Beispiel #1
0
func (l *winEventLog) buildRecordFromXML(x string, recoveredErr error) (Record, error) {
	e, err := sys.UnmarshalEventXML([]byte(x))
	if err != nil {
		return Record{}, fmt.Errorf("Failed to unmarshal XML='%s'. %v", x, err)
	}

	err = sys.PopulateAccount(&e.User)
	if err != nil {
		debugf("%s SID %s account lookup failed. %v", l.logPrefix,
			e.User.Identifier, err)
	}

	if e.RenderErrorCode != 0 {
		// Convert the render error code to an error message that can be
		// included in the "message_error" field.
		e.RenderErr = syscall.Errno(e.RenderErrorCode).Error()
	} else if recoveredErr != nil {
		e.RenderErr = recoveredErr.Error()
	}

	if logp.IsDebug(detailSelector) {
		detailf("%s XML=%s Event=%+v", l.logPrefix, x, e)
	}

	r := Record{
		API:           winEventLogAPIName,
		EventMetadata: l.eventMetadata,
		Event:         e,
	}

	if l.config.IncludeXML {
		r.XML = x
	}

	return r, nil
}
Beispiel #2
0
func (l *eventLogging) Read() ([]Record, error) {
	flags := win.EVENTLOG_SEQUENTIAL_READ | win.EVENTLOG_FORWARDS_READ
	if l.seek {
		flags = win.EVENTLOG_SEEK_READ | win.EVENTLOG_FORWARDS_READ
		l.seek = false
	}

	var numBytesRead int
	err := retry(
		func() error {
			l.readBuf = l.readBuf[0:cap(l.readBuf)]
			// TODO: Use number of bytes to grow the buffer size as needed.
			var err error
			numBytesRead, err = win.ReadEventLog(
				l.handle,
				flags,
				l.recordNumber,
				l.readBuf)
			return err
		},
		l.readRetryErrorHandler)
	if err != nil {
		debugf("%s ReadEventLog returned error %v", l.logPrefix, err)
		return readErrorHandler(err)
	}
	detailf("%s ReadEventLog read %d bytes", l.logPrefix, numBytesRead)

	l.readBuf = l.readBuf[0:numBytesRead]
	events, _, err := win.RenderEvents(
		l.readBuf[:numBytesRead], 0, l.formatBuf, l.handles.get)
	if err != nil {
		return nil, err
	}
	detailf("%s RenderEvents returned %d events", l.logPrefix, len(events))

	records := make([]Record, 0, len(events))
	for _, e := range events {
		// The events do not contain the name of the event log so we must add
		// the name of the log from which we are reading.
		e.Channel = l.name

		err = sys.PopulateAccount(&e.User)
		if err != nil {
			debugf("%s SID %s account lookup failed. %v", l.logPrefix,
				e.User.Identifier, err)
		}

		records = append(records, Record{
			API:           eventLoggingAPIName,
			EventMetadata: l.eventMetadata,
			Event:         e,
		})
	}

	if l.ignoreFirst && len(records) > 0 {
		debugf("%s Ignoring first event with record ID %d", l.logPrefix,
			records[0].RecordID)
		records = records[1:]
		l.ignoreFirst = false
	}

	records = filter(records, l.ignoreOlder)
	debugf("%s Read() is returning %d records", l.logPrefix, len(records))
	return records, nil
}