2021-08-24 04:37:44 +08:00
|
|
|
//go:build windows
|
2020-09-29 06:15:28 +08:00
|
|
|
|
|
|
|
|
// Package win_eventlog Input plugin to collect Windows Event Log messages
|
2022-09-09 02:49:36 +08:00
|
|
|
//
|
|
|
|
|
//revive:disable-next-line:var-naming
|
2020-09-29 06:15:28 +08:00
|
|
|
package win_eventlog
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"syscall"
|
|
|
|
|
"unsafe"
|
|
|
|
|
|
|
|
|
|
"golang.org/x/sys/windows"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
var _ unsafe.Pointer
|
|
|
|
|
|
|
|
|
|
// EvtHandle uintptr
|
|
|
|
|
type EvtHandle uintptr
|
|
|
|
|
|
|
|
|
|
// Do the interface allocations only once for common
|
|
|
|
|
// Errno values.
|
|
|
|
|
const (
|
|
|
|
|
//revive:disable-next-line:var-naming
|
|
|
|
|
errnoERROR_IO_PENDING = 997
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
var (
|
|
|
|
|
//revive:disable-next-line:var-naming
|
|
|
|
|
errERROR_IO_PENDING error = syscall.Errno(errnoERROR_IO_PENDING)
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// EvtFormatMessageFlag defines the values that specify the message string from
|
|
|
|
|
// the event to format.
|
|
|
|
|
type EvtFormatMessageFlag uint32
|
|
|
|
|
|
|
|
|
|
// EVT_FORMAT_MESSAGE_FLAGS enumeration
|
|
|
|
|
// https://msdn.microsoft.com/en-us/library/windows/desktop/aa385525(v=vs.85).aspx
|
|
|
|
|
const (
|
2023-04-25 17:29:23 +08:00
|
|
|
// EvtFormatMessageEvent - Format the event's message string.
|
2020-09-29 06:15:28 +08:00
|
|
|
EvtFormatMessageEvent EvtFormatMessageFlag = iota + 1
|
2023-04-25 17:29:23 +08:00
|
|
|
// EvtFormatMessageLevel - Format the message string of the level specified in the event.
|
2020-09-29 06:15:28 +08:00
|
|
|
EvtFormatMessageLevel
|
2023-04-25 17:29:23 +08:00
|
|
|
// EvtFormatMessageTask - Format the message string of the task specified in the event.
|
2020-09-29 06:15:28 +08:00
|
|
|
EvtFormatMessageTask
|
2023-04-25 17:29:23 +08:00
|
|
|
// EvtFormatMessageOpcode - Format the message string of the task specified in the event.
|
2020-09-29 06:15:28 +08:00
|
|
|
EvtFormatMessageOpcode
|
2023-04-25 17:29:23 +08:00
|
|
|
// EvtFormatMessageKeyword - Format the message string of the keywords specified in the event. If the
|
|
|
|
|
// event specifies multiple keywords, the formatted string is a list of null-terminated strings.
|
|
|
|
|
// Increment through the strings until your pointer points past the end of the used buffer.
|
2020-09-29 06:15:28 +08:00
|
|
|
EvtFormatMessageKeyword
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// errnoErr returns common boxed Errno values, to prevent
|
|
|
|
|
// allocations at runtime.
|
|
|
|
|
func errnoErr(e syscall.Errno) error {
|
|
|
|
|
switch e {
|
|
|
|
|
case 0:
|
|
|
|
|
return nil
|
|
|
|
|
case errnoERROR_IO_PENDING:
|
|
|
|
|
return errERROR_IO_PENDING
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return e
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var (
|
|
|
|
|
modwevtapi = windows.NewLazySystemDLL("wevtapi.dll")
|
|
|
|
|
|
|
|
|
|
procEvtSubscribe = modwevtapi.NewProc("EvtSubscribe")
|
|
|
|
|
procEvtRender = modwevtapi.NewProc("EvtRender")
|
|
|
|
|
procEvtClose = modwevtapi.NewProc("EvtClose")
|
|
|
|
|
procEvtNext = modwevtapi.NewProc("EvtNext")
|
|
|
|
|
procEvtFormatMessage = modwevtapi.NewProc("EvtFormatMessage")
|
|
|
|
|
procEvtOpenPublisherMetadata = modwevtapi.NewProc("EvtOpenPublisherMetadata")
|
2023-03-08 02:53:25 +08:00
|
|
|
procEvtCreateBookmark = modwevtapi.NewProc("EvtCreateBookmark")
|
|
|
|
|
procEvtUpdateBookmark = modwevtapi.NewProc("EvtUpdateBookmark")
|
2020-09-29 06:15:28 +08:00
|
|
|
)
|
|
|
|
|
|
2023-06-09 16:24:43 +08:00
|
|
|
//nolint:revive //argument-limit conditionally more arguments allowed
|
2022-11-11 02:41:43 +08:00
|
|
|
func _EvtSubscribe(
|
|
|
|
|
session EvtHandle,
|
|
|
|
|
signalEvent uintptr,
|
|
|
|
|
channelPath *uint16,
|
|
|
|
|
query *uint16,
|
|
|
|
|
bookmark EvtHandle,
|
|
|
|
|
context uintptr,
|
|
|
|
|
callback syscall.Handle,
|
|
|
|
|
flags EvtSubscribeFlag,
|
2023-04-25 17:29:23 +08:00
|
|
|
) (EvtHandle, error) {
|
|
|
|
|
r0, _, e1 := syscall.SyscallN(
|
2022-11-11 02:41:43 +08:00
|
|
|
procEvtSubscribe.Addr(),
|
|
|
|
|
uintptr(session),
|
2023-04-25 17:29:23 +08:00
|
|
|
signalEvent,
|
2023-04-12 21:32:46 +08:00
|
|
|
uintptr(unsafe.Pointer(channelPath)), //nolint:gosec // G103: Valid use of unsafe call to pass channelPath
|
|
|
|
|
uintptr(unsafe.Pointer(query)), //nolint:gosec // G103: Valid use of unsafe call to pass query
|
2022-11-11 02:41:43 +08:00
|
|
|
uintptr(bookmark),
|
2023-04-25 17:29:23 +08:00
|
|
|
context,
|
2022-11-11 02:41:43 +08:00
|
|
|
uintptr(callback),
|
|
|
|
|
uintptr(flags),
|
|
|
|
|
)
|
2023-04-25 17:29:23 +08:00
|
|
|
|
|
|
|
|
var err error
|
|
|
|
|
handle := EvtHandle(r0)
|
2020-09-29 06:15:28 +08:00
|
|
|
if handle == 0 {
|
|
|
|
|
if e1 != 0 {
|
|
|
|
|
err = errnoErr(e1)
|
|
|
|
|
} else {
|
|
|
|
|
err = syscall.EINVAL
|
|
|
|
|
}
|
|
|
|
|
}
|
2023-04-25 17:29:23 +08:00
|
|
|
return handle, err
|
2020-09-29 06:15:28 +08:00
|
|
|
}
|
|
|
|
|
|
2023-06-09 16:24:43 +08:00
|
|
|
//nolint:revive //argument-limit conditionally more arguments allowed
|
2022-11-11 02:41:43 +08:00
|
|
|
func _EvtRender(
|
|
|
|
|
context EvtHandle,
|
|
|
|
|
fragment EvtHandle,
|
|
|
|
|
flags EvtRenderFlag,
|
|
|
|
|
bufferSize uint32,
|
|
|
|
|
buffer *byte,
|
|
|
|
|
bufferUsed *uint32,
|
|
|
|
|
propertyCount *uint32,
|
2023-04-25 17:29:23 +08:00
|
|
|
) error {
|
|
|
|
|
r1, _, e1 := syscall.SyscallN(
|
2022-11-11 02:41:43 +08:00
|
|
|
procEvtRender.Addr(),
|
|
|
|
|
uintptr(context),
|
|
|
|
|
uintptr(fragment),
|
|
|
|
|
uintptr(flags),
|
|
|
|
|
uintptr(bufferSize),
|
2023-04-12 21:32:46 +08:00
|
|
|
uintptr(unsafe.Pointer(buffer)), //nolint:gosec // G103: Valid use of unsafe call to pass buffer
|
|
|
|
|
uintptr(unsafe.Pointer(bufferUsed)), //nolint:gosec // G103: Valid use of unsafe call to pass bufferUsed
|
|
|
|
|
uintptr(unsafe.Pointer(propertyCount)), //nolint:gosec // G103: Valid use of unsafe call to pass propertyCount
|
2022-11-11 02:41:43 +08:00
|
|
|
)
|
2023-04-25 17:29:23 +08:00
|
|
|
|
|
|
|
|
var err error
|
2020-09-29 06:15:28 +08:00
|
|
|
if r1 == 0 {
|
|
|
|
|
if e1 != 0 {
|
|
|
|
|
err = errnoErr(e1)
|
|
|
|
|
} else {
|
|
|
|
|
err = syscall.EINVAL
|
|
|
|
|
}
|
|
|
|
|
}
|
2023-04-25 17:29:23 +08:00
|
|
|
return err
|
2020-09-29 06:15:28 +08:00
|
|
|
}
|
|
|
|
|
|
2023-04-25 17:29:23 +08:00
|
|
|
func _EvtClose(object EvtHandle) error {
|
|
|
|
|
r1, _, e1 := syscall.SyscallN(procEvtClose.Addr(), uintptr(object))
|
|
|
|
|
var err error
|
2020-09-29 06:15:28 +08:00
|
|
|
if r1 == 0 {
|
|
|
|
|
if e1 != 0 {
|
|
|
|
|
err = errnoErr(e1)
|
|
|
|
|
} else {
|
|
|
|
|
err = syscall.EINVAL
|
|
|
|
|
}
|
|
|
|
|
}
|
2023-04-25 17:29:23 +08:00
|
|
|
return err
|
2020-09-29 06:15:28 +08:00
|
|
|
}
|
|
|
|
|
|
2024-11-14 23:14:40 +08:00
|
|
|
func _EvtNext(resultSet EvtHandle, eventArraySize uint32, eventArray *EvtHandle, timeout, flags uint32, numReturned *uint32) error {
|
2023-04-25 17:29:23 +08:00
|
|
|
r1, _, e1 := syscall.SyscallN(
|
2022-11-11 02:41:43 +08:00
|
|
|
procEvtNext.Addr(),
|
|
|
|
|
uintptr(resultSet),
|
|
|
|
|
uintptr(eventArraySize),
|
2023-04-12 21:32:46 +08:00
|
|
|
uintptr(unsafe.Pointer(eventArray)), //nolint:gosec // G103: Valid use of unsafe call to pass eventArray
|
2022-11-11 02:41:43 +08:00
|
|
|
uintptr(timeout),
|
|
|
|
|
uintptr(flags),
|
2023-04-12 21:32:46 +08:00
|
|
|
uintptr(unsafe.Pointer(numReturned)), //nolint:gosec // G103: Valid use of unsafe call to pass numReturned
|
2022-11-11 02:41:43 +08:00
|
|
|
)
|
2023-04-25 17:29:23 +08:00
|
|
|
|
|
|
|
|
var err error
|
2020-09-29 06:15:28 +08:00
|
|
|
if r1 == 0 {
|
|
|
|
|
if e1 != 0 {
|
|
|
|
|
err = errnoErr(e1)
|
|
|
|
|
} else {
|
|
|
|
|
err = syscall.EINVAL
|
|
|
|
|
}
|
|
|
|
|
}
|
2023-04-25 17:29:23 +08:00
|
|
|
return err
|
2020-09-29 06:15:28 +08:00
|
|
|
}
|
|
|
|
|
|
2023-06-09 16:24:43 +08:00
|
|
|
//nolint:revive //argument-limit conditionally more arguments allowed
|
2022-11-11 02:41:43 +08:00
|
|
|
func _EvtFormatMessage(
|
|
|
|
|
publisherMetadata EvtHandle,
|
|
|
|
|
event EvtHandle,
|
|
|
|
|
messageID uint32,
|
|
|
|
|
valueCount uint32,
|
|
|
|
|
values uintptr,
|
|
|
|
|
flags EvtFormatMessageFlag,
|
|
|
|
|
bufferSize uint32,
|
|
|
|
|
buffer *byte,
|
|
|
|
|
bufferUsed *uint32,
|
2023-04-25 17:29:23 +08:00
|
|
|
) error {
|
|
|
|
|
r1, _, e1 := syscall.SyscallN(
|
2022-11-11 02:41:43 +08:00
|
|
|
procEvtFormatMessage.Addr(),
|
|
|
|
|
uintptr(publisherMetadata),
|
|
|
|
|
uintptr(event),
|
|
|
|
|
uintptr(messageID),
|
|
|
|
|
uintptr(valueCount),
|
2023-04-25 17:29:23 +08:00
|
|
|
values,
|
2022-11-11 02:41:43 +08:00
|
|
|
uintptr(flags),
|
|
|
|
|
uintptr(bufferSize),
|
2023-04-12 21:32:46 +08:00
|
|
|
uintptr(unsafe.Pointer(buffer)), //nolint:gosec // G103: Valid use of unsafe call to pass buffer
|
|
|
|
|
uintptr(unsafe.Pointer(bufferUsed)), //nolint:gosec // G103: Valid use of unsafe call to pass bufferUsed
|
2022-11-11 02:41:43 +08:00
|
|
|
)
|
2023-04-25 17:29:23 +08:00
|
|
|
|
|
|
|
|
var err error
|
2020-09-29 06:15:28 +08:00
|
|
|
if r1 == 0 {
|
|
|
|
|
if e1 != 0 {
|
|
|
|
|
err = errnoErr(e1)
|
|
|
|
|
} else {
|
|
|
|
|
err = syscall.EINVAL
|
|
|
|
|
}
|
|
|
|
|
}
|
2023-04-25 17:29:23 +08:00
|
|
|
return err
|
2020-09-29 06:15:28 +08:00
|
|
|
}
|
|
|
|
|
|
2024-11-14 23:14:40 +08:00
|
|
|
func _EvtOpenPublisherMetadata(session EvtHandle, publisherIdentity, logFilePath *uint16, locale, flags uint32) (EvtHandle, error) {
|
2023-04-25 17:29:23 +08:00
|
|
|
r0, _, e1 := syscall.SyscallN(
|
2022-11-11 02:41:43 +08:00
|
|
|
procEvtOpenPublisherMetadata.Addr(),
|
|
|
|
|
uintptr(session),
|
2023-04-12 21:32:46 +08:00
|
|
|
uintptr(unsafe.Pointer(publisherIdentity)), //nolint:gosec // G103: Valid use of unsafe call to pass publisherIdentity
|
|
|
|
|
uintptr(unsafe.Pointer(logFilePath)), //nolint:gosec // G103: Valid use of unsafe call to pass logFilePath
|
2022-11-11 02:41:43 +08:00
|
|
|
uintptr(locale),
|
|
|
|
|
uintptr(flags),
|
|
|
|
|
)
|
2023-04-25 17:29:23 +08:00
|
|
|
|
|
|
|
|
var err error
|
|
|
|
|
handle := EvtHandle(r0)
|
2020-09-29 06:15:28 +08:00
|
|
|
if handle == 0 {
|
|
|
|
|
if e1 != 0 {
|
|
|
|
|
err = errnoErr(e1)
|
|
|
|
|
} else {
|
|
|
|
|
err = syscall.EINVAL
|
|
|
|
|
}
|
|
|
|
|
}
|
2023-04-25 17:29:23 +08:00
|
|
|
return handle, err
|
2020-09-29 06:15:28 +08:00
|
|
|
}
|
2023-03-08 02:53:25 +08:00
|
|
|
|
|
|
|
|
func _EvtCreateBookmark(bookmarkXML *uint16) (EvtHandle, error) {
|
2023-04-12 21:32:46 +08:00
|
|
|
//nolint:gosec // G103: Valid use of unsafe call to pass bookmarkXML
|
2023-04-25 17:29:23 +08:00
|
|
|
r0, _, e1 := syscall.SyscallN(procEvtCreateBookmark.Addr(), uintptr(unsafe.Pointer(bookmarkXML)))
|
2023-03-08 02:53:25 +08:00
|
|
|
handle := EvtHandle(r0)
|
|
|
|
|
if handle != 0 {
|
|
|
|
|
return handle, nil
|
|
|
|
|
}
|
|
|
|
|
if e1 != 0 {
|
|
|
|
|
return handle, errnoErr(e1)
|
|
|
|
|
}
|
|
|
|
|
return handle, syscall.EINVAL
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func _EvtUpdateBookmark(bookmark, event EvtHandle) error {
|
2023-04-25 17:29:23 +08:00
|
|
|
r0, _, e1 := syscall.SyscallN(procEvtUpdateBookmark.Addr(), uintptr(bookmark), uintptr(event))
|
2023-03-08 02:53:25 +08:00
|
|
|
if r0 != 0 {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
if e1 != 0 {
|
|
|
|
|
return errnoErr(e1)
|
|
|
|
|
}
|
|
|
|
|
return syscall.EINVAL
|
|
|
|
|
}
|
