func (l *eventLogging) Read() ([]Record, error) { flags := sys.EVENTLOG_SEQUENTIAL_READ | sys.EVENTLOG_FORWARDS_READ if l.seek { flags = sys.EVENTLOG_SEEK_READ | sys.EVENTLOG_FORWARDS_READ l.seek = false } var numBytesRead int err := retry( func() error { l.readBuf = l.readBuf[0:cap(l.readBuf)] // TODO: Use number of bytes to grow the buffer size as needed. var err error numBytesRead, err = sys.ReadEventLog( l.handle, flags, l.recordNumber, l.readBuf) return err }, l.readRetryErrorHandler) if err != nil { debugf("%s ReadEventLog returned error %v", l.logPrefix, err) return readErrorHandler(err) } detailf("%s ReadEventLog read %d bytes", l.logPrefix, numBytesRead) l.readBuf = l.readBuf[0:numBytesRead] events, _, err := sys.RenderEvents( l.readBuf[:numBytesRead], 0, l.formatBuf, l.handles.get) if err != nil { return nil, err } detailf("%s RenderEvents returned %d events", l.logPrefix, len(events)) records := make([]Record, 0, len(events)) for _, e := range events { r := Record{ API: eventLoggingAPIName, EventLogName: l.name, RecordNumber: uint64(e.RecordID), EventID: e.EventID, // TODO: Subtract out high order bytes (upper 2 bytes) Level: e.Level, SourceName: e.SourceName, ComputerName: e.Computer, Category: e.Category, Message: e.Message, MessageInserts: e.MessageInserts, MessageErr: e.MessageErr, EventMetadata: l.eventMetadata, } if e.TimeGenerated != nil { r.TimeGenerated = *e.TimeGenerated } else if e.TimeWritten != nil { r.TimeGenerated = *e.TimeWritten } if e.UserSID != nil { r.User = &User{ Identifier: e.UserSID.Identifier, Name: e.UserSID.Name, Domain: e.UserSID.Domain, Type: e.UserSID.Type.String(), } } records = append(records, r) } if l.ignoreFirst && len(records) > 0 { debugf("%s Ignoring first event with record number %d", l.logPrefix, records[0].RecordNumber) records = records[1:] l.ignoreFirst = false } debugf("%s Read() is returning %d records", l.logPrefix, len(records)) return records, nil }
func (l *eventLogging) Read() ([]Record, error) { flags := win.EVENTLOG_SEQUENTIAL_READ | win.EVENTLOG_FORWARDS_READ if l.seek { flags = win.EVENTLOG_SEEK_READ | win.EVENTLOG_FORWARDS_READ l.seek = false } var numBytesRead int err := retry( func() error { l.readBuf = l.readBuf[0:cap(l.readBuf)] // TODO: Use number of bytes to grow the buffer size as needed. var err error numBytesRead, err = win.ReadEventLog( l.handle, flags, l.recordNumber, l.readBuf) return err }, l.readRetryErrorHandler) if err != nil { debugf("%s ReadEventLog returned error %v", l.logPrefix, err) return readErrorHandler(err) } detailf("%s ReadEventLog read %d bytes", l.logPrefix, numBytesRead) l.readBuf = l.readBuf[0:numBytesRead] events, _, err := win.RenderEvents( l.readBuf[:numBytesRead], 0, l.formatBuf, l.handles.get) if err != nil { return nil, err } detailf("%s RenderEvents returned %d events", l.logPrefix, len(events)) records := make([]Record, 0, len(events)) for _, e := range events { // The events do not contain the name of the event log so we must add // the name of the log from which we are reading. e.Channel = l.name err = sys.PopulateAccount(&e.User) if err != nil { debugf("%s SID %s account lookup failed. %v", l.logPrefix, e.User.Identifier, err) } records = append(records, Record{ API: eventLoggingAPIName, EventMetadata: l.eventMetadata, Event: e, }) } if l.ignoreFirst && len(records) > 0 { debugf("%s Ignoring first event with record ID %d", l.logPrefix, records[0].RecordID) records = records[1:] l.ignoreFirst = false } records = filter(records, l.ignoreOlder) debugf("%s Read() is returning %d records", l.logPrefix, len(records)) return records, nil }