package eventlog
import (
"fmt"
"strconv"
"strings"
"time"
"github.com/elastic/beats/libbeat/common"
"github.com/elastic/beats/libbeat/logp"
)
// debugf is the package's debug logger, created by logp.MakeDebug for the
// "eventlog" selector.
var debugf = logp.MakeDebug("eventlog")

// detailf is a second, finer-grained debug logger under the
// "eventlog_detail" selector, for output too verbose for debugf.
var detailf = logp.MakeDebug("eventlog_detail")
// EventLog is an interface to a Windows Event Log. Implementations are
// expected to be used in the order Open, Read (repeatedly), Close.
type EventLog interface {
	// Open the event log. recordNumber is the last successfully read event log
	// record number. Read will resume from recordNumber + 1. To start reading
	// from the first event specify a recordNumber of 0.
	Open(recordNumber uint64) error

	// Read records from the event log. It returns the records read since the
	// previous call (or since Open) and any error encountered.
	Read() ([]Record, error)

	// Close the event log. It should not be re-opened after closing.
	Close() error

	// Name returns the event log's name.
	Name() string
}
// Record represents a single event from the log.
//
// Message and MessageInserts carry content written by the application that
// logged the event, not by this package; nothing here validates or escapes
// that text, so consumers should treat it as untrusted input.
type Record struct {
	API            string    // The event log API type used to read the record.
	EventLogName   string    // The name of the event log from which this record was read.
	SourceName     string    // The source of the event log record (the application or service that logged the record).
	ComputerName   string    // The name of the computer that generated the record.
	RecordNumber   uint64    // The record number of the event log record.
	EventID        uint32    // The event identifier. The value is specific to the source of the event.
	Level          string    // The level or severity of the event.
	Category       string    // The category for this event. The meaning of this value depends on the event source.
	TimeGenerated  time.Time // The timestamp when the record was generated.
	User           *User     // The user that logged the record. May be nil.
	Message        string    // The formatted message from the event log. Empty when formatting did not produce one.
	MessageInserts []string  // The raw message data logged by an application.
	MessageErr     error     // The error that occurred while reading and formatting the message from the event log. nil when there was none.
}
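// String returns a single-line, human-readable summary of the Record with one
// bracketed value per field. It is meant for logging and debugging rather
// than machine parsing: field values are rendered verbatim, with no escaping
// of brackets or newlines they may contain.
//
// MessageErr is an interface value that is nil for most records, so it is
// formatted with %v; %s on a nil interface would print fmt's "%!s(<nil>)"
// marker instead of "<nil>".
func (r Record) String() string {
	return fmt.Sprintf("Record API[%s] EventLogName[%s] SourceName[%s] "+
		"ComputerName[%s] RecordNumber[%d] EventID[%d] Level[%s] "+
		"Category[%s] TimeGenerated[%s] User[%s] "+
		"Message[%s] MessageInserts[%s] MessageErr[%v]", r.API,
		r.EventLogName, r.SourceName, r.ComputerName, r.RecordNumber,
		r.EventID, r.Level, r.Category, r.TimeGenerated, r.User,
		r.Message, strings.Join(r.MessageInserts, ", "), r.MessageErr)
}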
// ToMapStr returns a new common.MapStr holding the Record's data. Values are
// copied as-is, with no escaping or truncation. Keys whose value would be
// empty (message, message_inserts, message_error, category, user and the
// optional user sub-fields) are omitted rather than emitted with zero values.
func (r Record) ToMapStr() common.MapStr {
	out := common.MapStr{
		"@timestamp":    common.Time(r.TimeGenerated),
		"log_name":      r.EventLogName,
		"source_name":   r.SourceName,
		"computer_name": r.ComputerName,
		// record_number is a decimal string rather than a number: a uint64
		// can exceed the range of a Java long on the consuming side.
		"record_number": strconv.FormatUint(r.RecordNumber, 10),
		"event_id":      r.EventID,
		"level":         r.Level,
		"type":          r.API,
		"count":         1,
	}

	// A formatted message takes precedence; only when it is absent are the
	// raw inserts and any formatting error exposed.
	if r.Message == "" {
		if len(r.MessageInserts) != 0 {
			out["message_inserts"] = r.MessageInserts
		}
		if r.MessageErr != nil {
			out["message_error"] = r.MessageErr.Error()
		}
	} else {
		out["message"] = r.Message
	}

	if r.Category != "" {
		out["category"] = r.Category
	}

	if u := r.User; u != nil {
		user := common.MapStr{"identifier": u.Identifier}
		// Only non-empty optional account attributes are included.
		optional := []struct{ key, val string }{
			{"name", u.Name},
			{"domain", u.Domain},
			{"type", u.Type},
		}
		for _, f := range optional {
			if f.val != "" {
				user[f.key] = f.val
			}
		}
		out["user"] = user
	}

	return out
}
// User contains information about a Windows account, as attached to a
// Record. Only Identifier is always set; the other fields may be empty.
type User struct {
	Identifier string // Unique identifier used by Windows to ID the account.
	Name       string // User name. May be empty.
	Domain     string // Domain that the user is a member of. May be empty.
	Type       string // Type of account (e.g. User, Computer, Service). May be empty.
}
// String returns a single-line representation of the User for logging and
// debugging. It includes Name, Domain and Type; Identifier is not shown.
func (u User) String() string {
	return "User Name[" + u.Name + "] Domain[" + u.Domain + "] Type[" + u.Type + "]"
}