Documentation
Index
- func ReadEtlFile(path string, callback EventCallback, options ...SessionOption) error
- type CompareOperation
- type EventDescriptor
- type EventFieldType
- type EventFilter
- type EventFilterDescriptor
- type EventFilterType
- type EventIdFilter
- type EventPayloadCompare
- type EventPayloadFilter
- type Provider
- func (p Provider) ListChannels() ([]ProviderField, error)
- func (p Provider) ListEvents() ([]EventDescriptor, error)
- func (p Provider) ListKeywords() ([]ProviderField, error)
- func (p Provider) ListLevels() ([]ProviderField, error)
- func (p Provider) QueryField(fieldValue uint64, fieldType EventFieldType) ([]ProviderField, error)
- func (p Provider) QueryOpcode(taskValue uint16, opcodeValue uint8) (ProviderField, error)
- func (p Provider) QueryTask(taskValue uint16) (ProviderField, error)
- type ProviderField
Functions
func ReadEtlFile
Types
type CompareOperation
    type CompareOperation uint16

    const (
        CompareIntegerEqual CompareOperation = iota
        CompareIntegerNotEqual
        CompareIntegerLessOrEqual
        CompareIntegerGreater
        CompareIntegerLess
        CompareIntegerGreatorOrEqual
        CompareIntegerBetween
        CompareIntegerNotBetween
        CompareIntegerModulo
    )

    const (
        CompareStringContains    CompareOperation = 20
        CompareStringNotContains CompareOperation = 21
        CompareStringEquals      CompareOperation = 30
        CompareStringNotEquals   CompareOperation = 31
    )
type EventDescriptor
    type EventDescriptor struct {
        ID      uint16
        Version uint8
        Channel uint8
        Level   uint8
        OpCode  uint8
        Task    uint16
        Keyword uint64
    }
EventDescriptor contains the low-level metadata that identifies a received event. Most of its fields can be used to refine event filtering.
For detailed information about the field values, refer to the EVENT_DESCRIPTOR docs: https://docs.microsoft.com/ru-ru/windows/win32/api/evntprov/ns-evntprov-event_descriptor
type EventFieldType
    type EventFieldType uint32

    const (
        EventKeywordInformation EventFieldType = iota
        EventLevelInformation
        EventChannelInformation
        EventTaskInformation
        EventOpcodeInformation
    )
type EventFilter
    type EventFilter interface {
        EventFilterDescriptor() (EventFilterDescriptor, error)
        Type() EventFilterType
        Merge(filter EventFilter) (EventFilter, error)
    }
type EventFilterDescriptor
    type EventFilterDescriptor struct {
        Descriptor eventFilterDescriptorC
        Close      func() error
    }
type EventFilterType
    type EventFilterType uint32
type EventIdFilter
    type EventIdFilter struct {
        // The Event IDs that the filter should look for
        EventIds []uint16
        // True for a filter that accepts only the given Event IDs, False for a filter that rejects the given Event IDs
        PositiveFilter bool
    }
EventIdFilter is a simple filter that filters by Event ID. Either a positive filter can be defined that allows only specific Event IDs or a negative filter that disallows specific Event IDs. Specifying both types is not allowed.
func (EventIdFilter) EventFilterDescriptor
    func (e EventIdFilter) EventFilterDescriptor() (EventFilterDescriptor, error)
func (EventIdFilter) Merge
    func (e EventIdFilter) Merge(other EventFilter) (EventFilter, error)
func (EventIdFilter) Type
    func (e EventIdFilter) Type() EventFilterType
type EventPayloadCompare
    type EventPayloadCompare struct {
        Field     string
        Value     string
        Operation CompareOperation
    }
type EventPayloadFilter
    type EventPayloadFilter struct {
        FilteredProvider   windows.GUID
        FilteredDescriptor EventDescriptor
        Comparisons        []EventPayloadCompare
        AnyMatches         bool
    }
func (EventPayloadFilter) EventFilterDescriptor
    func (e EventPayloadFilter) EventFilterDescriptor() (EventFilterDescriptor, error)
func (EventPayloadFilter) Merge
    func (EventPayloadFilter) Merge(filter EventFilter) (EventFilter, error)
func (EventPayloadFilter) Type
    func (EventPayloadFilter) Type() EventFilterType
type Provider
func ListProviders
func LookupProvider
func (Provider) ListChannels
    func (p Provider) ListChannels() ([]ProviderField, error)
func (Provider) ListEvents
    func (p Provider) ListEvents() ([]EventDescriptor, error)
func (Provider) ListKeywords
    func (p Provider) ListKeywords() ([]ProviderField, error)
func (Provider) ListLevels
    func (p Provider) ListLevels() ([]ProviderField, error)
func (Provider) QueryField
    func (p Provider) QueryField(fieldValue uint64, fieldType EventFieldType) ([]ProviderField, error)
func (Provider) QueryOpcode
    func (p Provider) QueryOpcode(taskValue uint16, opcodeValue uint8) (ProviderField, error)
type ProviderField
Source Files