
     1  // +build windows
     2  
     3  package windows
     4  
     5  import (
     6  	"encoding/xml"
     7  	"fmt"
     8  	"time"
     9  
    10  	"github.com/observiq/carbon/entry"
    11  )
    12  
// EventXML is the rendered xml of an event. The struct tags select the
// elements of the rendered <Event> document that this input keeps:
// identity and provenance are read from the <System> element, the
// display-oriented text fields from <RenderingInfo>. Everything else in
// the document (e.g. <EventData>) is dropped by the decoder.
type EventXML struct {
	// EventID holds the <EventID> character data plus its Qualifiers attribute.
	EventID     EventID     `xml:"System>EventID"`
	// Provider holds the attributes of <System><Provider>.
	Provider    Provider    `xml:"System>Provider"`
	Computer    string      `xml:"System>Computer"`
	Channel     string      `xml:"System>Channel"`
	RecordID    uint64      `xml:"System>EventRecordID"`
	// TimeCreated carries the raw SystemTime attribute; parseTimestamp parses it.
	TimeCreated TimeCreated `xml:"System>TimeCreated"`
	// Message, Level, Task and Opcode are the rendered (display) strings,
	// not the numeric values from <System>; parseSeverity matches Level
	// against fixed English names.
	Message     string      `xml:"RenderingInfo>Message"`
	Level       string      `xml:"RenderingInfo>Level"`
	Task        string      `xml:"RenderingInfo>Task"`
	Opcode      string      `xml:"RenderingInfo>Opcode"`
	// Keywords collects every <Keyword> child of <RenderingInfo><Keywords>;
	// it is nil when none are present.
	Keywords    []string    `xml:"RenderingInfo>Keywords>Keyword"`
}
    27  
// parseTimestamp returns the event's creation time, taken from the
// TimeCreated/@SystemTime attribute and parsed as RFC 3339 with optional
// fractional seconds. When the attribute is absent or does not parse,
// the current wall-clock time is substituted instead.
//
// NOTE(review): the fallback silently replaces the event's own time with
// the ingestion time, so in the resulting entry a malformed SystemTime is
// indistinguishable from a freshly generated event. The raw string is still
// carried in the record's "system_time" field, which is what to cross-check
// when building a timeline from these entries.
func (e *EventXML) parseTimestamp() time.Time {
	parsed, err := time.Parse(time.RFC3339Nano, e.TimeCreated.SystemTime)
	if err != nil {
		return time.Now()
	}
	return parsed
}
    35  
// parseSeverity maps the event's rendered Level string onto an
// entry.Severity. Exactly four English level names are recognized;
// any other value, including an empty Level, yields entry.Default.
//
// NOTE(review): Level is read from <RenderingInfo>, i.e. text rendered for
// display rather than the numeric level in <System>. If that text is
// localized on non-English hosts, every such event would presumably land
// on entry.Default — confirm against the rendering call that feeds this.
func (e *EventXML) parseSeverity() entry.Severity {
	severity := entry.Default
	switch e.Level {
	case "Critical":
		severity = entry.Critical
	case "Error":
		severity = entry.Error
	case "Warning":
		severity = entry.Warning
	case "Information":
		severity = entry.Info
	}
	return severity
}
    51  
// parseRecord flattens the event into the generic map shape used for the
// entry's record. The nested "event_id" and "provider" maps are built first;
// all other fields are copied through unchanged (Keywords stays nil when
// the event had none). The raw SystemTime string is kept as "system_time"
// alongside whatever timestamp the entry is given.
func (e *EventXML) parseRecord() map[string]interface{} {
	eventID := map[string]interface{}{
		"qualifiers": e.EventID.Qualifiers,
		"id":         e.EventID.ID,
	}
	provider := map[string]interface{}{
		"name":         e.Provider.Name,
		"guid":         e.Provider.GUID,
		"event_source": e.Provider.EventSourceName,
	}

	record := make(map[string]interface{}, 11)
	record["event_id"] = eventID
	record["provider"] = provider
	record["system_time"] = e.TimeCreated.SystemTime
	record["computer"] = e.Computer
	record["channel"] = e.Channel
	record["record_id"] = e.RecordID
	record["level"] = e.Level
	record["message"] = e.Message
	record["task"] = e.Task
	record["opcode"] = e.Opcode
	record["keywords"] = e.Keywords
	return record
}
    75  
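// unmarshalEventXML decodes the rendered XML of a single event into an
// EventXML. On a decode failure it returns the zero EventXML and an error
// that wraps the underlying encoding/xml error, so callers can inspect the
// cause with errors.As (e.g. *xml.SyntaxError) instead of matching message
// text.
func unmarshalEventXML(bytes []byte) (EventXML, error) {
	var eventXML EventXML
	if err := xml.Unmarshal(bytes, &eventXML); err != nil {
		// %w keeps the decoder's error in the chain; %s flattened it to text
		// and made the original error type unrecoverable upstream.
		return EventXML{}, fmt.Errorf("failed to unmarshal xml bytes into event: %w", err)
	}
	return eventXML, nil
}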
    84  
// EventID is the identifier of the event, decoded from <System><EventID>.
type EventID struct {
	// Qualifiers is the element's Qualifiers attribute; zero when absent.
	Qualifiers uint16 `xml:"Qualifiers,attr"`
	// ID is the element's character data; a value that does not fit a
	// uint32 makes the whole decode fail rather than being truncated.
	ID         uint32 `xml:",chardata"`
}
    90  
// TimeCreated is the creation time of the event, decoded from
// <System><TimeCreated>.
type TimeCreated struct {
	// SystemTime is the raw SystemTime attribute, kept as a string;
	// parseTimestamp interprets it as RFC 3339 with optional fractions.
	SystemTime string `xml:"SystemTime,attr"`
}
    95  
// Provider is the provider of the event, decoded from the attributes of
// <System><Provider>. Each field is empty when its attribute is absent.
type Provider struct {
	Name            string `xml:"Name,attr"`
	GUID            string `xml:"Guid,attr"`
	EventSourceName string `xml:"EventSourceName,attr"`
}