// ToMapStr flattens this Record into a freshly allocated common.MapStr.
//
// A fixed set of fields is always present (type, metadata, timestamp, log
// name, source name, computer name, record number, event id). Every other
// field is handed to addOptional and therefore appears only when that helper
// considers the value worth emitting. Three nested dictionaries may be added:
// "user" (only when User.Identifier is non-empty), and "event_data" /
// "user_data" (only when addPairs produced at least one entry for them).
func (e Record) ToMapStr() common.MapStr {
	out := make(common.MapStr)

	// Fields that are emitted for every record.
	out["type"] = e.API
	out[common.EventMetadataKey] = e.EventMetadata
	out["@timestamp"] = common.Time(e.TimeCreated.SystemTime)
	out["log_name"] = e.Channel
	out["source_name"] = e.Provider.Name
	out["computer_name"] = e.Computer
	// The record number is emitted as a decimal string, not as a number.
	out["record_number"] = strconv.FormatUint(e.RecordID, 10)
	out["event_id"] = e.EventIdentifier.ID

	// Provider and rendering details; each is added only when non-empty.
	addOptional(out, "xml", e.XML)
	addOptional(out, "provider_guid", e.Provider.GUID)
	addOptional(out, "version", e.Version)
	addOptional(out, "level", e.Level)
	addOptional(out, "task", e.Task)
	addOptional(out, "opcode", e.Opcode)
	addOptional(out, "keywords", e.Keywords)
	// The rendered message is passed through sys.RemoveWindowsLineEndings
	// before it is stored; RenderErr reports any problem rendering it.
	addOptional(out, "message", sys.RemoveWindowsLineEndings(e.Message))
	addOptional(out, "message_error", e.RenderErr)

	// Correlation identifiers.
	addOptional(out, "activity_id", e.Correlation.ActivityID)
	addOptional(out, "related_activity_id", e.Correlation.RelatedActivityID)

	// Execution context of the process that logged the event.
	addOptional(out, "process_id", e.Execution.ProcessID)
	addOptional(out, "thread_id", e.Execution.ThreadID)
	addOptional(out, "processor_id", e.Execution.ProcessorID)
	addOptional(out, "session_id", e.Execution.SessionID)
	addOptional(out, "kernel_time", e.Execution.KernelTime)
	addOptional(out, "user_time", e.Execution.UserTime)
	addOptional(out, "processor_time", e.Execution.ProcessorTime)

	// Principal associated with the event, keyed on its identifier. The
	// whole sub-dictionary is omitted when no identifier is present, so
	// name/domain/type are never emitted on their own.
	if ident := e.User.Identifier; ident != "" {
		principal := common.MapStr{"identifier": ident}
		addOptional(principal, "name", e.User.Name)
		addOptional(principal, "domain", e.User.Domain)
		addOptional(principal, "type", e.User.Type.String())
		out["user"] = principal
	}

	// Provider-supplied key/value payloads.
	addPairs(out, "event_data", e.EventData.Pairs)
	userData := addPairs(out, "user_data", e.UserData.Pairs)
	// NOTE(review): addPairs returns nil when no pair survived, so this call
	// relies on addOptional tolerating a nil map (or on Name.Local being
	// empty in that case) — confirm before changing either helper.
	addOptional(userData, "xml_name", e.UserData.Name.Local)

	return out
}
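// addPairs builds a nested dictionary from pairs and stores it in m under
// key.
//
// Rules applied to each pair, in order:
//   - a pair with an empty value is skipped;
//   - a pair whose key is empty or the generic "Data" is renamed "paramN",
//     where N is its 1-based position in pairs (positions of skipped pairs
//     still count, so the numbering is stable for a given event layout);
//   - on a duplicate key the first value wins and later ones are dropped
//     (reported at debug level);
//   - the stored value is passed through sys.RemoveWindowsLineEndings.
//
// Returns the nested dictionary, or nil when no pair survived — in which
// case m is left untouched and no key is added.
func addPairs(m common.MapStr, key string, pairs []sys.KeyValue) common.MapStr {
	if len(pairs) == 0 {
		return nil
	}

	h := make(common.MapStr, len(pairs))
	for i, kv := range pairs {
		// Ignore empty values.
		if kv.Value == "" {
			continue
		}

		// An empty key or the provider default "Data" carries no meaning, so
		// substitute a positional name. NOTE(review): this can collide with a
		// provider-supplied key literally named "paramN"; the first-wins rule
		// below then decides, and the later one is dropped.
		k := kv.Key
		if k == "" || k == "Data" {
			k = fmt.Sprintf("param%d", i+1)
		}

		// Do not overwrite: the first occurrence of a key is authoritative.
		if _, exists := h[k]; exists {
			// Key and value originate from the event provider, not from this
			// program. %q escapes newlines and control characters, and %#v
			// renders the event in Go syntax with every string quoted, so a
			// crafted value cannot split or forge lines in the debug log.
			debugf("Dropping key/value (k=%q, v=%q) pair because key already "+
				"exists. event=%#v", k, kv.Value, m)
			continue
		}
		h[k] = sys.RemoveWindowsLineEndings(kv.Value)
	}

	// Nothing survived: do not add an empty dictionary to m.
	if len(h) == 0 {
		return nil
	}
	m[key] = h
	return h
}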