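// FormatEventString formats part of the event as a string and writes it to
// out as UTF-8.
//
// messageFlag determines what part of the event is formatted as a string.
// eventHandle is the handle to the event.
// publisher is the name of the event's publisher.
// publisherHandle is a handle to the publisher's metadata as provided by
// EvtOpenPublisherMetadata. If it is 0, the metadata is opened by publisher
// name for the duration of this call and closed before returning.
// lang is the language ID.
// buffer is optional and if not provided it will be allocated. If the provided
// buffer is not large enough then an InsufficientBufferError will be returned.
//
// An error is also returned if the API reports more bytes written than buffer
// can hold.
func FormatEventString(
	messageFlag EvtFormatMessageFlag,
	eventHandle EvtHandle,
	publisher string,
	publisherHandle EvtHandle,
	lang uint32,
	buffer []byte,
	out io.Writer,
) error {
	// Open a publisher handle if one was not provided. The handle must be
	// assigned to the outer ph (not redeclared with := inside the if block),
	// otherwise the calls below would still see a zero handle.
	// NOTE(review): lang is never read in this function and 0 is passed as the
	// third argument here; confirm whether lang was meant to be forwarded.
	ph := publisherHandle
	if ph == 0 {
		var err error
		ph, err = OpenPublisherMetadata(0, publisher, 0)
		if err != nil {
			return err
		}
		defer _EvtClose(ph)
	}

	// Create a buffer if one was not provided. The first call is made with a
	// zero-sized buffer so that bufferUsed receives the required size.
	var bufferUsed uint32
	if buffer == nil {
		err := _EvtFormatMessage(ph, eventHandle, 0, 0, 0, messageFlag, 0, nil, &bufferUsed)
		if err != nil && err != ERROR_INSUFFICIENT_BUFFER {
			return err
		}

		// The size is doubled to convert it to a byte count for the UTF-16
		// output buffer.
		bufferUsed *= 2
		buffer = make([]byte, bufferUsed)
		bufferUsed = 0
	}

	// Taking &buffer[0] of an empty slice panics, so pass a nil pointer with a
	// zero size instead and let the API report the outcome.
	var bufPtr *byte
	if len(buffer) > 0 {
		bufPtr = &buffer[0]
	}

	err := _EvtFormatMessage(ph, eventHandle, 0, 0, 0, messageFlag, uint32(len(buffer)/2), bufPtr, &bufferUsed)
	bufferUsed *= 2
	if err == ERROR_INSUFFICIENT_BUFFER {
		return sys.InsufficientBufferError{err, int(bufferUsed)}
	}
	if err != nil {
		return err
	}

	// Validate the reported length against len(buffer) before slicing. A
	// caller-supplied buffer may have spare capacity, and slicing past len
	// would emit whatever bytes a previous use left there.
	if int(bufferUsed) > len(buffer) {
		return fmt.Errorf("Windows EvtFormatMessage reported that it wrote %d bytes "+
			"to the buffer, but the buffer can only hold %d bytes",
			bufferUsed, len(buffer))
	}

	// This assumes there is only a single string value to read. This will
	// not work to read keys (when messageFlag == EvtFormatMessageKeyword).
	return sys.UTF16ToUTF8Bytes(buffer[:bufferUsed], out)
}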
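// RenderEventXML renders the event as XML and writes it to out as UTF-8. If
// the event is already rendered, as in a forwarded event whose content type is
// "RenderedText", then the XML will include the RenderingInfo (message). If
// the event is not rendered then the XML will not include the message, and in
// this case RenderEvent should be used.
//
// renderBuf is the scratch buffer the XML is rendered into. If it is too
// small an InsufficientBufferError carrying the size reported by EvtRender is
// returned. An error is also returned if EvtRender reports more bytes written
// than renderBuf can hold.
func RenderEventXML(eventHandle EvtHandle, renderBuf []byte, out io.Writer) error {
	// Taking &renderBuf[0] of a nil or empty slice panics, so pass a nil
	// pointer with a zero size instead.
	// NOTE(review): EvtRender is expected to answer a zero-sized buffer with
	// ERROR_INSUFFICIENT_BUFFER and the required size; confirm on Windows.
	var bufPtr *byte
	if len(renderBuf) > 0 {
		bufPtr = &renderBuf[0]
	}

	var bufferUsed, propertyCount uint32
	err := _EvtRender(0, eventHandle, EvtRenderEventXml, uint32(len(renderBuf)),
		bufPtr, &bufferUsed, &propertyCount)
	if err == ERROR_INSUFFICIENT_BUFFER {
		return sys.InsufficientBufferError{err, int(bufferUsed)}
	}
	if err != nil {
		return err
	}

	// Validate the reported length against len(renderBuf) before slicing. The
	// buffer may have spare capacity, and slicing past len would emit bytes
	// left over from an earlier event.
	if int(bufferUsed) > len(renderBuf) {
		return fmt.Errorf("Windows EvtRender reported that wrote %d bytes "+
			"to the buffer, but the buffer can only hold %d bytes",
			bufferUsed, len(renderBuf))
	}
	return sys.UTF16ToUTF8Bytes(renderBuf[:bufferUsed], out)
}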