wevtapi

package
v0.0.0-...-c7163dc Latest Latest
Published: Sep 16, 2022 License: GPL-3.0 Imports: 9 Imported by: 0

Documentation

Rendered for windows/amd64

Index

Constants

// Enumerations mirrored from the wevtapi C headers. The identifiers are kept
// exactly as in the Windows SDK (not Go MixedCaps) so they can be looked up on
// the linked reference pages; they are untyped integer constants and convert
// implicitly to EVT_SUBSCRIBE_NOTIFY_ACTION or win32.DWORD at the call site.
const (
	// EVT_SUBSCRIBE_NOTIFY_ACTION enum: https://msdn.microsoft.com/en-us/library/windows/desktop/aa385596(v=vs.85).aspx
	//typedef enum _EVT_SUBSCRIBE_NOTIFY_ACTION {
	// Action value handed to an EVT_SUBSCRIBE_CALLBACK. Per the linked page,
	// Error means the Event argument carries a Win32 error code instead of an
	// event handle; Deliver means Event is an event to render.
	EvtSubscribeActionError   = 0
	EvtSubscribeActionDeliver = 1

	// EVT_RENDER_FLAGS enum: https://msdn.microsoft.com/en-us/library/windows/desktop/aa385563(v=vs.85).aspx
	//typedef enum _EVT_RENDER_FLAGS {
	// Flags for EvtRender; EvtRenderXML in this package presumably renders
	// with EvtRenderEventXml (its name suggests so — confirm in the source).
	EvtRenderEventValues = 0
	EvtRenderEventXml    = 1
	EvtRenderBookmark    = 2

	// EVT_SUBSCRIBE_FLAGS enum: https://msdn.microsoft.com/en-us/library/windows/desktop/aa385588(v=vs.85).aspx
	//typedef enum _EVT_SUBSCRIBE_FLAGS {
	// The three origin values (1..3) are mutually exclusive and select where
	// the subscription starts; EvtSubscribeOriginMask (0x3) isolates that
	// field from the option bits below, so they can be OR-ed together.
	EvtSubscribeToFutureEvents      = 1
	EvtSubscribeStartAtOldestRecord = 2
	EvtSubscribeStartAfterBookmark  = 3
	EvtSubscribeOriginMask          = 0x3
	// Per the linked page, TolerateQueryErrors completes the subscription even
	// when part of the query cannot be read (e.g. an inaccessible or missing
	// channel — confirm the exact conditions there), whereas Strict makes such
	// a condition fail the call. For a monitoring pipeline Strict is the safer
	// choice: a channel skipped under TolerateQueryErrors is a silent gap in
	// coverage that nothing downstream can observe.
	EvtSubscribeTolerateQueryErrors = 0x1000
	EvtSubscribeStrict              = 0x10000
)
// Win32 error codes specific to the Windows Event Log API (the ERROR_EVT_*
// range of winerror.h). Names are kept as in the SDK header. They are untyped
// integer constants, so an Errno returned by a wevtapi call can be compared
// directly, e.g. `errno == ERROR_EVT_CHANNEL_NOT_FOUND`. 15006 is skipped in
// this list; the SDK header appears to assign no ERROR_EVT_* value to it —
// verify against the winerror.h in use rather than treating it as an omission.
//
// ERROR_EVT_INVALID_QUERY and the ERROR_EVT_FILTER_* codes are what a
// malformed XPath/structured-XML query yields; if the query string is ever
// assembled from external input, these should be surfaced to the operator
// rather than retried.
const (
	ERROR_EVT_INVALID_CHANNEL_PATH                          = 15000
	ERROR_EVT_INVALID_QUERY                                 = 15001
	ERROR_EVT_PUBLISHER_METADATA_NOT_FOUND                  = 15002
	ERROR_EVT_EVENT_TEMPLATE_NOT_FOUND                      = 15003
	ERROR_EVT_INVALID_PUBLISHER_NAME                        = 15004
	ERROR_EVT_INVALID_EVENT_DATA                            = 15005
	ERROR_EVT_CHANNEL_NOT_FOUND                             = 15007
	ERROR_EVT_MALFORMED_XML_TEXT                            = 15008
	ERROR_EVT_SUBSCRIPTION_TO_DIRECT_CHANNEL                = 15009
	ERROR_EVT_CONFIGURATION_ERROR                           = 15010
	ERROR_EVT_QUERY_RESULT_STALE                            = 15011
	ERROR_EVT_QUERY_RESULT_INVALID_POSITION                 = 15012
	ERROR_EVT_NON_VALIDATING_MSXML                          = 15013
	ERROR_EVT_FILTER_ALREADYSCOPED                          = 15014
	ERROR_EVT_FILTER_NOTELTSET                              = 15015
	ERROR_EVT_FILTER_INVARG                                 = 15016
	ERROR_EVT_FILTER_INVTEST                                = 15017
	ERROR_EVT_FILTER_INVTYPE                                = 15018
	ERROR_EVT_FILTER_PARSEERR                               = 15019
	ERROR_EVT_FILTER_UNSUPPORTEDOP                          = 15020
	ERROR_EVT_FILTER_UNEXPECTEDTOKEN                        = 15021
	ERROR_EVT_INVALID_OPERATION_OVER_ENABLED_DIRECT_CHANNEL = 15022
	ERROR_EVT_INVALID_CHANNEL_PROPERTY_VALUE                = 15023
	ERROR_EVT_INVALID_PUBLISHER_PROPERTY_VALUE              = 15024
	ERROR_EVT_CHANNEL_CANNOT_ACTIVATE                       = 15025
	ERROR_EVT_FILTER_TOO_COMPLEX                            = 15026
	ERROR_EVT_MESSAGE_NOT_FOUND                             = 15027
	ERROR_EVT_MESSAGE_ID_NOT_FOUND                          = 15028
	ERROR_EVT_UNRESOLVED_VALUE_INSERT                       = 15029
	ERROR_EVT_UNRESOLVED_PARAMETER_INSERT                   = 15030
	ERROR_EVT_MAX_INSERTS_REACHED                           = 15031
	ERROR_EVT_EVENT_DEFINITION_NOT_FOUND                    = 15032
	ERROR_EVT_MESSAGE_LOCALE_NOT_FOUND                      = 15033
	ERROR_EVT_VERSION_TOO_OLD                               = 15034
	ERROR_EVT_VERSION_TOO_NEW                               = 15035
	ERROR_EVT_CANNOT_OPEN_CHANNEL_OF_QUERY                  = 15036
	ERROR_EVT_PUBLISHER_DISABLED                            = 15037
	ERROR_EVT_FILTER_OUT_OF_RANGE                           = 15038
)

Variables

This section is empty.

Functions

func EvtRenderXML

func EvtRenderXML(Context EVT_HANDLE) ([]byte, error)

func GotSignal

func GotSignal(signals chan bool) (signal bool, gotsig bool)

func TestCallback

func TestCallback(Action EVT_SUBSCRIBE_NOTIFY_ACTION, UserContext win32.PVOID, Event EVT_HANDLE) uintptr

Types

type Data

// Data is one <Data Name="..."> element of an event's EventData section.
// Value is captured with ",innerxml", so it holds the element's raw inner XML
// verbatim: character entities are not decoded and any nested markup is kept.
// Code that forwards Value as plain text (e.g. into JSON) should therefore
// expect escaped sequences such as &amp; to appear as written.
type Data struct {
	Name  string `xml:"Name,attr"`
	Value string `xml:",innerxml"`

} //`xml:"Data"`

type EVT_HANDLE

// EVT_HANDLE is the wevtapi handle type (session, subscription, result-set,
// bookmark or event handle) as returned by EvtSubscribe, EvtPullSubscribe and
// EvtNext in this package. No EvtClose wrapper appears in the exported API, so
// how the event handles returned by EvtNext are released is not visible here —
// presumably through the raw API; confirm, because unreleased handles
// accumulate over the lifetime of a long-running subscription.
type EVT_HANDLE win32.HANDLE

func EvtNext

func EvtNext(ResultSet EVT_HANDLE, Timeout win32.DWORD) ([]EVT_HANDLE, error)

func EvtPullSubscribe

func EvtPullSubscribe(
	Session EVT_HANDLE,
	SignalEvent win32.HANDLE,
	ChannelPath string,
	Query string,
	Bookmark EVT_HANDLE,
	context win32.PVOID,
	Flags win32.DWORD) (EVT_HANDLE, error)

func EvtSubscribe

func EvtSubscribe(
	Session EVT_HANDLE,
	SignalEvent win32.HANDLE,
	ChannelPath string,
	Query string,
	Bookmark EVT_HANDLE,
	context win32.PVOID,
	Callback EVT_SUBSCRIBE_CALLBACK,
	Flags win32.DWORD) (EVT_HANDLE, error)

type EVT_SUBSCRIBE_CALLBACK

// EVT_SUBSCRIBE_CALLBACK mirrors the C EVT_SUBSCRIBE_CALLBACK signature used by
// EvtSubscribe. Action says whether Event is an event handle
// (EvtSubscribeActionDeliver) or an error code (EvtSubscribeActionError);
// UserContext is the pointer passed as context to EvtSubscribe; the uintptr
// result is the value returned to the C caller. Presumably the value is wrapped
// with syscall.NewCallback before being handed to the API — confirm in the
// source. A callback of this kind is invoked from a thread the event log
// service controls, so it should return promptly and must not panic.
type EVT_SUBSCRIBE_CALLBACK func(Action EVT_SUBSCRIBE_NOTIFY_ACTION, UserContext win32.PVOID, Event EVT_HANDLE) uintptr

type EVT_SUBSCRIBE_NOTIFY_ACTION

// EVT_SUBSCRIBE_NOTIFY_ACTION stands in for the C enum
// _EVT_SUBSCRIBE_NOTIFY_ACTION. Its expected values are EvtSubscribeActionError
// (0) and EvtSubscribeActionDeliver (1); any other value reaching a callback is
// outside the documented contract and is worth logging rather than being
// treated as a delivery.
type EVT_SUBSCRIBE_NOTIFY_ACTION int

Should be an enum _EVT_SUBSCRIBE_NOTIFY_ACTION

type EventProvider

// EventProvider is the common interface of PullEventProvider and
// PushEventProvider. FetchEvents starts collecting events from the named
// channels and returns the Go channel on which parsed events are delivered;
// flag is presumably one of the EvtSubscribe* origin values
// (EvtSubscribeToFutureEvents, EvtSubscribeStartAtOldestRecord, ...) — confirm
// against the implementations. Stop ends collection; whether the returned
// channel is closed on Stop is not visible from the signatures.
type EventProvider interface {
	FetchEvents(channels []string, flag int) (c chan *XMLEvent)
	Stop()
}

EventProvider interface definition

type JSONEvent

// JSONEvent is the JSON-oriented shape of an event, built from an XMLEvent by
// (*XMLEvent).ToJSONEvent. The System section mirrors XMLEvent.System field
// for field; EventData is flattened to a name→value string map and UserData is
// kept as a free-form map, both omitted from the JSON output when empty.
// encoding/xml cannot decode into map fields, so the `xml:"EventData"` tag on
// the map is inert: this type is not meant to be unmarshalled from XML
// directly. Numeric-looking fields (EventID, Level, Task, ProcessID, ...) are
// kept as strings exactly as they appear in the rendered event XML.
type JSONEvent struct {
	Event struct {
		// EventData entries are presumably keyed by each Data element's Name
		// attribute (see ToJSONEvent); omitted when empty.
		EventData map[string]string      `xml:"EventData" json:",omitempty"`
		// UserData layout is provider-specific and not known a priori.
		UserData  map[string]interface{} `json:",omitempty"`
		System    struct {
			Provider struct {
				Name string `xml:"Name,attr"`
				Guid string `xml:"Guid,attr"`
			} `xml:"Provider"`
			EventID     string `xml:"EventID"`
			Version     string `xml:"Version"`
			Level       string `xml:"Level"`
			Task        string `xml:"Task"`
			Opcode      string `xml:"Opcode"`
			Keywords    string `xml:"Keywords"`
			TimeCreated struct {
				SystemTime string `xml:"SystemTime,attr"`
			} `xml:"TimeCreated"`
			EventRecordID string `xml:"EventRecordID"`
			// Correlation carries no fields, so it always serialises as {}.
			Correlation   struct {
			} `xml:"Correlation"`
			Execution struct {
				ProcessID string `xml:"ProcessID,attr"`
				ThreadID  string `xml:"ThreadID,attr"`
			} `xml:"Execution"`
			Channel  string `xml:"Channel"`
			Computer string `xml:"Computer"`
			Security struct {
				UserID string `xml:"UserID,attr"`
			} `xml:"Security"`
		} `xml:"System"`
	}
}

JSONEvent structure definition

func NewJSONEvent

func NewJSONEvent() (je JSONEvent)

NewJSONEvent creates a new JSONEvent structure

type PullEventProvider

// PullEventProvider collects events with the "pull" design, i.e. without a
// callback from an API thread into Go — presumably EvtPullSubscribe with a
// signal event followed by EvtNext (confirm in the source). Its fields are
// unexported; construct it with NewPullEventProvider.
type PullEventProvider struct {
	// contains filtered or unexported fields
}

PullEventProvider structure definition. Windows event provider using the "Pull" design pattern (i.e. not using the callback function of EvtSubscribe).

func NewPullEventProvider

func NewPullEventProvider() *PullEventProvider

NewPullEventProvider is the PullEventProvider constructor

func (*PullEventProvider) FetchEvents

func (e *PullEventProvider) FetchEvents(channels []string, flag int) (c chan *XMLEvent)

FetchEvents implements EventProvider interface

func (*PullEventProvider) Stop

func (e *PullEventProvider) Stop()

Stop implements EventProvider interface

type PushEventProvider

// PushEventProvider collects events with the "push" design: it passes an
// EVT_SUBSCRIBE_CALLBACK to EvtSubscribe and the API calls back into Go for
// every delivered event. Its fields are unexported; construct it with
// NewPushEventProvider.
type PushEventProvider struct {
	// contains filtered or unexported fields
}

PushEventProvider relies on the push design pattern of EvtSubscribe (i.e. it passes a callback function when calling the EvtSubscribe API)

func NewPushEventProvider

func NewPushEventProvider() *PushEventProvider

NewPushEventProvider constructs a new PushEventProvider

func (*PushEventProvider) FetchEvents

func (p *PushEventProvider) FetchEvents(channels []string, flag int) (c chan *XMLEvent)

FetchEvents implements EventProvider interface

func (*PushEventProvider) Stop

func (p *PushEventProvider) Stop()

Stop implements EventProvider interface

type XMLEvent

// XMLEvent is the direct unmarshalling of one rendered event, i.e. the <Event>
// element that EvtRenderXML returns. EventData is decoded as a list of Data
// elements and UserData through XMLMap, because its layout depends on the
// provider. All text fields are copied from the event record as-is; for many
// event types that text originates from the logged activity itself, so treat
// it as untrusted input when it is used to build queries, file names or log
// lines downstream.
type XMLEvent struct {
	// seems to always have the same format
	// if not consider using XMLMap
	EventData struct {
		Data []Data
	} `xml:"EventData,omitempty"`
	// Using XMLMap type because we don't know what is inside (a priori)
	UserData XMLMap
	System   struct {
		Provider struct {
			Name string `xml:"Name,attr"`
			Guid string `xml:"Guid,attr"`
		} `xml:"Provider"`
		EventID     string `xml:"EventID"`
		Version     string `xml:"Version"`
		Level       string `xml:"Level"`
		Task        string `xml:"Task"`
		Opcode      string `xml:"Opcode"`
		Keywords    string `xml:"Keywords"`
		TimeCreated struct {
			SystemTime string `xml:"SystemTime,attr"`
		} `xml:"TimeCreated"`
		EventRecordID string `xml:"EventRecordID"`
		// Correlation carries no fields; the element is matched but its
		// attributes are dropped.
		Correlation   struct {
		} `xml:"Correlation"`
		Execution struct {
			ProcessID string `xml:"ProcessID,attr"`
			ThreadID  string `xml:"ThreadID,attr"`
		} `xml:"Execution"`
		Channel  string `xml:"Channel"`
		Computer string `xml:"Computer"`
		Security struct {
			UserID string `xml:"UserID,attr"`
		} `xml:"Security"`
	} `xml:"System"`
}

func (*XMLEvent) ToJSONEvent

func (xe *XMLEvent) ToJSONEvent() *JSONEvent

func (*XMLEvent) ToMap

func (xe *XMLEvent) ToMap() *map[string]interface{}

ToMap converts an XMLEvent to a structure suitable for serialization, in which EventData / UserData do not appear if empty

type XMLMap

// XMLMap is a generic element→content map used for XML sections whose layout
// is not known in advance (XMLEvent.UserData). It decodes itself through
// (*XMLMap).UnmarshalXML, which initialises a nil map in place so the type can
// be nested in other structures without prior allocation.
type XMLMap map[string]interface{}

func (*XMLMap) UnmarshalXML

func (m *XMLMap) UnmarshalXML(d *xml.Decoder, start xml.StartElement) error

UnmarshalXML unmarshals the XML into a map of string to strings, creating a key in the map for each tag and setting its value to the tag's contents.

The fact that this function is defined on the pointer to the map is important, so that if m is nil it can be initialized, which is often the case when m is nested in another XML structure. This is also why the first thing the function does is initialize it.
