Documentation
Index
- type Buffer
- func (b *Buffer) FirstByte() *byte
- func (b *Buffer) ReadBytes(offset uint32) ([]byte, error)
- func (b *Buffer) ReadString(offset uint32) (string, error)
- func (b *Buffer) ReadWideChars(offset uint32) ([]byte, error)
- func (b *Buffer) SizeBytes() uint32
- func (b *Buffer) SizeWide() uint32
- func (b *Buffer) UpdateSizeBytes(size uint32)
- func (b *Buffer) UpdateSizeWide(size uint32)
- type Config
- type Correlation
- type Data
- type DebugData
- type EventData
- type EventDataFormat
- type EventID
- type EventXML
- type Execution
- type ProcessingErrorData
- type Provider
- type RemoteConfig
- type RenderingInfo
- type Security
- type TimeCreated
- type UserData
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type Buffer
type Buffer struct {
// contains filtered or unexported fields
}
Buffer is a buffer of UTF-16 bytes.
func NewBuffer
func NewBuffer() *Buffer
NewBuffer creates a new buffer with the default buffer size.
func (*Buffer) ReadBytes
func (b *Buffer) ReadBytes(offset uint32) ([]byte, error)
ReadBytes reads UTF-8 bytes from the buffer, where offset is the number of bytes to read.
func (*Buffer) ReadString
func (b *Buffer) ReadString(offset uint32) (string, error)
ReadString reads a UTF-8 string from the buffer.
func (*Buffer) ReadWideChars
func (b *Buffer) ReadWideChars(offset uint32) ([]byte, error)
ReadWideChars reads UTF-8 bytes from the buffer, where offset is the number of wchars (UTF-16 code units) to read.
func (*Buffer) UpdateSizeBytes
func (b *Buffer) UpdateSizeBytes(size uint32)
UpdateSizeBytes updates the size of the buffer to fit size bytes.
func (*Buffer) UpdateSizeWide
func (b *Buffer) UpdateSizeWide(size uint32)
UpdateSizeWide updates the size of the buffer to fit size wchars.
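The Buffer methods above count in two different units: ReadBytes and UpdateSizeBytes take a byte count, while ReadWideChars and UpdateSizeWide take a count of UTF-16 code units (wchars). The following is an added example, not code from this package, that implements the same contract as a standalone decoder over a constructed UTF-16LE payload. It shows why a wchar count handed back by an API must be bounds-checked against the buffer before indexing, and what a decoder yields when the count cuts a surrogate pair in half. The names readWideChars, readWideString, sampleWide and errShortBuffer are chosen for this example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
	"unicode/utf16"
)

// utf16Bytes encodes s as UTF-16LE, the in-memory layout Windows wide-char APIs use.
func utf16Bytes(s string) []byte {
	units := utf16.Encode([]rune(s))
	out := make([]byte, 2*len(units))
	for i, u := range units {
		binary.LittleEndian.PutUint16(out[2*i:], u)
	}
	return out
}

// sampleWide is a constructed payload: "Log", a lock emoji (one code point, two UTF-16
// code units) and a NUL terminator. 6 code units, 12 bytes.
var sampleWide = utf16Bytes("Log\U0001F512\x00")

var errShortBuffer = errors.New("requested wide chars exceed buffer size")

// readWideChars decodes the first n UTF-16 code units of buf into a UTF-8 string.
// n is a count of wchars, not bytes, so the byte length is 2*n. The check is done in
// uint64 so a large uint32 count cannot overflow the multiplication and slip past it;
// without the check a bad size from the API would index beyond the buffer.
func readWideChars(buf []byte, n uint32) (string, error) {
	if uint64(n)*2 > uint64(len(buf)) {
		return "", errShortBuffer
	}
	units := make([]uint16, n)
	for i := range units {
		units[i] = binary.LittleEndian.Uint16(buf[2*i:])
	}
	// utf16.Decode replaces an unpaired surrogate with U+FFFD, so a count that
	// stops between the two halves of a pair yields a replacement character.
	return string(utf16.Decode(units)), nil
}

// readWideString decodes n wide chars and cuts the result at the first NUL, the way
// a string copied out of a NUL-terminated wide-char buffer should be consumed.
func readWideString(buf []byte, n uint32) (string, error) {
	s, err := readWideChars(buf, n)
	if err != nil {
		return "", err
	}
	if i := strings.IndexByte(s, 0); i >= 0 {
		s = s[:i]
	}
	return s, nil
}

func main() {
	full, _ := readWideString(sampleWide, 6)
	cut, _ := readWideChars(sampleWide, 4)
	_, err := readWideChars(sampleWide, 7)
	fmt.Printf("full=%q cut=%q oversize=%v\n", full, cut, err)
}
```

The same two checks matter for any consumer of rendered event buffers: the size reported by the API is validated against the allocation before it is used as an index, and truncation is treated as a decoding outcome (a U+FFFD in the output) rather than silently producing a partial code point.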
type Config (added in v0.91.0)
type Config struct {
helper.InputConfig `mapstructure:",squash"`
Channel string `mapstructure:"channel"`
IgnoreChannelErrors bool `mapstructure:"ignore_channel_errors,omitempty"`
MaxReads int `mapstructure:"max_reads,omitempty"`
StartAt string `mapstructure:"start_at,omitempty"`
PollInterval time.Duration `mapstructure:"poll_interval,omitempty"`
MaxEventsPerPoll int `mapstructure:"max_events_per_poll,omitempty"`
// WaitTimeout is the maximum duration to wait for new events before performing a
// safety-net poll in event-driven mode (see EventDrivenScraping config option
// and the stanza.windows.eventDrivenScraping feature gate). Under normal conditions
// the subscription signal fires immediately, so this value is rarely reached.
// Defaults to 5s. Ignored when event-driven scraping is not enabled.
WaitTimeout time.Duration `mapstructure:"wait_timeout,omitempty"`
// EventDrivenScraping controls whether the windows input wakes on Windows API signals
// instead of polling on a fixed interval. When enabled, the input behaves the same as
// when the stanza.windows.eventDrivenScraping feature gate is enabled. Event-driven
// scraping is enabled when either this option or the feature gate is set.
EventDrivenScraping bool `mapstructure:"event_driven_scraping,omitempty"`
Raw bool `mapstructure:"raw,omitempty"`
EventDataFormat EventDataFormat `mapstructure:"event_data_format,omitempty"`
IncludeLogRecordOriginal bool `mapstructure:"include_log_record_original,omitempty"`
SuppressRenderingInfo bool `mapstructure:"suppress_rendering_info,omitempty"`
ExcludeProviders []string `mapstructure:"exclude_providers,omitempty"`
Remote RemoteConfig `mapstructure:"remote,omitempty"`
Query *string `mapstructure:"query,omitempty"`
Path *string `mapstructure:"path,omitempty"`
}
Config is the configuration of a Windows event log operator.
func NewConfig (added in v0.91.0)
func NewConfig() *Config
NewConfig returns an event log config with default values.
func NewConfigWithID (added in v0.91.0)
NewConfigWithID returns an event log config with default values.
type Correlation (added in v0.143.0)
type Correlation struct {
// ActivityID and RelatedActivityID are optional fields
// https://learn.microsoft.com/en-us/windows/win32/wes/eventschema-correlation-systempropertiestype-element
ActivityID *string `xml:"ActivityID,attr"`
RelatedActivityID *string `xml:"RelatedActivityID,attr"`
}
Correlation contains the activity identifiers that consumers can use to group related events together.
type Data (added in v0.89.0)
type Data struct {
// https://learn.microsoft.com/en-us/windows/win32/wes/eventschema-datafieldtype-complextype
Name string `xml:"Name,attr"`
Value string `xml:",chardata"`
}
type DebugData (added in v0.149.0)
type DebugData struct {
SequenceNumber uint32 `xml:"SequenceNumber"`
FlagName string `xml:"FlagName"`
LevelName string `xml:"LevelName"`
Component string `xml:"Component"`
SubComponent string `xml:"SubComponent"`
FileLine string `xml:"FileLine"`
Function string `xml:"Function"`
Message string `xml:"Message"`
}
DebugData contains data logged for Windows software tracing. https://learn.microsoft.com/en-us/windows/win32/wes/eventschema-debugdata-eventtype-element
type EventData (added in v0.89.0)
type EventData struct {
// https://learn.microsoft.com/en-us/windows/win32/wes/eventschema-eventdatatype-complextype
// ComplexData is not supported.
Name string `xml:"Name,attr"`
Data []Data `xml:"Data"`
Binary string `xml:"Binary"`
}
type EventDataFormat (added in v0.148.0)
type EventDataFormat string
EventDataFormat controls the structure of the event_data field in the log body.
const (
	// EventDataFormatMap emits event_data as a flat map with named Data elements
	// as direct keys and anonymous Data elements numbered as param1, param2, etc.
	EventDataFormatMap EventDataFormat = "map"
	// EventDataFormatArray emits event_data with a nested "data" array of
	// single-key maps, preserving the original format.
	EventDataFormatArray EventDataFormat = "array"
)
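The two EventDataFormat values describe two renderings of the same EventData element. The following is an added example, not the operator's code, that parses a constructed EventData fragment with the Data and EventData types documented on this page and renders it both ways as the constants describe: named elements as direct keys with anonymous ones numbered param1, param2 in the map form, and a nested "data" array of single-key maps in the array form. The "binary" key used for the Binary element, and the empty-string key for anonymous elements in the array form, are this example's choices; the page does not state what the operator emits for them.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strconv"
)

// Data and EventData copy the XML-tagged shapes documented for this package.
type Data struct {
	Name  string `xml:"Name,attr"`
	Value string `xml:",chardata"`
}

type EventData struct {
	Name   string `xml:"Name,attr"`
	Data   []Data `xml:"Data"`
	Binary string `xml:"Binary"`
}

// sampleEventData is a constructed fragment: two named Data elements, two anonymous
// ones (as legacy providers often emit) and a Binary blob. All values are placeholders.
const sampleEventData = `<EventData>
  <Data Name="SubjectUserName">svc-placeholder</Data>
  <Data Name="LogonType">3</Data>
  <Data>first-anonymous</Data>
  <Data>second-anonymous</Data>
  <Binary>DEADBEEF</Binary>
</EventData>`

func parseEventData(raw string) (EventData, error) {
	var ed EventData
	err := xml.Unmarshal([]byte(raw), &ed)
	return ed, err
}

// formatMap follows the EventDataFormatMap description: named Data elements become
// direct keys and anonymous ones are numbered param1, param2, ... in document order.
func formatMap(ed EventData) map[string]any {
	out := make(map[string]any, len(ed.Data)+1)
	anonymous := 0
	for _, d := range ed.Data {
		key := d.Name
		if key == "" {
			anonymous++
			key = "param" + strconv.Itoa(anonymous)
		}
		// A flat map cannot hold two elements with the same name: a later
		// duplicate overwrites an earlier one. That is the trade-off against
		// the array form, which keeps every element.
		out[key] = d.Value
	}
	if ed.Binary != "" {
		out["binary"] = ed.Binary // key name chosen for this example
	}
	return out
}

// formatArray follows the EventDataFormatArray description: a nested "data" array of
// single-key maps that keeps every element and its order; anonymous elements keep an
// empty name.
func formatArray(ed EventData) map[string]any {
	arr := make([]map[string]string, 0, len(ed.Data))
	for _, d := range ed.Data {
		arr = append(arr, map[string]string{d.Name: d.Value})
	}
	out := map[string]any{"data": arr}
	if ed.Binary != "" {
		out["binary"] = ed.Binary // key name chosen for this example
	}
	return out
}

func main() {
	ed, err := parseEventData(sampleEventData)
	if err != nil {
		panic(err)
	}
	fmt.Println("map:  ", formatMap(ed))
	fmt.Println("array:", formatArray(ed))
}
```

Detection rules that key on event_data fields need to know which format the operator is configured with: a rule written for `event_data.LogonType` only matches the map form, and a provider that emits duplicate Data names loses entries in that form, while the array form keeps them all at the cost of nested access.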
type EventXML
type EventXML struct {
Original string `xml:"-"`
EventID EventID `xml:"System>EventID"`
Provider Provider `xml:"System>Provider"`
Computer string `xml:"System>Computer"`
Channel string `xml:"System>Channel"`
RecordID uint64 `xml:"System>EventRecordID"`
TimeCreated TimeCreated `xml:"System>TimeCreated"`
Level string `xml:"System>Level"`
Task string `xml:"System>Task"`
Opcode string `xml:"System>Opcode"`
Keywords []string `xml:"System>Keywords"`
Security *Security `xml:"System>Security"`
Execution *Execution `xml:"System>Execution"`
EventData EventData `xml:"EventData"`
UserData *UserData `xml:"UserData"`
Correlation *Correlation `xml:"System>Correlation"`
Version uint8 `xml:"System>Version"`
RenderingInfo *RenderingInfo `xml:"RenderingInfo"`
ProcessingErrorData *ProcessingErrorData `xml:"ProcessingErrorData"`
DebugData *DebugData `xml:"DebugData"`
// BinaryEventData contains raw hex-encoded binary data logged by legacy providers.
// https://learn.microsoft.com/en-us/windows/win32/wes/eventschema-binaryeventdata-eventtype-element
BinaryEventData string `xml:"BinaryEventData"`
}
EventXML is the rendered XML of an event. See: https://learn.microsoft.com/en-us/windows/win32/wes/eventschema-schema
type Execution (added in v0.89.0)
type Execution struct {
// ProcessID and ThreadID are required on execution info
ProcessID uint `xml:"ProcessID,attr"`
ThreadID uint `xml:"ThreadID,attr"`
// These remaining fields are all optional for execution info
ProcessorID *uint `xml:"ProcessorID,attr"`
SessionID *uint `xml:"SessionID,attr"`
KernelTime *uint `xml:"KernelTime,attr"`
UserTime *uint `xml:"UserTime,attr"`
ProcessorTime *uint `xml:"ProcessorTime,attr"`
}
Execution contains info pertaining to the process that triggered the event.
type ProcessingErrorData (added in v0.149.0)
type ProcessingErrorData struct {
ErrorCode uint32 `xml:"ErrorCode"`
DataItemName string `xml:"DataItemName"`
EventPayload string `xml:"EventPayload"`
}
ProcessingErrorData contains error information when an event cannot be rendered. https://learn.microsoft.com/en-us/windows/win32/wes/eventschema-processingerrordata-eventtype-element
type Provider
type Provider struct {
Name string `xml:"Name,attr"`
GUID string `xml:"Guid,attr"`
EventSourceName string `xml:"EventSourceName,attr"`
}
Provider is the provider of the event.
type RemoteConfig (added in v0.107.0)
type RemoteConfig struct {
Server string `mapstructure:"server"`
Username string `mapstructure:"username"`
Password string `mapstructure:"password"`
Domain string `mapstructure:"domain,omitempty"`
}
RemoteConfig is the configuration for a remote server.
type RenderingInfo (added in v0.149.0)
type RenderingInfo struct {
Culture string `xml:"Culture,attr"`
Message string `xml:"Message"`
Level string `xml:"Level"`
Task string `xml:"Task"`
Opcode string `xml:"Opcode"`
Channel string `xml:"Channel"`
Provider string `xml:"Provider"`
Keywords []string `xml:"Keywords>Keyword"`
}
RenderingInfo contains human-readable strings for event fields, populated when the event is rendered with publisher metadata (the RenderDeep path). https://learn.microsoft.com/en-us/windows/win32/wes/eventschema-renderinginfotype-complextype
type Security (added in v0.89.0)
type Security struct {
UserID string `xml:"UserID,attr"`
}
Security contains info pertaining to the user triggering the event.
type TimeCreated
type TimeCreated struct {
SystemTime string `xml:"SystemTime,attr"`
}
TimeCreated is the creation time of the event.
type UserData (added in v0.149.0)
type UserData struct {
// Name is the local name of the first child element, which identifies the event type.
Name string
// Data holds the key-value pairs parsed from the first child element's children.
Data map[string]string
}
UserData contains provider-defined event data as an alternative to EventData. The structure is arbitrary and defined by each provider's XML manifest. https://learn.microsoft.com/en-us/windows/win32/wes/eventschema-userdatatype-complextype
func (*UserData) UnmarshalXML (added in v0.149.0)
UnmarshalXML implements xml.Unmarshaler for UserData. It reads the first child element and collects its direct children as key-value pairs.
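UserData is the one type on this page with a hand-written xml.Unmarshaler, because its contents are not fixed by the schema. The following is an added example, not the operator's own code, that implements the documented behaviour (read the first child element, take its local name as Name, collect its direct children as key-value pairs) and wires it into a cut-down EventXML so the `System>...` tag paths from the EventXML definition above are exercised too. The sample event, its provider name, the `urn:example:placeholder` namespace and the struct name `event` are constructed for this example; the real EventXML carries many more fields.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// UserData has the shape documented for this package: Name is the local name of the
// first child element and Data the key-value pairs parsed from that element's children.
type UserData struct {
	Name string
	Data map[string]string
}

// UnmarshalXML implements xml.Unmarshaler following the documented behaviour: consume
// the first child element, record its local name and collect its direct children as
// key/value pairs. Further sibling elements are skipped rather than merged, so a
// provider that emits two top-level children only contributes the first.
func (u *UserData) UnmarshalXML(d *xml.Decoder, start xml.StartElement) error {
	u.Data = map[string]string{}
	for {
		tok, err := d.Token()
		if err != nil {
			return err
		}
		switch t := tok.(type) {
		case xml.StartElement:
			if u.Name != "" {
				if err := d.Skip(); err != nil { // a second child element: ignore it
					return err
				}
				continue
			}
			u.Name = t.Name.Local
			if err := u.collectChildren(d); err != nil {
				return err
			}
		case xml.EndElement:
			return nil // </UserData>
		}
	}
}

// collectChildren reads the direct children of the current element up to its end tag.
// Each child's own character data is stored under the child's local name; elements
// nested deeper than that are dropped, which is the flattening the documented
// "key-value pairs" implies for provider-defined layouts.
func (u *UserData) collectChildren(d *xml.Decoder) error {
	for {
		tok, err := d.Token()
		if err != nil {
			return err
		}
		switch t := tok.(type) {
		case xml.StartElement:
			var value string
			if err := d.DecodeElement(&value, &t); err != nil {
				return err
			}
			u.Data[t.Name.Local] = value
		case xml.EndElement:
			return nil
		}
	}
}

// event is a cut-down EventXML with only the System>... paths this example needs.
// Tags without a namespace match elements in any namespace, so the default
// namespace on <Event> does not get in the way.
type event struct {
	Provider struct {
		Name string `xml:"Name,attr"`
	} `xml:"System>Provider"`
	Channel  string    `xml:"System>Channel"`
	UserData *UserData `xml:"UserData"`
}

// sampleEvent is a constructed event; provider, namespace and values are placeholders.
const sampleEvent = `<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Example-Provider"/>
    <Channel>Application</Channel>
  </System>
  <UserData>
    <ExampleEvent xmlns="urn:example:placeholder">
      <TargetHost>host01.example.internal</TargetHost>
      <Result>ok</Result>
    </ExampleEvent>
  </UserData>
</Event>`

func parseEvent(raw string) (event, error) {
	var ev event
	err := xml.Unmarshal([]byte(raw), &ev)
	return ev, err
}

func main() {
	ev, err := parseEvent(sampleEvent)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s/%s user data %q: %v\n", ev.Provider.Name, ev.Channel, ev.UserData.Name, ev.UserData.Data)
}
```

Because the keys in Data come straight from the provider's manifest, a parser or detection rule downstream should treat them as untrusted field names: the only stable handle is UserData.Name, which identifies the event type, and the per-provider key set below it.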