func (l *winEventLog) buildRecordFromXML(x string, recoveredErr error) (Record, error) { e, err := sys.UnmarshalEventXML([]byte(x)) if err != nil { return Record{}, fmt.Errorf("Failed to unmarshal XML='%s'. %v", x, err) } err = sys.PopulateAccount(&e.User) if err != nil { debugf("%s SID %s account lookup failed. %v", l.logPrefix, e.User.Identifier, err) } if e.RenderErrorCode != 0 { // Convert the render error code to an error message that can be // included in the "message_error" field. e.RenderErr = syscall.Errno(e.RenderErrorCode).Error() } else if recoveredErr != nil { e.RenderErr = recoveredErr.Error() } if logp.IsDebug(detailSelector) { detailf("%s XML=%s Event=%+v", l.logPrefix, x, e) } r := Record{ API: winEventLogAPIName, EventMetadata: l.eventMetadata, Event: e, } if l.config.IncludeXML { r.XML = x } return r, nil }
func (l *eventLogging) Read() ([]Record, error) { flags := win.EVENTLOG_SEQUENTIAL_READ | win.EVENTLOG_FORWARDS_READ if l.seek { flags = win.EVENTLOG_SEEK_READ | win.EVENTLOG_FORWARDS_READ l.seek = false } var numBytesRead int err := retry( func() error { l.readBuf = l.readBuf[0:cap(l.readBuf)] // TODO: Use number of bytes to grow the buffer size as needed. var err error numBytesRead, err = win.ReadEventLog( l.handle, flags, l.recordNumber, l.readBuf) return err }, l.readRetryErrorHandler) if err != nil { debugf("%s ReadEventLog returned error %v", l.logPrefix, err) return readErrorHandler(err) } detailf("%s ReadEventLog read %d bytes", l.logPrefix, numBytesRead) l.readBuf = l.readBuf[0:numBytesRead] events, _, err := win.RenderEvents( l.readBuf[:numBytesRead], 0, l.formatBuf, l.handles.get) if err != nil { return nil, err } detailf("%s RenderEvents returned %d events", l.logPrefix, len(events)) records := make([]Record, 0, len(events)) for _, e := range events { // The events do not contain the name of the event log so we must add // the name of the log from which we are reading. e.Channel = l.name err = sys.PopulateAccount(&e.User) if err != nil { debugf("%s SID %s account lookup failed. %v", l.logPrefix, e.User.Identifier, err) } records = append(records, Record{ API: eventLoggingAPIName, EventMetadata: l.eventMetadata, Event: e, }) } if l.ignoreFirst && len(records) > 0 { debugf("%s Ignoring first event with record ID %d", l.logPrefix, records[0].RecordID) records = records[1:] l.ignoreFirst = false } records = filter(records, l.ignoreOlder) debugf("%s Read() is returning %d records", l.logPrefix, len(records)) return records, nil }