// ToMapStr returns a new MapStr containing the data from this Record.
//
// The fields that every record carries are set directly. All remaining
// fields go through addOptional (defined elsewhere in the package), which
// decides whether a value is worth adding; event data and user data pairs are
// nested under their own keys by addPairs.
func (e Record) ToMapStr() common.MapStr {
	m := common.MapStr{
		"type":                  e.API,
		common.EventMetadataKey: e.EventMetadata,
		"@timestamp":            common.Time(e.TimeCreated.SystemTime),
		"log_name":              e.Channel,
		"source_name":           e.Provider.Name,
		"computer_name":         e.Computer,
		"record_number":         strconv.FormatUint(e.RecordID, 10),
		"event_id":              e.EventIdentifier.ID,
	}

	// Optional top-level fields. Each value is handed to addOptional
	// unchanged; the table only fixes the key each value is stored under.
	optional := []struct {
		key string
		val interface{}
	}{
		{"xml", e.XML},
		{"provider_guid", e.Provider.GUID},
		{"version", e.Version},
		{"level", e.Level},
		{"task", e.Task},
		{"opcode", e.Opcode},
		{"keywords", e.Keywords},
		// Windows line endings are stripped from the message before it is
		// stored so downstream consumers see a single line-ending style.
		{"message", sys.RemoveWindowsLineEndings(e.Message)},
		{"message_error", e.RenderErr},

		// Correlation
		{"activity_id", e.Correlation.ActivityID},
		{"related_activity_id", e.Correlation.RelatedActivityID},

		// Execution
		{"process_id", e.Execution.ProcessID},
		{"thread_id", e.Execution.ThreadID},
		{"processor_id", e.Execution.ProcessorID},
		{"session_id", e.Execution.SessionID},
		{"kernel_time", e.Execution.KernelTime},
		{"user_time", e.Execution.UserTime},
		{"processor_time", e.Execution.ProcessorTime},
	}
	for _, f := range optional {
		addOptional(m, f.key, f.val)
	}

	// The user sub-document is only emitted when a SID-style identifier is
	// present; the remaining user attributes hang off that sub-document.
	if id := e.User.Identifier; id != "" {
		m["user"] = userMapStr(id, e.User)
	}

	addPairs(m, "event_data", e.EventData.Pairs)

	// addPairs returns nil when it adds nothing; the xml_name call below
	// therefore relies on addOptional tolerating a nil map (see its
	// definition).
	userData := addPairs(m, "user_data", e.UserData.Pairs)
	addOptional(userData, "xml_name", e.UserData.Name.Local)

	return m
}

// userMapStr builds the "user" sub-document for a record whose identifier
// is non-empty. The identifier is always set; name, domain and type are
// added through addOptional.
func userMapStr(identifier string, u sys.SID) common.MapStr {
	user := common.MapStr{
		"identifier": identifier,
	}
	addOptional(user, "name", u.Name)
	addOptional(user, "domain", u.Domain)
	addOptional(user, "type", u.Type.String())
	return user
}
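// addPairs adds a new dictionary to the given MapStr under key. The key/value
// pairs are added to the new dictionary, skipping any pair whose value is
// empty. A pair whose key is empty, or is the default "Data", is stored under
// a generic name paramN, where N is the pair's 1-based position in pairs. If
// any keys are duplicates, the first key/value pair is kept and the remaining
// duplicates are dropped (each drop is reported through debugf).
//
// The new dictionary is added to the given MapStr and it is also returned for
// convenience purposes. When pairs is empty, or every pair is skipped, m is
// left untouched and nil is returned.
func addPairs(m common.MapStr, key string, pairs []sys.KeyValue) common.MapStr {
	if len(pairs) == 0 {
		return nil
	}

	h := make(common.MapStr, len(pairs))
	for i, kv := range pairs {
		// Ignore empty values.
		if kv.Value == "" {
			continue
		}

		// If the key name is empty or if it is the default of "Data" then
		// assign a generic name of paramN, numbered by position in pairs.
		k := kv.Key
		if k == "" || k == "Data" {
			k = fmt.Sprintf("param%d", i+1)
		}

		// Do not overwrite: the first pair seen for a key wins. The debug
		// message includes the whole event (m) for context.
		if _, exists := h[k]; exists {
			debugf("Dropping key/value (k=%s, v=%s) pair because key already "+
				"exists. event=%+v", k, kv.Value, m)
			continue
		}
		h[k] = sys.RemoveWindowsLineEndings(kv.Value)
	}

	// Nothing survived the filtering; do not add an empty dictionary.
	if len(h) == 0 {
		return nil
	}

	m[key] = h
	return h
}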