func (l *eventLogging) Read() ([]Record, error) {
flags := sys.EVENTLOG_SEQUENTIAL_READ | sys.EVENTLOG_FORWARDS_READ
if l.seek {
flags = sys.EVENTLOG_SEEK_READ | sys.EVENTLOG_FORWARDS_READ
l.seek = false
}
var numBytesRead int
err := retry(
func() error {
l.readBuf = l.readBuf[0:cap(l.readBuf)]
// TODO: Use number of bytes to grow the buffer size as needed.
var err error
numBytesRead, err = sys.ReadEventLog(
l.handle,
flags,
l.recordNumber,
l.readBuf)
return err
},
l.readRetryErrorHandler)
if err != nil {
debugf("%s ReadEventLog returned error %v", l.logPrefix, err)
return readErrorHandler(err)
}
detailf("%s ReadEventLog read %d bytes", l.logPrefix, numBytesRead)
l.readBuf = l.readBuf[0:numBytesRead]
events, _, err := sys.RenderEvents(
l.readBuf[:numBytesRead], 0, l.formatBuf, l.handles.get)
if err != nil {
return nil, err
}
detailf("%s RenderEvents returned %d events", l.logPrefix, len(events))
records := make([]Record, 0, len(events))
for _, e := range events {
r := Record{
API: eventLoggingAPIName,
EventLogName: l.name,
RecordNumber: uint64(e.RecordID),
EventID: e.EventID, // TODO: Subtract out high order bytes (upper 2 bytes)
Level: e.Level,
SourceName: e.SourceName,
ComputerName: e.Computer,
Category: e.Category,
Message: e.Message,
MessageInserts: e.MessageInserts,
MessageErr: e.MessageErr,
EventMetadata: l.eventMetadata,
}
if e.TimeGenerated != nil {
r.TimeGenerated = *e.TimeGenerated
} else if e.TimeWritten != nil {
r.TimeGenerated = *e.TimeWritten
}
if e.UserSID != nil {
r.User = &User{
Identifier: e.UserSID.Identifier,
Name: e.UserSID.Name,
Domain: e.UserSID.Domain,
Type: e.UserSID.Type.String(),
}
}
records = append(records, r)
}
if l.ignoreFirst && len(records) > 0 {
debugf("%s Ignoring first event with record number %d", l.logPrefix,
records[0].RecordNumber)
records = records[1:]
l.ignoreFirst = false
}
debugf("%s Read() is returning %d records", l.logPrefix, len(records))
return records, nil
}
func (l *eventLogging) Read() ([]Record, error) {
flags := win.EVENTLOG_SEQUENTIAL_READ | win.EVENTLOG_FORWARDS_READ
if l.seek {
flags = win.EVENTLOG_SEEK_READ | win.EVENTLOG_FORWARDS_READ
l.seek = false
}
var numBytesRead int
err := retry(
func() error {
l.readBuf = l.readBuf[0:cap(l.readBuf)]
// TODO: Use number of bytes to grow the buffer size as needed.
var err error
numBytesRead, err = win.ReadEventLog(
l.handle,
flags,
l.recordNumber,
l.readBuf)
return err
},
l.readRetryErrorHandler)
if err != nil {
debugf("%s ReadEventLog returned error %v", l.logPrefix, err)
return readErrorHandler(err)
}
detailf("%s ReadEventLog read %d bytes", l.logPrefix, numBytesRead)
l.readBuf = l.readBuf[0:numBytesRead]
events, _, err := win.RenderEvents(
l.readBuf[:numBytesRead], 0, l.formatBuf, l.handles.get)
if err != nil {
return nil, err
}
detailf("%s RenderEvents returned %d events", l.logPrefix, len(events))
records := make([]Record, 0, len(events))
for _, e := range events {
// The events do not contain the name of the event log so we must add
// the name of the log from which we are reading.
e.Channel = l.name
err = sys.PopulateAccount(&e.User)
if err != nil {
debugf("%s SID %s account lookup failed. %v", l.logPrefix,
e.User.Identifier, err)
}
records = append(records, Record{
API: eventLoggingAPIName,
EventMetadata: l.eventMetadata,
Event: e,
})
}
if l.ignoreFirst && len(records) > 0 {
debugf("%s Ignoring first event with record ID %d", l.logPrefix,
records[0].RecordID)
records = records[1:]
l.ignoreFirst = false
}
records = filter(records, l.ignoreOlder)
debugf("%s Read() is returning %d records", l.logPrefix, len(records))
return records, nil
}