logger

package
v1.8.0-beta.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jul 28, 2021 License: Apache-2.0 Imports: 19 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	// IndexExt is the file extension used for index files
	IndexExt = ".index"
	// IndexedLogfileExt is the file extension used by logfiles
	IndexedLogfileExt = ".gz"

	// DefaultLogPerm default logfile permission for Manager
	DefaultLogPerm = 0600
)
View Source 
const (
	MaxOpenedLogfile = 1024
)

Variables

View Source 
var (
	TimeFormat  = time.RFC3339Nano
	IndexHeader = "Start,Stop,Offset,EventCount"
)

Functions

func ArchiveFilename 

func ArchiveFilename(path string) string

ArchiveFilename returns a standardized name to archive and IndexedLogfile

func IndexFileFromPath 

func IndexFileFromPath(path string) string

IndexFileFromPath returns a standardized IndexFile name from a path

func RemoveIndexedLogfile 

func RemoveIndexedLogfile(path string) (lastErr error)

RemoveIndexedLogfile removes both an IndexLogfile and its associated IndexFile

func RenameIndexedLogfile 

func RenameIndexedLogfile(old, new string) (lastErr error)

RenameIndexedLogfile renames both an IndexLogfile and its associated IndexFile

Types

type EventLogger 

type EventLogger struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

EventLogger structure used to log EDR events

func NewEventLogger 

func NewEventLogger(root, base string, size int64) *EventLogger

NewEventLogger creates a new EventLogger

func (*EventLogger) Close 

func (l *EventLogger) Close() (lastErr error)

Close closes an EventLogger

func (*EventLogger) CommitTransaction 

func (l *EventLogger) CommitTransaction() (lastErr error)

CommitTransaction commits a transaction leaving the place for a new one. A transaction needs to be committed before a new one can be initialized and used.

func (*EventLogger) CountFiles 

func (l *EventLogger) CountFiles() int

CountFiles returns the count of opened IndexedFiles

func (*EventLogger) InitTransaction 

func (l *EventLogger) InitTransaction() (id TransactionId)

InitTransaction initializes a new logging transaction only attempts to use WriteEvent with the proper id will succeed

func (*EventLogger) WriteEvent 

func (l *EventLogger) WriteEvent(id TransactionId, key string, evt *evtx.GoEvtxMap) (n int, err error)

WriteEvent writes an event to an IndexedLogfile chosen according to the internal algorithm of the EventLogger

type EventSearcher 

type EventSearcher struct {
	sync.Mutex
	// contains filtered or unexported fields
}

EventSearcher is used to search for events accross the file system

func NewEventSearcher 

func NewEventSearcher(root string) (s *EventSearcher)

NewEventSearcher creates a new EventSearcher structure to be used to search logs

func (*EventSearcher) Close 

func (s *EventSearcher) Close() (lastErr error)

Close closes all the opened IndexedLogfile

func (*EventSearcher) Err 

func (s *EventSearcher) Err() error

Err returns any error which happened during a call to Events function

func (*EventSearcher) Events 

func (s *EventSearcher) Events(start, stop time.Time, key string, count, skip int) (c chan *RawEvent)

Events returns a channel of RawEvents

type IndexEntry 

type IndexEntry struct {
	Start      time.Time `json:"start"`
	Stop       time.Time `json:"stop"`
	Offset     int64     `json:"offset"`
	EventCount int64     `json:"count"`
	// contains filtered or unexported fields
}

IndexEntry represents encodes information about the events written in an IndexedLogfile

func IndexEntryFromCSV 

func IndexEntryFromCSV(line string) (ie *IndexEntry, err error)

IndexEntryFromCSV returns an IndexEntry from a CSV line

func (*IndexEntry) Before 

func (i *IndexEntry) Before(other *IndexEntry) bool

Before returns true if index is before another

func (*IndexEntry) Contains 

func (i *IndexEntry) Contains(ts time.Time) bool

Contains returns true if time is in between entry start and stop

func (*IndexEntry) In 

func (i *IndexEntry) In(start time.Time, stop time.Time) bool

In returns true if entry is fully in time range start < entry < stop

func (*IndexEntry) Less 

func (i *IndexEntry) Less(other *datastructs.Sortable) bool

Implements datastructs.Sortable interface

func (*IndexEntry) Overlaps 

func (i *IndexEntry) Overlaps(start time.Time, stop time.Time) bool

Overlaps returns true if entry has overlapping time with time range

func (*IndexEntry) ToCSV 

func (i *IndexEntry) ToCSV() string

ToCSV marshals an IndexEntry to CSV data

func (*IndexEntry) UpdateTime 

func (i *IndexEntry) UpdateTime(t time.Time)

UpdateTime must be used to update the Start and Stop timestamps of the IndexEntry structure

type IndexFile 

type IndexFile struct {
	// contains filtered or unexported fields
}

IndexFile represents an opened index file

func OpenIndexFile 

func OpenIndexFile(path string) (inf *IndexFile, err error)

OpenIndexFile opens an index file from a path

func (*IndexFile) Close 

func (inf *IndexFile) Close() error

Close closes the underlying file descriptor

func (*IndexFile) LogfilePath 

func (inf *IndexFile) LogfilePath() string

LogfilePaths returns the name of the IndexedLogFile associated to the IndexFile

func (*IndexFile) Next 

func (inf *IndexFile) Next() (ie *IndexEntry, err error)

Next returns the next IndexEntry stop condition if ie == nil or err != nil

type IndexedLogfile 

type IndexedLogfile struct {
	sync.Mutex
	// contains filtered or unexported fields
}

IndexedLogfile structure

func OpenIndexedLogfile 

func OpenIndexedLogfile(path string) (l *IndexedLogfile, err error)

OpenIndexedLogfile opens an IndexedLogfile

func (*IndexedLogfile) Close 

func (f *IndexedLogfile) Close() (err error)

Close flushes and closes an IndexedLogfile

func (*IndexedLogfile) Flush 

func (f *IndexedLogfile) Flush() (err error)

Flush flushes the IndexedLogfile to disk

func (*IndexedLogfile) IndexFile 

func (f *IndexedLogfile) IndexFile() string

IndexFile returns the path of the IndexFile associated to the IndexedLogfile

func (*IndexedLogfile) ReadRawEvents 

func (f *IndexedLogfile) ReadRawEvents(offset int64, n int64) (events []*RawEvent, err error)

ReadRawEvents reads n RawEvents located at offset in IndexedLogfile

func (*IndexedLogfile) Size 

func (f *IndexedLogfile) Size() (size int64, err error)

Size returns the size of the IndexedLogfile

func (*IndexedLogfile) WriteRawEvent 

func (f *IndexedLogfile) WriteRawEvent(e *RawEvent) (n int, err error)

WriteRawEvent writes a RawEvent in IndexLogfile taking the event timestamp as reference time

func (*IndexedLogfile) WriteRawEventWithTimestamp 

func (f *IndexedLogfile) WriteRawEventWithTimestamp(e *RawEvent, timestamp time.Time) (n int, err error)

WriteRawEventWithTimestamp writes a RawEvent with an associated event timestamp in the IndexLogfile

type RawEvent 

type RawEvent struct {
	Timestamp time.Time
	// contains filtered or unexported fields
}

func DecodeRawEvent 

func DecodeRawEvent(b []byte) (r *RawEvent, err error)

func NewRawEvent 

func NewRawEvent(e *evtx.GoEvtxMap) (r *RawEvent, err error)

func (*RawEvent) Encode 

func (e *RawEvent) Encode() []byte

func (*RawEvent) Event 

func (e *RawEvent) Event() (evt evtx.GoEvtxMap, err error)

func (*RawEvent) Less 

func (e *RawEvent) Less(other *datastructs.Sortable) bool

type TransactionId 

type TransactionId uint64

TransactionId type to identify a logging session

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.