windowsevent

package
v0.0.0-...-e476376
Published: Jan 14, 2026 License: Apache-2.0 Imports: 12 Imported by: 0

Documentation

Overview

Package windowsevent contains utilities to transform Windows Event Log XML messages into structured messages for Datadog Logs.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func MapToMessage

func MapToMessage(m *Map, source *sources.LogSource, processRawMessage bool) (*message.Message, error)

MapToMessage packages a Map into either an unstructured message.Message or a structured one.

Types

type Map

type Map struct {
	mxj.Map
}

Map is a wrapper around mxj.Map that provides additional methods to manipulate the map as it is used in the context of Windows Event Log messages.

func NewMapXML

func NewMapXML(eventXML []byte) (*Map, error)

NewMapXML converts Windows Event Log XML to a map and runs some transforms to normalize the data. All transforms are enabled by default for backwards compatibility.

Transforms:

  • Event.EventData.Data: Convert to a map if the values are named, else to a list
  • Event.EventData.Binary: Convert to a string if it is a UTF-16 string
  • Event.System.EventID: Separate the EventID and Qualifier fields
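As an added example, not the package's own code, the first and third transforms above re-implemented over a constructed event with the standard library's encoding/xml, so the effect of the normalization (stable, named keys for EventData and a Qualifiers field split off from EventID) can be seen without the Datadog agent. It assumes the Windows Event XML layout of a System/EventID element carrying a Qualifiers attribute and EventData/Data elements with an optional Name attribute; the type, function and sample names are mine.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// Only the parts of the Windows Event XML schema that the two transforms touch.
type winEvent struct {
	EventID struct {
		Qualifiers string `xml:"Qualifiers,attr"`
		Value      string `xml:",chardata"`
	} `xml:"System>EventID"`
	Data []struct {
		Name  string `xml:"Name,attr"`
		Value string `xml:",chardata"`
	} `xml:"EventData>Data"`
}

// Normalize mirrors two transforms NewMapXML documents: EventID and its Qualifiers
// attribute become separate fields, and EventData.Data becomes a map when every element is named.
func Normalize(eventXML []byte) (map[string]any, error) {
	var ev winEvent
	if err := xml.Unmarshal(eventXML, &ev); err != nil {
		return nil, err
	}
	out := map[string]any{"EventID": ev.EventID.Value}
	if ev.EventID.Qualifiers != "" {
		out["Qualifiers"] = ev.EventID.Qualifiers
	}
	named := make(map[string]string, len(ev.Data))
	list := make([]string, 0, len(ev.Data))
	for _, d := range ev.Data {
		named[d.Name] = d.Value
		list = append(list, d.Value)
	}
	// An unnamed element lands under the "" key; that, or an empty EventData,
	// selects the list form instead of the map.
	if _, unnamed := named[""]; !unnamed && len(named) > 0 {
		out["Data"] = named
	} else {
		out["Data"] = list
	}
	return out, nil
}

// Constructed sample event, not a captured one; the field names follow the Windows schema.
const sample = `<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID Qualifiers="16384">1000</EventID></System><EventData><Data Name="SubjectUserName">alice</Data><Data Name="LogonType">10</Data></EventData></Event>`

func main() { fmt.Println(Normalize([]byte(sample))) }
```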

func NewMapXMLWithOptions

func NewMapXMLWithOptions(eventXML []byte, opts TransformOptions) (*Map, error)

NewMapXMLWithOptions converts Windows Event Log XML to a map with configurable transforms.

func (*Map) GetMessage

func (m *Map) GetMessage() string

GetMessage returns the message field from the map.

func (*Map) JSON

func (m *Map) JSON() ([]byte, error)

JSON returns the map as a JSON byte array.

The function replaces any "#text" key with a "value" key.

func (*Map) SetLevel

func (m *Map) SetLevel(level string) error

SetLevel sets the level field in the map. This field is a Datadog (DD) field, not a Windows Event Log field.

func (*Map) SetMessage

func (m *Map) SetMessage(message string) error

SetMessage sets the message field in the map. This field is a Datadog (DD) field, not a Windows Event Log field. The message is truncated if it is bigger than 128 kB to prevent it from being dropped.

func (*Map) SetOpcode

func (m *Map) SetOpcode(opcode string) error

SetOpcode sets the opcode field in the map.

func (*Map) SetTask

func (m *Map) SetTask(task string) error

SetTask sets the task field in the map.

type Message

type Message struct {
	// contains filtered or unexported fields
}

Message implements the StructuredMessage interface for Windows Event Log messages.

func (*Message) GetContent

func (m *Message) GetContent() []byte

GetContent returns the content part of the structured log.

func (*Message) Render

func (m *Message) Render() ([]byte, error)

Render renders the structured log information into JSON, for further encoding before being sent to the intake.

func (*Message) SetContent

func (m *Message) SetContent(content []byte)

SetContent sets the content part of the structured log.

type TransformOptions

type TransformOptions struct {
	FormatEventData  bool // Convert named Data elements to key-value map (see formatEventDataField)
	FormatBinaryData bool // Decode binary hex as UTF-16 (buggy, not recommended for new code) (see formatEventBinaryData)
	NormalizeEventID bool // Separate EventID and Qualifier fields (see normalizeEventID)
}

TransformOptions controls which transforms are applied during XML parsing.

func DefaultTransformOptions

func DefaultTransformOptions() TransformOptions

DefaultTransformOptions returns options with all transforms enabled (for backwards compatibility).
