---|
eventlogging | Package eventlogging provides access to the Event Logging API that was designed for applications that run on the Windows Server 2003, Windows XP, or Windows 2000 operating system. |
wineventlog | Package wineventlog provides access to the Windows Event Log API used in all versions of Windows since Vista (i.e. |