func (l *winEventLog) Read() ([]Record, error) {
handles, err := sys.EventHandles(l.subscription, l.maxRead)
if err == sys.ERROR_NO_MORE_ITEMS {
detailf("%s No more events", l.logPrefix)
return nil, nil
}
if err != nil {
logp.Warn("%s EventHandles returned error %v Errno: %d", l.logPrefix, err)
return nil, err
}
defer func() {
for _, h := range handles {
sys.Close(h)
}
}()
detailf("%s EventHandles returned %d handles", l.logPrefix, len(handles))
var records []Record
for _, h := range handles {
e, err := sys.RenderEvent(h, l.systemCtx, 0, l.renderBuf, l.cache.get)
if err != nil {
logp.Err("%s Dropping event with rendering error. %v", l.logPrefix, err)
continue
}
r := Record{
API: winEventLogAPIName,
EventLogName: e.Channel,
SourceName: e.ProviderName,
ComputerName: e.Computer,
RecordNumber: e.RecordID,
EventID: uint32(e.EventID),
Level: e.Level,
Category: e.Task,
Message: e.Message,
MessageErr: e.MessageErr,
EventMetadata: l.eventMetadata,
}
if e.TimeCreated != nil {
r.TimeGenerated = *e.TimeCreated
}
if e.UserSID != nil {
r.User = &User{
Identifier: e.UserSID.Identifier,
Name: e.UserSID.Name,
Domain: e.UserSID.Domain,
Type: e.UserSID.Type.String(),
}
}
records = append(records, r)
}
debugf("%s Read() is returning %d records", l.logPrefix, len(records))
return records, nil
}
func (l *winEventLog) Read() ([]Record, error) {
handles, err := win.EventHandles(l.subscription, l.maxRead)
if err == win.ERROR_NO_MORE_ITEMS {
detailf("%s No more events", l.logPrefix)
return nil, nil
}
if err != nil {
logp.Warn("%s EventHandles returned error %v Errno: %d", l.logPrefix, err)
return nil, err
}
defer func() {
for _, h := range handles {
win.Close(h)
}
}()
detailf("%s EventHandles returned %d handles", l.logPrefix, len(handles))
var records []Record
for _, h := range handles {
x, err := win.RenderEvent(h, 0, l.renderBuf, l.cache.get)
if bufErr, ok := err.(sys.InsufficientBufferError); ok {
detailf("%s Increasing render buffer size to %d", l.logPrefix,
bufErr.RequiredSize)
l.renderBuf = make([]byte, bufErr.RequiredSize)
x, err = win.RenderEvent(h, 0, l.renderBuf, l.cache.get)
}
if err != nil && x == "" {
logp.Err("%s Dropping event with rendering error. %v", l.logPrefix, err)
reportDrop(err)
continue
}
r, err := l.buildRecordFromXML(x, err)
if err != nil {
logp.Err("%s Dropping event. %v", l.logPrefix, err)
reportDrop("unmarshal")
continue
}
records = append(records, r)
}
debugf("%s Read() is returning %d records", l.logPrefix, len(records))
return records, nil
}
func (l *eventLog) Read() ([]eventlog.LogRecord, error) {
var events []eventlog.LogRecord
for {
handles, err := sys.EventHandles(l.subscription, l.maxRead)
if err == sys.ERROR_NO_MORE_ITEMS {
detailf("%s No more events", l.logPrefix)
break
}
if err != nil {
errno, _ := err.(syscall.Errno)
logp.Warn("%s Failed to read event handles. %v %v", l.logPrefix,
err, uint32(errno))
return nil, err
}
detailf("%s EventHandles returned %d events", l.logPrefix, len(handles))
for _, h := range handles {
evt, _, err := sys.RenderEvent(h, sys.NullEvtHandle, 0, l.renderBuf, nil)
if err != nil {
logp.Err("%s Error rendering event. %v", l.logPrefix, err)
continue
}
events = append(events, eventlog.LogRecord{
EventLogName: evt.Channel,
SourceName: evt.ProviderName,
ComputerName: evt.Computer,
RecordNumber: evt.RecordID,
EventID: uint32(evt.EventID),
EventType: evt.Level, // convert
EventCategory: evt.Task,
TimeGenerated: *evt.TimeCreated,
UserSID: evt.UserSID,
Message: evt.Message,
})
}
}
return events, nil
}
// newWinEventLog creates and returns a new EventLog for reading event logs
// using the Windows Event Log.
func newWinEventLog(options map[string]interface{}) (EventLog, error) {
c := defaultWinEventLogConfig
if err := readConfig(options, &c, winEventLogConfigKeys); err != nil {
return nil, err
}
query, err := win.Query{
Log: c.Name,
IgnoreOlder: c.SimpleQuery.IgnoreOlder,
Level: c.SimpleQuery.Level,
EventID: c.SimpleQuery.EventID,
Provider: c.SimpleQuery.Provider,
}.Build()
if err != nil {
return nil, err
}
eventMetadataHandle := func(providerName, sourceName string) sys.MessageFiles {
mf := sys.MessageFiles{SourceName: sourceName}
h, err := win.OpenPublisherMetadata(0, sourceName, 0)
if err != nil {
mf.Err = err
return mf
}
mf.Handles = []sys.FileHandle{{Handle: uintptr(h)}}
return mf
}
freeHandle := func(handle uintptr) error {
return win.Close(win.EvtHandle(handle))
}
l := &winEventLog{
config: c,
query: query,
channelName: c.Name,
maxRead: c.BatchReadSize,
renderBuf: make([]byte, renderBufferSize),
cache: newMessageFilesCache(c.Name, eventMetadataHandle, freeHandle),
logPrefix: fmt.Sprintf("WinEventLog[%s]", c.Name),
eventMetadata: c.EventMetadata,
}
// Forwarded events should be rendered using RenderEventXML. It is more
// efficient and does not attempt to use local message files for rendering
// the event's message.
switch {
case c.Forwarded == nil && c.Name == "ForwardedEvents",
c.Forwarded != nil && *c.Forwarded == true:
l.render = func(event win.EvtHandle) (string, error) {
return win.RenderEventXML(event, l.renderBuf)
}
default:
l.render = func(event win.EvtHandle) (string, error) {
return win.RenderEvent(event, 0, l.renderBuf, l.cache.get)
}
}
return l, nil
}