func (l *winEventLog) eventHandles(maxRead int) ([]win.EvtHandle, int, error) {
handles, err := win.EventHandles(l.subscription, maxRead)
switch err {
case nil:
if l.maxRead > maxRead {
debugf("%s Recovered from RPC_S_INVALID_BOUND error (errno 1734) "+
"by decreasing batch_read_size to %v", l.logPrefix, maxRead)
}
return handles, maxRead, nil
case win.ERROR_NO_MORE_ITEMS:
detailf("%s No more events", l.logPrefix)
return nil, maxRead, nil
case win.RPC_S_INVALID_BOUND:
incrementMetric(readErrors, err)
if err := l.Close(); err != nil {
return nil, 0, errors.Wrap(err, "failed to recover from RPC_S_INVALID_BOUND")
}
if err := l.Open(l.lastRead); err != nil {
return nil, 0, errors.Wrap(err, "failed to recover from RPC_S_INVALID_BOUND")
}
return l.eventHandles(maxRead / 2)
default:
incrementMetric(readErrors, err)
logp.Warn("%s EventHandles returned error %v", l.logPrefix, err)
return nil, 0, err
}
}
func (l *winEventLog) Read() ([]Record, error) {
handles, err := sys.EventHandles(l.subscription, l.maxRead)
if err == sys.ERROR_NO_MORE_ITEMS {
detailf("%s No more events", l.logPrefix)
return nil, nil
}
if err != nil {
logp.Warn("%s EventHandles returned error %v Errno: %d", l.logPrefix, err)
return nil, err
}
defer func() {
for _, h := range handles {
sys.Close(h)
}
}()
detailf("%s EventHandles returned %d handles", l.logPrefix, len(handles))
var records []Record
for _, h := range handles {
e, err := sys.RenderEvent(h, l.systemCtx, 0, l.renderBuf, l.cache.get)
if err != nil {
logp.Err("%s Dropping event with rendering error. %v", l.logPrefix, err)
continue
}
r := Record{
API: winEventLogAPIName,
EventLogName: e.Channel,
SourceName: e.ProviderName,
ComputerName: e.Computer,
RecordNumber: e.RecordID,
EventID: uint32(e.EventID),
Level: e.Level,
Category: e.Task,
Message: e.Message,
MessageErr: e.MessageErr,
EventMetadata: l.eventMetadata,
}
if e.TimeCreated != nil {
r.TimeGenerated = *e.TimeCreated
}
if e.UserSID != nil {
r.User = &User{
Identifier: e.UserSID.Identifier,
Name: e.UserSID.Name,
Domain: e.UserSID.Domain,
Type: e.UserSID.Type.String(),
}
}
records = append(records, r)
}
debugf("%s Read() is returning %d records", l.logPrefix, len(records))
return records, nil
}
func (l *winEventLog) Read() ([]Record, error) {
handles, err := win.EventHandles(l.subscription, l.maxRead)
if err == win.ERROR_NO_MORE_ITEMS {
detailf("%s No more events", l.logPrefix)
return nil, nil
}
if err != nil {
logp.Warn("%s EventHandles returned error %v", l.logPrefix, err)
return nil, err
}
defer func() {
for _, h := range handles {
win.Close(h)
}
}()
detailf("%s EventHandles returned %d handles", l.logPrefix, len(handles))
var records []Record
for _, h := range handles {
x, err := l.render(h)
if bufErr, ok := err.(sys.InsufficientBufferError); ok {
detailf("%s Increasing render buffer size to %d", l.logPrefix,
bufErr.RequiredSize)
l.renderBuf = make([]byte, bufErr.RequiredSize)
x, err = l.render(h)
}
if err != nil && x == "" {
logp.Err("%s Dropping event with rendering error. %v", l.logPrefix, err)
reportDrop(err)
continue
}
r, err := l.buildRecordFromXML(x, err)
if err != nil {
logp.Err("%s Dropping event. %v", l.logPrefix, err)
reportDrop("unmarshal")
continue
}
records = append(records, r)
}
debugf("%s Read() is returning %d records", l.logPrefix, len(records))
return records, nil
}
func (l *eventLog) Read() ([]eventlog.LogRecord, error) {
var events []eventlog.LogRecord
for {
handles, err := sys.EventHandles(l.subscription, l.maxRead)
if err == sys.ERROR_NO_MORE_ITEMS {
detailf("%s No more events", l.logPrefix)
break
}
if err != nil {
errno, _ := err.(syscall.Errno)
logp.Warn("%s Failed to read event handles. %v %v", l.logPrefix,
err, uint32(errno))
return nil, err
}
detailf("%s EventHandles returned %d events", l.logPrefix, len(handles))
for _, h := range handles {
evt, _, err := sys.RenderEvent(h, sys.NullEvtHandle, 0, l.renderBuf, nil)
if err != nil {
logp.Err("%s Error rendering event. %v", l.logPrefix, err)
continue
}
events = append(events, eventlog.LogRecord{
EventLogName: evt.Channel,
SourceName: evt.ProviderName,
ComputerName: evt.Computer,
RecordNumber: evt.RecordID,
EventID: uint32(evt.EventID),
EventType: evt.Level, // convert
EventCategory: evt.Task,
TimeGenerated: *evt.TimeCreated,
UserSID: evt.UserSID,
Message: evt.Message,
})
}
}
return events, nil
}
