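// newWinEventLog creates and returns a new EventLog for reading event logs
// using the Windows Event Log.
//
// It opens a system render context up front and wires the message-file
// cache with two callbacks: one that opens publisher metadata for a source
// and one that closes such a handle again. The only error path is a failed
// CreateRenderContext, whose error is returned unchanged.
func newWinEventLog(c Config) (EventLog, error) {
	// Resolve the message files for a source by opening its publisher
	// metadata. The providerName argument is accepted to match the cache's
	// callback signature but is not used; lookup is by sourceName only.
	// A failure is recorded in MessageFiles.Err rather than returned, so the
	// cache receives a value either way.
	// NOTE(review): the zero first and last arguments presumably select the
	// local session and default locale — confirm against sys.OpenPublisherMetadata.
	openMetadata := func(providerName, sourceName string) eventlogging.MessageFiles {
		files := eventlogging.MessageFiles{SourceName: sourceName}
		handle, err := sys.OpenPublisherMetadata(0, sourceName, 0)
		if err != nil {
			files.Err = err
			return files
		}
		files.Handles = []eventlogging.FileHandle{{Handle: uintptr(handle)}}
		return files
	}

	// Release a publisher metadata handle previously returned by openMetadata.
	closeHandle := func(handle uintptr) error {
		return sys.Close(sys.EvtHandle(handle))
	}

	systemCtx, err := sys.CreateRenderContext(nil, sys.EvtRenderContextSystem)
	if err != nil {
		return nil, err
	}

	return &winEventLog{
		channelName:   c.Name,
		remoteServer:  c.RemoteAddress,
		maxRead:       defaultMaxNumRead,
		renderBuf:     make([]byte, renderBufferSize),
		systemCtx:     systemCtx,
		cache:         newMessageFilesCache(c.Name, openMetadata, closeHandle),
		logPrefix:     fmt.Sprintf("WinEventLog[%s]", c.Name),
		eventMetadata: c.EventMetadata,
	}, nil
}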
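// newWinEventLog creates and returns a new EventLog for reading event logs
// using the Windows Event Log.
//
// options is the raw configuration map; it is decoded into a
// winEventLogConfig restricted to winEventLogConfigKeys, and the simple
// filter fields are compiled into a query before any buffers are allocated.
// Errors from readConfig and from building the query are returned unchanged.
func newWinEventLog(options map[string]interface{}) (EventLog, error) {
	var c winEventLogConfig
	if err := readConfig(options, &c, winEventLogConfigKeys); err != nil {
		return nil, err
	}

	// Compile the filter before wiring anything else so an invalid filter
	// fails fast.
	query, err := win.Query{
		Log:         c.Name,
		IgnoreOlder: c.SimpleQuery.IgnoreOlder,
		Level:       c.SimpleQuery.Level,
		EventID:     c.SimpleQuery.EventID,
		Provider:    c.SimpleQuery.Provider,
	}.Build()
	if err != nil {
		return nil, err
	}

	// Resolve the message files for a source by opening its publisher
	// metadata. providerName is accepted only to satisfy the cache's callback
	// signature; the lookup uses sourceName. A failure is stored in
	// MessageFiles.Err rather than returned.
	// NOTE(review): the zero first and last arguments presumably select the
	// local session and default locale — confirm against win.OpenPublisherMetadata.
	openMetadata := func(providerName, sourceName string) sys.MessageFiles {
		files := sys.MessageFiles{SourceName: sourceName}
		handle, err := win.OpenPublisherMetadata(0, sourceName, 0)
		if err != nil {
			files.Err = err
			return files
		}
		files.Handles = []sys.FileHandle{{Handle: uintptr(handle)}}
		return files
	}

	// Release a publisher metadata handle previously returned by openMetadata.
	closeHandle := func(handle uintptr) error {
		return win.Close(win.EvtHandle(handle))
	}

	return &winEventLog{
		config:        c,
		query:         query,
		channelName:   c.Name,
		maxRead:       defaultMaxNumRead,
		renderBuf:     make([]byte, renderBufferSize),
		cache:         newMessageFilesCache(c.Name, openMetadata, closeHandle),
		logPrefix:     fmt.Sprintf("WinEventLog[%s]", c.Name),
		eventMetadata: c.EventMetadata,
	}, nil
}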
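// newWinEventLog creates and returns a new EventLog for reading event logs
// using the Windows Event Log.
//
// options is the raw configuration map. It is decoded on top of a copy of
// defaultWinEventLogConfig, restricted to winEventLogConfigKeys, and the
// simple filter fields are compiled into a query. The returned log renders
// forwarded events from their embedded XML and all other events through the
// local message-file cache. Errors from readConfig and from building the
// query are returned unchanged.
func newWinEventLog(options map[string]interface{}) (EventLog, error) {
	// Start from the defaults so unset keys keep their documented values.
	// NOTE(review): this is a struct copy; pointer fields such as Forwarded
	// would be shared with the default if readConfig wrote through them
	// rather than assigning new pointers — confirm the default leaves them nil.
	c := defaultWinEventLogConfig
	if err := readConfig(options, &c, winEventLogConfigKeys); err != nil {
		return nil, err
	}

	// Compile the filter before wiring anything else so an invalid filter
	// fails fast.
	query, err := win.Query{
		Log:         c.Name,
		IgnoreOlder: c.SimpleQuery.IgnoreOlder,
		Level:       c.SimpleQuery.Level,
		EventID:     c.SimpleQuery.EventID,
		Provider:    c.SimpleQuery.Provider,
	}.Build()
	if err != nil {
		return nil, err
	}

	// Resolve the message files for a source by opening its publisher
	// metadata. providerName is accepted only to satisfy the cache's callback
	// signature; the lookup uses sourceName. A failure is stored in
	// MessageFiles.Err rather than returned.
	// NOTE(review): the zero first and last arguments presumably select the
	// local session and default locale — confirm against win.OpenPublisherMetadata.
	openMetadata := func(providerName, sourceName string) sys.MessageFiles {
		files := sys.MessageFiles{SourceName: sourceName}
		handle, err := win.OpenPublisherMetadata(0, sourceName, 0)
		if err != nil {
			files.Err = err
			return files
		}
		files.Handles = []sys.FileHandle{{Handle: uintptr(handle)}}
		return files
	}

	// Release a publisher metadata handle previously returned by openMetadata.
	closeHandle := func(handle uintptr) error {
		return win.Close(win.EvtHandle(handle))
	}

	l := &winEventLog{
		config:        c,
		query:         query,
		channelName:   c.Name,
		maxRead:       c.BatchReadSize,
		renderBuf:     make([]byte, renderBufferSize),
		cache:         newMessageFilesCache(c.Name, openMetadata, closeHandle),
		logPrefix:     fmt.Sprintf("WinEventLog[%s]", c.Name),
		eventMetadata: c.EventMetadata,
	}

	// Forwarded events should be rendered using RenderEventXML. It is more
	// efficient and does not attempt to use local message files for rendering
	// the event's message. An explicit `forwarded` setting wins; when it is
	// absent, the "ForwardedEvents" channel name implies forwarding.
	forwarded := (c.Forwarded == nil && c.Name == "ForwardedEvents") ||
		(c.Forwarded != nil && *c.Forwarded)
	if forwarded {
		l.render = func(event win.EvtHandle) (string, error) {
			return win.RenderEventXML(event, l.renderBuf)
		}
	} else {
		// Local events are rendered with the shared buffer and the
		// message-file cache as the metadata lookup.
		l.render = func(event win.EvtHandle) (string, error) {
			return win.RenderEvent(event, 0, l.renderBuf, l.cache.get)
		}
	}

	return l, nil
}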