github.com/observiq/carbon@v0.9.11-0.20200820160507-1b872e368a5e/operator/builtin/input/windows/api.go

github.com/observiq/carbon@v0.9.11-0.20200820160507-1b872e368a5e/operator/builtin/input/windows/api.go (about)

     1  // +build windows
     2  
     3  package windows
     4  
     5  import (
     6  	"syscall"
     7  	"unsafe"
     8  
     9  	"golang.org/x/sys/windows"
    10  )
    11  
    12  var (
    13  	api = windows.NewLazySystemDLL("wevtapi.dll")
    14  
    15  	subscribeProc             SyscallProc = api.NewProc("EvtSubscribe")
    16  	nextProc                  SyscallProc = api.NewProc("EvtNext")
    17  	renderProc                SyscallProc = api.NewProc("EvtRender")
    18  	closeProc                 SyscallProc = api.NewProc("EvtClose")
    19  	createBookmarkProc        SyscallProc = api.NewProc("EvtCreateBookmark")
    20  	updateBookmarkProc        SyscallProc = api.NewProc("EvtUpdateBookmark")
    21  	openPublisherMetadataProc SyscallProc = api.NewProc("EvtOpenPublisherMetadata")
    22  	formatMessageProc         SyscallProc = api.NewProc("EvtFormatMessage")
    23  )
    24  
    25  // SyscallProc is a syscall procedure.
    26  type SyscallProc interface {
    27  	Call(...uintptr) (uintptr, uintptr, error)
    28  }
    29  
    30  const (
    31  	// EvtSubscribeToFutureEvents is a flag that will subscribe to only future events.
    32  	EvtSubscribeToFutureEvents uint32 = 1
    33  	// EvtSubscribeStartAtOldestRecord is a flag that will subscribe to all existing and future events.
    34  	EvtSubscribeStartAtOldestRecord uint32 = 2
    35  	// EvtSubscribeStartAfterBookmark is a flag that will subscribe to all events that begin after a bookmark.
    36  	EvtSubscribeStartAfterBookmark uint32 = 3
    37  )
    38  
    39  const (
    40  	// ErrorSuccess is an error code that indicates the operation completed successfully.
    41  	ErrorSuccess syscall.Errno = 0
    42  	// ErrorNotSupported is an error code that indicates the operation is not supported.
    43  	ErrorNotSupported syscall.Errno = 50
    44  	// ErrorInsufficientBuffer is an error code that indicates the data area passed to a system call is too small
    45  	ErrorInsufficientBuffer syscall.Errno = 122
    46  	// ErrorNoMoreItems is an error code that indicates no more items are available.
    47  	ErrorNoMoreItems syscall.Errno = 259
    48  	// ErrorInvalidOperation is an error code that indicates the operation identifier is not valid
    49  	ErrorInvalidOperation syscall.Errno = 4317
    50  )
    51  
    52  const (
    53  	// EvtFormatMessageXML is flag that formats a message as an XML string that contains all event details and message strings.
    54  	EvtFormatMessageXML uint32 = 9
    55  )
    56  
    57  const (
    58  	// EvtRenderEventXML is a flag to render an event as an XML string
    59  	EvtRenderEventXML uint32 = 1
    60  	// EvtRenderBookmark is a flag to render a bookmark as an XML string
    61  	EvtRenderBookmark uint32 = 2
    62  )
    63  
    64  // evtSubscribe is the direct syscall implementation of EvtSubscribe (https://docs.microsoft.com/en-us/windows/win32/api/winevt/nf-winevt-evtsubscribe)
    65  func evtSubscribe(session uintptr, signalEvent windows.Handle, channelPath *uint16, query *uint16, bookmark uintptr, context uintptr, callback uintptr, flags uint32) (uintptr, error) {
    66  	handle, _, err := subscribeProc.Call(session, uintptr(signalEvent), uintptr(unsafe.Pointer(channelPath)), uintptr(unsafe.Pointer(query)), bookmark, context, callback, uintptr(flags))
    67  	if err != ErrorSuccess {
    68  		return 0, err
    69  	}
    70  
    71  	return handle, nil
    72  }
    73  
    74  // evtNext is the direct syscall implementation of EvtNext (https://docs.microsoft.com/en-us/windows/win32/api/winevt/nf-winevt-evtnext)
    75  func evtNext(resultSet uintptr, eventsSize uint32, events *uintptr, timeout uint32, flags uint32, returned *uint32) error {
    76  	_, _, err := nextProc.Call(resultSet, uintptr(eventsSize), uintptr(unsafe.Pointer(events)), uintptr(timeout), uintptr(flags), uintptr(unsafe.Pointer(returned)))
    77  	if err != ErrorSuccess {
    78  		return err
    79  	}
    80  
    81  	return nil
    82  }
    83  
    84  // evtRender is the direct syscall implementation of EvtRender (https://docs.microsoft.com/en-us/windows/win32/api/winevt/nf-winevt-evtrender)
    85  func evtRender(context uintptr, fragment uintptr, flags uint32, bufferSize uint32, buffer *byte, bufferUsed *uint32, propertyCount *uint32) error {
    86  	_, _, err := renderProc.Call(context, fragment, uintptr(flags), uintptr(bufferSize), uintptr(unsafe.Pointer(buffer)), uintptr(unsafe.Pointer(bufferUsed)), uintptr(unsafe.Pointer(propertyCount)))
    87  	if err != ErrorSuccess {
    88  		return err
    89  	}
    90  
    91  	return nil
    92  }
    93  
    94  // evtClose is the direct syscall implementation of EvtClose (https://docs.microsoft.com/en-us/windows/win32/api/winevt/nf-winevt-evtclose)
    95  func evtClose(handle uintptr) error {
    96  	_, _, err := closeProc.Call(handle)
    97  	if err != ErrorSuccess {
    98  		return err
    99  	}
   100  
   101  	return nil
   102  }
   103  
   104  // evtCreateBookmark is the direct syscall implementation of EvtCreateBookmark (https://docs.microsoft.com/en-us/windows/win32/api/winevt/nf-winevt-evtcreatebookmark)
   105  func evtCreateBookmark(bookmarkXML *uint16) (uintptr, error) {
   106  	handle, _, err := createBookmarkProc.Call(uintptr(unsafe.Pointer(bookmarkXML)))
   107  	if err != ErrorSuccess {
   108  		return 0, err
   109  	}
   110  
   111  	return handle, nil
   112  }
   113  
   114  // evtUpdateBookmark is the direct syscall implementation of EvtUpdateBookmark (https://docs.microsoft.com/en-us/windows/win32/api/winevt/nf-winevt-evtcreatebookmark)
   115  func evtUpdateBookmark(bookmark uintptr, event uintptr) error {
   116  	_, _, err := updateBookmarkProc.Call(bookmark, event)
   117  	if err != ErrorSuccess {
   118  		return err
   119  	}
   120  
   121  	return nil
   122  }
   123  
   124  // evtOpenPublisherMetadata is the direct syscall implementation of EvtOpenPublisherMetadata (https://docs.microsoft.com/en-us/windows/win32/api/winevt/nf-winevt-evtopenpublishermetadata)
   125  func evtOpenPublisherMetadata(session uintptr, publisherIdentity *uint16, logFilePath *uint16, locale uint32, flags uint32) (uintptr, error) {
   126  	handle, _, err := openPublisherMetadataProc.Call(session, uintptr(unsafe.Pointer(publisherIdentity)), uintptr(unsafe.Pointer(logFilePath)), uintptr(locale), uintptr(flags))
   127  	if err != ErrorSuccess {
   128  		return 0, err
   129  	}
   130  
   131  	return handle, nil
   132  }
   133  
   134  // evtFormatMessage is the direct syscall implementation of EvtFormatMessage (https://docs.microsoft.com/en-us/windows/win32/api/winevt/nf-winevt-evtformatmessage)
   135  func evtFormatMessage(publisherMetadata uintptr, event uintptr, messageID uint32, valueCount uint32, values uintptr, flags uint32, bufferSize uint32, buffer *byte, bufferUsed *uint32) error {
   136  	_, _, err := formatMessageProc.Call(publisherMetadata, event, uintptr(messageID), uintptr(valueCount), values, uintptr(flags), uintptr(bufferSize), uintptr(unsafe.Pointer(buffer)), uintptr(unsafe.Pointer(bufferUsed)))
   137  	if err != ErrorSuccess {
   138  		return err
   139  	}
   140  
   141  	return nil
   142  }