func (l *winEventLog) Read() ([]Record, error) { handles, err := sys.EventHandles(l.subscription, l.maxRead) if err == sys.ERROR_NO_MORE_ITEMS { detailf("%s No more events", l.logPrefix) return nil, nil } if err != nil { logp.Warn("%s EventHandles returned error %v Errno: %d", l.logPrefix, err) return nil, err } defer func() { for _, h := range handles { sys.Close(h) } }() detailf("%s EventHandles returned %d handles", l.logPrefix, len(handles)) var records []Record for _, h := range handles { e, err := sys.RenderEvent(h, l.systemCtx, 0, l.renderBuf, l.cache.get) if err != nil { logp.Err("%s Dropping event with rendering error. %v", l.logPrefix, err) continue } r := Record{ API: winEventLogAPIName, EventLogName: e.Channel, SourceName: e.ProviderName, ComputerName: e.Computer, RecordNumber: e.RecordID, EventID: uint32(e.EventID), Level: e.Level, Category: e.Task, Message: e.Message, MessageErr: e.MessageErr, EventMetadata: l.eventMetadata, } if e.TimeCreated != nil { r.TimeGenerated = *e.TimeCreated } if e.UserSID != nil { r.User = &User{ Identifier: e.UserSID.Identifier, Name: e.UserSID.Name, Domain: e.UserSID.Domain, Type: e.UserSID.Type.String(), } } records = append(records, r) } debugf("%s Read() is returning %d records", l.logPrefix, len(records)) return records, nil }
func (l *winEventLog) Read() ([]Record, error) { handles, err := win.EventHandles(l.subscription, l.maxRead) if err == win.ERROR_NO_MORE_ITEMS { detailf("%s No more events", l.logPrefix) return nil, nil } if err != nil { logp.Warn("%s EventHandles returned error %v Errno: %d", l.logPrefix, err) return nil, err } defer func() { for _, h := range handles { win.Close(h) } }() detailf("%s EventHandles returned %d handles", l.logPrefix, len(handles)) var records []Record for _, h := range handles { x, err := win.RenderEvent(h, 0, l.renderBuf, l.cache.get) if bufErr, ok := err.(sys.InsufficientBufferError); ok { detailf("%s Increasing render buffer size to %d", l.logPrefix, bufErr.RequiredSize) l.renderBuf = make([]byte, bufErr.RequiredSize) x, err = win.RenderEvent(h, 0, l.renderBuf, l.cache.get) } if err != nil && x == "" { logp.Err("%s Dropping event with rendering error. %v", l.logPrefix, err) reportDrop(err) continue } r, err := l.buildRecordFromXML(x, err) if err != nil { logp.Err("%s Dropping event. %v", l.logPrefix, err) reportDrop("unmarshal") continue } records = append(records, r) } debugf("%s Read() is returning %d records", l.logPrefix, len(records)) return records, nil }
func (l *eventLog) Read() ([]eventlog.LogRecord, error) { var events []eventlog.LogRecord for { handles, err := sys.EventHandles(l.subscription, l.maxRead) if err == sys.ERROR_NO_MORE_ITEMS { detailf("%s No more events", l.logPrefix) break } if err != nil { errno, _ := err.(syscall.Errno) logp.Warn("%s Failed to read event handles. %v %v", l.logPrefix, err, uint32(errno)) return nil, err } detailf("%s EventHandles returned %d events", l.logPrefix, len(handles)) for _, h := range handles { evt, _, err := sys.RenderEvent(h, sys.NullEvtHandle, 0, l.renderBuf, nil) if err != nil { logp.Err("%s Error rendering event. %v", l.logPrefix, err) continue } events = append(events, eventlog.LogRecord{ EventLogName: evt.Channel, SourceName: evt.ProviderName, ComputerName: evt.Computer, RecordNumber: evt.RecordID, EventID: uint32(evt.EventID), EventType: evt.Level, // convert EventCategory: evt.Task, TimeGenerated: *evt.TimeCreated, UserSID: evt.UserSID, Message: evt.Message, }) } } return events, nil }
// newWinEventLog creates and returns a new EventLog for reading event logs // using the Windows Event Log. func newWinEventLog(options map[string]interface{}) (EventLog, error) { c := defaultWinEventLogConfig if err := readConfig(options, &c, winEventLogConfigKeys); err != nil { return nil, err } query, err := win.Query{ Log: c.Name, IgnoreOlder: c.SimpleQuery.IgnoreOlder, Level: c.SimpleQuery.Level, EventID: c.SimpleQuery.EventID, Provider: c.SimpleQuery.Provider, }.Build() if err != nil { return nil, err } eventMetadataHandle := func(providerName, sourceName string) sys.MessageFiles { mf := sys.MessageFiles{SourceName: sourceName} h, err := win.OpenPublisherMetadata(0, sourceName, 0) if err != nil { mf.Err = err return mf } mf.Handles = []sys.FileHandle{{Handle: uintptr(h)}} return mf } freeHandle := func(handle uintptr) error { return win.Close(win.EvtHandle(handle)) } l := &winEventLog{ config: c, query: query, channelName: c.Name, maxRead: c.BatchReadSize, renderBuf: make([]byte, renderBufferSize), cache: newMessageFilesCache(c.Name, eventMetadataHandle, freeHandle), logPrefix: fmt.Sprintf("WinEventLog[%s]", c.Name), eventMetadata: c.EventMetadata, } // Forwarded events should be rendered using RenderEventXML. It is more // efficient and does not attempt to use local message files for rendering // the event's message. switch { case c.Forwarded == nil && c.Name == "ForwardedEvents", c.Forwarded != nil && *c.Forwarded == true: l.render = func(event win.EvtHandle) (string, error) { return win.RenderEventXML(event, l.renderBuf) } default: l.render = func(event win.EvtHandle) (string, error) { return win.RenderEvent(event, 0, l.renderBuf, l.cache.get) } } return l, nil }