//go:build windows
// +build windows

package windows

import (
	"fmt"
	"syscall"

	jsoniter "github.com/json-iterator/go"

	"github.com/grafana/loki/clients/pkg/promtail/scrapeconfig"
	"github.com/grafana/loki/clients/pkg/promtail/targets/windows/win_eventlog"
)

// Event is the JSON document promtail emits as the log line for one Windows
// event log record (see formatLine). Every field carries omitempty, so zero
// values are not written. The tag names are the line's schema as seen by
// downstream queries; note they mix snake_case (event_id, user_data,
// event_data) and camelCase (levelText, eventRecordID) and must be kept as-is.
type Event struct {
	Source   string `json:"source,omitempty"`
	Channel  string `json:"channel,omitempty"`
	Computer string `json:"computer,omitempty"`
	EventID  int    `json:"event_id,omitempty"`
	Version  int    `json:"version,omitempty"`

	Level  int `json:"level,omitempty"`
	Task   int `json:"task,omitempty"`
	Opcode int `json:"opCode,omitempty"`

	LevelText  string `json:"levelText,omitempty"`
	TaskText   string `json:"taskText,omitempty"`
	OpcodeText string `json:"opCodeText,omitempty"`

	Keywords      string       `json:"keywords,omitempty"`
	TimeCreated   string       `json:"timeCreated,omitempty"`
	EventRecordID int          `json:"eventRecordID,omitempty"`
	Correlation   *Correlation `json:"correlation,omitempty"`
	Execution     *Execution   `json:"execution,omitempty"`

	Security *Security `json:"security,omitempty"`
	// UserData and EventData hold the raw inner XML of the corresponding
	// event sections, copied verbatim unless excluded by the target config.
	UserData  string `json:"user_data,omitempty"`
	EventData string `json:"event_data,omitempty"`
	Message   string `json:"message,omitempty"`
}

// Security identifies the account the event was logged for.
type Security struct {
	// UserID is the SID string from the event's Security element; it is the
	// authoritative identity and is always present when Security is set.
	UserID string `json:"userId,omitempty"`
	// UserName is a best-effort "DOMAIN\user" resolution of UserID on the
	// collecting machine; it is empty when the SID cannot be resolved.
	UserName string `json:"userName,omitempty"`
}

// Execution identifies the process and thread that logged the event.
type Execution struct {
	ProcessID uint32 `json:"processId,omitempty"`
	ThreadID  uint32 `json:"threadId,omitempty"`
	// ProcessName is resolved best effort from the running processes at
	// collection time, not from the event itself; it may be empty.
	ProcessName string `json:"processName,omitempty"`
}

// Correlation carries the activity identifiers linking related events.
type Correlation struct {
	ActivityID        string `json:"activityID,omitempty"`
	RelatedActivityID string `json:"relatedActivityID,omitempty"`
}

// formatLine formats a Loki log line from a windows event.
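//
// Only populated fields are emitted, since every JSON tag carries omitempty.
// The raw EventData and UserData inner XML are copied verbatim unless disabled
// through cfg.ExcludeEventData / cfg.ExcludeUserData. The account name and the
// process name are resolved best effort on the collecting machine: the SID and
// PID from the event are always kept, the resolved names may be empty. The only
// error returned is a JSON marshalling failure.
func formatLine(cfg *scrapeconfig.WindowsEventsTargetConfig, event win_eventlog.Event) (string, error) {
	structuredEvent := Event{
		Source:        event.Source.Name,
		Channel:       event.Channel,
		Computer:      event.Computer,
		EventID:       event.EventID,
		Version:       event.Version,
		Level:         event.Level,
		Task:          event.Task,
		Opcode:        event.Opcode,
		LevelText:     event.LevelText,
		TaskText:      event.TaskText,
		OpcodeText:    event.OpcodeText,
		Keywords:      event.Keywords,
		TimeCreated:   event.TimeCreated.SystemTime,
		EventRecordID: event.EventRecordID,
		Message:       event.Message,
	}

	if !cfg.ExcludeEventData {
		structuredEvent.EventData = string(event.EventData.InnerXML)
	}
	if !cfg.ExcludeUserData {
		// UserData is its own XML section; it used to copy EventData here,
		// which duplicated event_data and lost the actual user_data payload.
		structuredEvent.UserData = string(event.UserData.InnerXML)
	}
	if event.Correlation.ActivityID != "" || event.Correlation.RelatedActivityID != "" {
		structuredEvent.Correlation = &Correlation{
			ActivityID:        event.Correlation.ActivityID,
			RelatedActivityID: event.Correlation.RelatedActivityID,
		}
	}
	if event.Security.UserID != "" {
		structuredEvent.Security = &Security{
			UserID:   event.Security.UserID,
			UserName: lookupAccountName(event.Security.UserID),
		}
	}
	if event.Execution.ProcessID != 0 {
		structuredEvent.Execution = &Execution{
			ProcessID:   event.Execution.ProcessID,
			ThreadID:    event.Execution.ThreadID,
			ProcessName: lookupProcessName(event.Execution.ProcessID),
		}
	}
	return jsoniter.MarshalToString(structuredEvent)
}

// lookupAccountName resolves a string SID to "DOMAIN\user" against the local
// machine's account database. It returns "" when the SID does not parse or
// cannot be resolved (for example a SID from a domain the host cannot reach),
// so callers must keep the SID itself as the authoritative identity.
func lookupAccountName(sid string) string {
	usid, err := syscall.StringToSid(sid)
	if err != nil {
		return ""
	}
	username, domain, _, err := usid.LookupAccount("")
	if err != nil {
		return ""
	}
	return fmt.Sprintf("%s\\%s", domain, username)
}

// lookupProcessName returns the image name reported for pid by
// win_eventlog.GetFromSnapProcess, or "" when the lookup fails. The name
// appears to come from the processes running at collection time rather than
// from the event, so it is only a hint: the process may have exited or the
// PID may have been reused since the event was written.
func lookupProcessName(pid uint32) string {
	_, _, processName, err := win_eventlog.GetFromSnapProcess(pid)
	if err != nil {
		return ""
	}
	return processName
}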