evtapi

package

v0.73.2 Latest Latest Go to latest Published: Dec 23, 2025 License: Apache-2.0 Imports: 2 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/DataDog/datadog-agent

Links

Open Source Insights

Documentation ¶

Rendered for windows/amd64

Overview ¶

Package evtapi defines the interface and common types for interacting with the Windows Event Log API from Golang

Index ¶

Constants
func EvtCloseBookmark(api API, h EventBookmarkHandle)
func EvtClosePublisherMetadata(api API, h EventPublisherMetadataHandle)
func EvtCloseRecord(api API, h EventRecordHandle)
func EvtCloseRenderContext(api API, h EventRenderContextHandle)
func EvtCloseResultSet(api API, h EventResultSetHandle)
func EvtCloseSession(api API, h EventSessionHandle)
type API
type EventBookmarkHandle
type EventPublisherMetadataHandle
type EventRecord
type EventRecordHandle
type EventRenderContextHandle
type EventResultSetHandle
type EventSessionHandle
type EventSourceHandle
type EvtVariantValues
type WaitEventHandle

Constants ¶

View Source

const (
	EvtSubscribeToFutureEvents      = 1
	EvtSubscribeStartAtOldestRecord = 2
	EvtSubscribeStartAfterBookmark  = 3
	EvtSubscribeOriginMask          = 3
	EvtSubscribeTolerateQueryErrors = 0x1000
	EvtSubscribeStrict              = 0x10000
)

EVT_SUBSCRIBE_FLAGS https://learn.microsoft.com/en-us/windows/win32/api/winevt/ne-winevt-evt_subscribe_flags

View Source

const (
	EvtRenderContextValues = iota
	EvtRenderContextSystem
	EvtRenderContextUser
)

EVT_RENDER_CONTEXT_FLAGS https://learn.microsoft.com/en-us/windows/win32/api/winevt/ne-winevt-evt_render_context_flags

View Source

const (
	EvtRenderEventValues = iota
	EvtRenderEventXml
	EvtRenderBookmark
)

EVT_RENDER_FLAGS https://learn.microsoft.com/en-us/windows/win32/api/winevt/ne-winevt-evt_render_flags

View Source

const (
	EvtVarTypeNull       = 0
	EvtVarTypeString     = 1
	EvtVarTypeAnsiString = 2
	EvtVarTypeSByte      = 3
	EvtVarTypeByte       = 4
	EvtVarTypeInt16      = 5
	EvtVarTypeUInt16     = 6
	EvtVarTypeInt32      = 7
	EvtVarTypeUInt32     = 8
	EvtVarTypeInt64      = 9
	EvtVarTypeUInt64     = 10
	EvtVarTypeSingle     = 11
	EvtVarTypeDouble     = 12
	EvtVarTypeBoolean    = 13
	EvtVarTypeBinary     = 14
	EvtVarTypeGuid       = 15
	EvtVarTypeSizeT      = 16
	EvtVarTypeFileTime   = 17
	EvtVarTypeSysTime    = 18
	EvtVarTypeSid        = 19
	EvtVarTypeHexInt32   = 20
	EvtVarTypeHexInt64   = 21
	EvtVarTypeEvtHandle  = 32
	EvtVarTypeEvtXml     = 35
)

EVT_VARIANT_TYPE https://learn.microsoft.com/en-us/windows/win32/api/winevt/ne-winevt-evt_variant_type

View Source

const (
	EvtSystemProviderName = iota
	EvtSystemProviderGuid
	EvtSystemEventID
	EvtSystemQualifiers
	EvtSystemLevel
	EvtSystemTask
	EvtSystemOpcode
	EvtSystemKeywords
	EvtSystemTimeCreated
	EvtSystemEventRecordId
	EvtSystemActivityID
	EvtSystemRelatedActivityID
	EvtSystemProcessID
	EvtSystemThreadID
	EvtSystemChannel
	EvtSystemComputer
	EvtSystemUserID
	EvtSystemVersion
	EvtSystemPropertyIdEND
)

EVT_SYSTEM_PROPERTY_ID https://learn.microsoft.com/en-us/windows/win32/api/winevt/ne-winevt-evt_system_property_id

View Source

const (
	EvtFormatMessageEvent = iota + 1
	EvtFormatMessageLevel
	EvtFormatMessageTask
	EvtFormatMessageOpcode
	EvtFormatMessageKeyword
	EvtFormatMessageChannel
	EvtFormatMessageProvider
	EvtFormatMessageId
	EvtFormatMessageXml
)

EVT_FORMAT_MESSAGE_FLAGS https://learn.microsoft.com/en-us/windows/win32/api/winevt/ne-winevt-evt_format_message_flags

View Source

const (
	EvtRpcLoginAuthDefault = iota
	EvtRpcLoginAuthNegotiate
	EvtRpcLoginAuthKerberos
	EvtRpcLoginAuthNTLM
)

EVT_RPC_LOGIN_FLAGS https://learn.microsoft.com/en-us/windows/win32/api/winevt/ne-winevt-evt_rpc_login_flags

View Source

const (
	EvtQueryChannelPath         = 0x1
	EvtQueryFilePath            = 0x2
	EvtQueryForwardDirection    = 0x100
	EvtQueryReverseDirection    = 0x200
	EvtQueryTolerateQueryErrors = 0x1000
)

EVT_QUERY_FLAGS https://learn.microsoft.com/en-us/windows/win32/api/winevt/ne-winevt-evt_query_flags

Variables ¶

This section is empty.

Functions ¶

func EvtCloseBookmark ¶

func EvtCloseBookmark(api API, h EventBookmarkHandle)

EvtCloseBookmark closes EventBookmarkHandle

func EvtClosePublisherMetadata ¶

func EvtClosePublisherMetadata(api API, h EventPublisherMetadataHandle)

EvtClosePublisherMetadata closes EventPublisherMetadataHandle

func EvtCloseRecord ¶

func EvtCloseRecord(api API, h EventRecordHandle)

EvtCloseRecord closes EventRecordHandle

func EvtCloseRenderContext ¶

func EvtCloseRenderContext(api API, h EventRenderContextHandle)

EvtCloseRenderContext closes EventRenderContextHandle

func EvtCloseResultSet ¶

func EvtCloseResultSet(api API, h EventResultSetHandle)

EvtCloseResultSet closes EventResultSetHandle

func EvtCloseSession ¶

func EvtCloseSession(api API, h EventSessionHandle)

EvtCloseSession closes EventSessionHandle

Types ¶

type API ¶

type API interface {
	EvtSubscribe(
		Session EventSessionHandle,
		SignalEvent WaitEventHandle,
		ChannelPath string,
		Query string,
		Bookmark EventBookmarkHandle,
		Flags uint) (EventResultSetHandle, error)

	EvtNext(
		Session EventResultSetHandle,
		EventsArray []EventRecordHandle,
		EventsSize uint,
		Timeout uint) ([]EventRecordHandle, error)

	EvtClose(h windows.Handle)

	// EvtQuery queries an event log for events that match specified criteria
	// https://learn.microsoft.com/en-us/windows/win32/api/winevt/nf-winevt-evtquery
	EvtQuery(
		Session EventSessionHandle,
		Path string,
		Query string,
		Flags uint) (EventResultSetHandle, error)

	EvtRenderEventXml(Fragment EventRecordHandle) ([]uint16, error)

	EvtRenderBookmark(Fragment EventBookmarkHandle) ([]uint16, error)

	EvtCreateRenderContext(ValuePaths []string, Flags uint) (EventRenderContextHandle, error)

	// Note: Must call .Close() on the return value when done using it
	EvtRenderEventValues(Context EventRenderContextHandle, Fragment EventRecordHandle) (EvtVariantValues, error)

	EvtCreateBookmark(BookmarkXML string) (EventBookmarkHandle, error)

	EvtUpdateBookmark(Bookmark EventBookmarkHandle, Event EventRecordHandle) error

	EvtOpenPublisherMetadata(
		PublisherID string,
		LogFilePath string) (EventPublisherMetadataHandle, error)

	EvtFormatMessage(
		PublisherMetadata EventPublisherMetadataHandle,
		Event EventRecordHandle,
		MessageID uint,
		Values EvtVariantValues,
		Flags uint) (string, error)

	EvtOpenSession(
		Server string,
		User string,
		Domain string,
		Password string,
		Flags uint,
	) (EventSessionHandle, error)

	// Windows Event Logging methods
	RegisterEventSource(SourceName string) (EventSourceHandle, error)

	DeregisterEventSource(EventLog EventSourceHandle) error

	EvtClearLog(ChannelPath string) error

	ReportEvent(
		EventLog EventSourceHandle,
		Type uint,
		Category uint,
		EventID uint,
		UserSID *windows.SID,
		Strings []string,
		RawData []uint8) error
}

API is an interface for Windows Event Log API methods https://learn.microsoft.com/en-us/windows/win32/wes/windows-event-log-functions

type EventBookmarkHandle ¶

type EventBookmarkHandle windows.Handle

EventBookmarkHandle is a typed windows.Handle returned from EvtCreateBookmark

type EventPublisherMetadataHandle ¶

type EventPublisherMetadataHandle windows.Handle

EventPublisherMetadataHandle is a typed windows.Handle returned from EvtOpenPublisherMetadata

type EventRecord ¶

type EventRecord struct {
	EventRecordHandle EventRecordHandle
}

EventRecord is a light wrapper around EventRecordHandle for now. In the future it may contain other fields to assist in event rendering.

type EventRecordHandle ¶

type EventRecordHandle windows.Handle

EventRecordHandle is a typed windows.Handle returned from EvtNext

type EventRenderContextHandle ¶

type EventRenderContextHandle windows.Handle

EventRenderContextHandle is a typed windows.Handle returned from EvtCreateRenderContext

type EventResultSetHandle ¶

type EventResultSetHandle windows.Handle

EventResultSetHandle is a typed windows.Handle returned from EvtQuery and EvtSubscribe

type EventSessionHandle ¶

type EventSessionHandle windows.Handle

EventSessionHandle is a typed windows.Handle returned from EvtOpenSession

type EventSourceHandle ¶

type EventSourceHandle windows.Handle

EventSourceHandle is a typed windows.Handle returned from RegisterEventSource

type EvtVariantValues ¶

type EvtVariantValues interface {
	// Each type method accepts an index argument that determines which element in the
	// array to return.
	String(uint) (string, error)

	UInt(uint) (uint64, error)

	// Returns unix timestamp in seconds
	Time(uint) (int64, error)

	// Returns a SID
	SID(uint) (*windows.SID, error)

	// Returns the EVT_VARIANT_TYPE of the element at index
	Type(uint) (uint, error)

	// Buffer to raw EVT_VARIANT buffer
	Buffer() unsafe.Pointer

	// The number of values
	Count() uint

	// Free resources
	Close()
}

EvtVariantValues is returned from EvtRenderEventValues https://learn.microsoft.com/en-us/windows/win32/api/winevt/ns-winevt-evt_variant

type WaitEventHandle ¶

type WaitEventHandle windows.Handle

WaitEventHandle is a typed windows.Handle returned from CreateEvent

Source Files ¶

View all Source files

types.go

Directories ¶

Path	Synopsis
fake Package fakeevtapi is a fake implementation of the Windows Event Log API intended to be used in tests.	Package fakeevtapi is a fake implementation of the Windows Event Log API intended to be used in tests.
windows Package winevtapi implements the evtapi.API interface with the Windows Event Log API	Package winevtapi implements the evtapi.API interface with the Windows Event Log API

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL