Beispiel #1
0
func (l *eventLogging) Read() ([]Record, error) {
	flags := sys.EVENTLOG_SEQUENTIAL_READ | sys.EVENTLOG_FORWARDS_READ
	if l.seek {
		flags = sys.EVENTLOG_SEEK_READ | sys.EVENTLOG_FORWARDS_READ
		l.seek = false
	}

	var numBytesRead int
	err := retry(
		func() error {
			l.readBuf = l.readBuf[0:cap(l.readBuf)]
			// TODO: Use number of bytes to grow the buffer size as needed.
			var err error
			numBytesRead, err = sys.ReadEventLog(
				l.handle,
				flags,
				l.recordNumber,
				l.readBuf)
			return err
		},
		l.readRetryErrorHandler)
	if err != nil {
		debugf("%s ReadEventLog returned error %v", l.logPrefix, err)
		return readErrorHandler(err)
	}
	detailf("%s ReadEventLog read %d bytes", l.logPrefix, numBytesRead)

	l.readBuf = l.readBuf[0:numBytesRead]
	events, _, err := sys.RenderEvents(
		l.readBuf[:numBytesRead], 0, l.formatBuf, l.handles.get)
	if err != nil {
		return nil, err
	}
	detailf("%s RenderEvents returned %d events", l.logPrefix, len(events))

	records := make([]Record, 0, len(events))
	for _, e := range events {
		r := Record{
			API:            eventLoggingAPIName,
			EventLogName:   l.name,
			RecordNumber:   uint64(e.RecordID),
			EventID:        e.EventID, // TODO: Subtract out high order bytes (upper 2 bytes)
			Level:          e.Level,
			SourceName:     e.SourceName,
			ComputerName:   e.Computer,
			Category:       e.Category,
			Message:        e.Message,
			MessageInserts: e.MessageInserts,
			MessageErr:     e.MessageErr,
			EventMetadata:  l.eventMetadata,
		}

		if e.TimeGenerated != nil {
			r.TimeGenerated = *e.TimeGenerated
		} else if e.TimeWritten != nil {
			r.TimeGenerated = *e.TimeWritten
		}

		if e.UserSID != nil {
			r.User = &User{
				Identifier: e.UserSID.Identifier,
				Name:       e.UserSID.Name,
				Domain:     e.UserSID.Domain,
				Type:       e.UserSID.Type.String(),
			}
		}

		records = append(records, r)
	}

	if l.ignoreFirst && len(records) > 0 {
		debugf("%s Ignoring first event with record number %d", l.logPrefix,
			records[0].RecordNumber)
		records = records[1:]
		l.ignoreFirst = false
	}

	debugf("%s Read() is returning %d records", l.logPrefix, len(records))
	return records, nil
}
Beispiel #2
0
func (l *eventLogging) Read() ([]Record, error) {
	flags := win.EVENTLOG_SEQUENTIAL_READ | win.EVENTLOG_FORWARDS_READ
	if l.seek {
		flags = win.EVENTLOG_SEEK_READ | win.EVENTLOG_FORWARDS_READ
		l.seek = false
	}

	var numBytesRead int
	err := retry(
		func() error {
			l.readBuf = l.readBuf[0:cap(l.readBuf)]
			// TODO: Use number of bytes to grow the buffer size as needed.
			var err error
			numBytesRead, err = win.ReadEventLog(
				l.handle,
				flags,
				l.recordNumber,
				l.readBuf)
			return err
		},
		l.readRetryErrorHandler)
	if err != nil {
		debugf("%s ReadEventLog returned error %v", l.logPrefix, err)
		return readErrorHandler(err)
	}
	detailf("%s ReadEventLog read %d bytes", l.logPrefix, numBytesRead)

	l.readBuf = l.readBuf[0:numBytesRead]
	events, _, err := win.RenderEvents(
		l.readBuf[:numBytesRead], 0, l.formatBuf, l.handles.get)
	if err != nil {
		return nil, err
	}
	detailf("%s RenderEvents returned %d events", l.logPrefix, len(events))

	records := make([]Record, 0, len(events))
	for _, e := range events {
		// The events do not contain the name of the event log so we must add
		// the name of the log from which we are reading.
		e.Channel = l.name

		err = sys.PopulateAccount(&e.User)
		if err != nil {
			debugf("%s SID %s account lookup failed. %v", l.logPrefix,
				e.User.Identifier, err)
		}

		records = append(records, Record{
			API:           eventLoggingAPIName,
			EventMetadata: l.eventMetadata,
			Event:         e,
		})
	}

	if l.ignoreFirst && len(records) > 0 {
		debugf("%s Ignoring first event with record ID %d", l.logPrefix,
			records[0].RecordID)
		records = records[1:]
		l.ignoreFirst = false
	}

	records = filter(records, l.ignoreOlder)
	debugf("%s Read() is returning %d records", l.logPrefix, len(records))
	return records, nil
}