chore(alertsenders): Expose StringShort methods for process/event and create a common eventlog package

Author: rabbitstack

pkg/alertsender/eventlog/eventlog.go

@@ -19,15 +19,26 @@
 package eventlog
 
 import (
+	"errors"
 	"fmt"
 	"github.com/rabbitstack/fibratus/pkg/alertsender"
+	"github.com/rabbitstack/fibratus/pkg/kevent/ktypes"
+	evlog "github.com/rabbitstack/fibratus/pkg/util/eventlog"
 	"golang.org/x/sys/windows"
 	"hash/crc32"
 	"strings"
 )
 
-// source represents the event source that generates the alerts
-const source = "Fibratus"
+const (
+	// source represents the event source that generates the alerts
+	source = "Fibratus"
+	// levels designates the supported eventlog levels
+	levels = uint32(evlog.Info | evlog.Warn | evlog.Erro)
+	// msgFile specifies the location of the eventlog message DLL
+	msgFile = "%ProgramFiles%\\Fibratus\\fibratus.dll"
+	// keyName represents the registry key under which the eventlog source is registered
+	keyName = `SYSTEM\CurrentControlSet\Services\EventLog`
+)
 
 const minIDChars = 12
 
@@ -50,6 +61,13 @@ func makeSender(config alertsender.Config) (alertsender.Sender, error) {
 		return nil, fmt.Errorf("could not convert source name: %v", err)
 	}
 
+	err = evlog.Install(source, msgFile, keyName, false, levels, uint32(len(ktypes.Categories())))
+	if err != nil {
+		if !errors.Is(err, evlog.ErrKeyExists{}) {
+			return nil, err
+		}
+	}
+
 	h, err := windows.RegisterEventSource(nil, sourceName)
 	if err != nil {
 		return nil, fmt.Errorf("could not register event source: %v", err)

pkg/kevent/kevent.go

@@ -120,10 +120,10 @@ func (e *Kevent) String() string {
 		Name: %s
 		Category: %s
 		Description: %s
-		Host: %s,
-		Timestamp: %s,
-		Kparams: %s,
-		Metadata: %s,
+		Host: %s
+		Timestamp: %s
+		Kparams: %s
+		Metadata: %s
 	    %s
 	`,
 			e.Seq,
@@ -150,9 +150,9 @@ func (e *Kevent) String() string {
 		Name: %s
 		Category: %s
 		Description: %s
-		Host: %s,
-		Timestamp: %s,
-		Kparams: %s,
+		Host: %s
+		Timestamp: %s
+		Kparams: %s
 		Metadata: %s
 	`,
 		e.Seq,
@@ -170,6 +170,55 @@ func (e *Kevent) String() string {
 	)
 }
 
+// StringShort returns event's string representation
+// by removing some irrelevant event/process fields.
+func (e *Kevent) StringShort() string {
+	e.mmux.RLock()
+	defer e.mmux.RUnlock()
+	if e.PS != nil {
+		return fmt.Sprintf(`
+		Seq: %d
+		Pid: %d
+		Tid: %d
+		Name: %s
+		Category: %s
+		Host: %s
+		Timestamp: %s
+		Parameters: %s
+    %s
+	`,
+			e.Seq,
+			e.PID,
+			e.Tid,
+			e.Name,
+			e.Category,
+			e.Host,
+			e.Timestamp,
+			e.Kparams,
+			e.PS.StringShort(),
+		)
+	}
+	return fmt.Sprintf(`
+		Seq: %d
+		Pid: %d
+		Tid: %d
+		Name: %s
+		Category: %s
+		Host: %s
+		Timestamp: %s
+		Parameters: %s
+	`,
+		e.Seq,
+		e.PID,
+		e.Tid,
+		e.Name,
+		e.Category,
+		e.Host,
+		e.Timestamp,
+		e.Kparams,
+	)
+}
+
 // Empty return a pristine event instance.
 func Empty() *Kevent {
 	return &Kevent{

pkg/outputs/eventlog/api.go

@@ -25,21 +25,17 @@ package eventlog
 import (
 	"bytes"
 	"errors"
-	"fmt"
 	"github.com/rabbitstack/fibratus/pkg/kevent/ktypes"
+	"github.com/rabbitstack/fibratus/pkg/util/eventlog"
 	"syscall"
 
 	"golang.org/x/sys/windows"
-	"golang.org/x/sys/windows/registry"
 )
 
 const addKeyName = `SYSTEM\CurrentControlSet\Services\EventLog\Application`
 
 var categoryCount = len(ktypes.Categories())
 
-// ErrKeyExists signals that the registry key already exists
-var ErrKeyExists = fmt.Errorf("%s\\%s already exists", addKeyName, source)
-
 // Eventlog provides access to the system log.
 type Eventlog struct {
 	Handle windows.Handle
@@ -74,59 +70,6 @@ func OpenRemote(host, source string) (*Eventlog, error) {
 	return &Eventlog{Handle: h}, nil
 }
 
-// Install modifies PC registry to allow logging with an event source src.
-// It adds all required keys and values to the event log registry key.
-// Install uses msgFile as the event message file. If useExpandKey is true,
-// the event message file is installed as REG_EXPAND_SZ value,
-// otherwise as REG_SZ. Use bitwise of log.Error, log.Warning and
-// log.Info to specify events supported by the new event source.
-func Install(src, msgFile string, useExpandKey bool, eventsSupported uint32) error {
-	appkey, err := registry.OpenKey(registry.LOCAL_MACHINE, addKeyName, registry.CREATE_SUB_KEY)
-	if err != nil {
-		return err
-	}
-	defer appkey.Close()
-
-	sk, alreadyExist, err := registry.CreateKey(appkey, src, registry.SET_VALUE)
-	if err != nil {
-		return err
-	}
-	defer sk.Close()
-	if alreadyExist {
-		return ErrKeyExists
-	}
-
-	err = sk.SetDWordValue("CustomSource", 1)
-	if err != nil {
-		return err
-	}
-	if useExpandKey {
-		err = sk.SetExpandStringValue("EventMessageFile", msgFile)
-	} else {
-		err = sk.SetStringValue("EventMessageFile", msgFile)
-	}
-	if err != nil {
-		return err
-	}
-	if useExpandKey {
-		err = sk.SetExpandStringValue("CategoryMessageFile", msgFile)
-	} else {
-		err = sk.SetStringValue("CategoryMessageFile", msgFile)
-	}
-	if err != nil {
-		return err
-	}
-	err = sk.SetDWordValue("TypesSupported", eventsSupported)
-	if err != nil {
-		return err
-	}
-	err = sk.SetDWordValue("CategoryCount", uint32(categoryCount))
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
 // Close closes event log.
 func (l *Eventlog) Close() error {
 	return windows.DeregisterEventSource(l.Handle)
@@ -151,15 +94,15 @@ func (l *Eventlog) report(etype uint16, eid uint32, category uint16, msg []byte)
 
 // Info writes an information event msg with event id eid to the end of event log.
 func (l *Eventlog) Info(eid uint32, category uint16, msg []byte) error {
-	return l.report(uint16(Info), eid, category, msg)
+	return l.report(uint16(eventlog.Info), eid, category, msg)
 }
 
 // Warning writes a warning event msg with event id eid to the end of event log.
 func (l *Eventlog) Warning(eid uint32, category uint16, msg []byte) error {
-	return l.report(uint16(Warn), eid, category, msg)
+	return l.report(uint16(eventlog.Warn), eid, category, msg)
 }
 
 // Error writes an error event msg with event id eid to the end of event log.
 func (l *Eventlog) Error(eid uint32, category uint16, msg []byte) error {
-	return l.report(uint16(Erro), eid, category, msg)
+	return l.report(uint16(eventlog.Erro), eid, category, msg)
 }

pkg/outputs/eventlog/config.go

@@ -19,7 +19,6 @@
 package eventlog
 
 import (
-	"fmt"
 	"github.com/rabbitstack/fibratus/pkg/kevent"
 	"text/template"
 
@@ -33,31 +32,6 @@ const (
 	tmpl       = "output.eventlog.template"
 )
 
-// Level is the type definition for the eventlog log level
-type Level uint16
-
-const (
-	// Info represents the info log level
-	Info Level = 4
-	// Warn represents the warning info level
-	Warn Level = 2
-	// Erro represents the error log level
-	Erro Level = 1
-)
-
-func levelFromString(s string) Level {
-	switch s {
-	case "info", "INFO":
-		return Info
-	case "warn", "warning", "WARN", "WARNING":
-		return Warn
-	case "erro", "error", "ERRO", "ERROR":
-		return Erro
-	default:
-		panic(fmt.Sprintf("unrecognized evtlog level: %s", s))
-	}
-}
-
 // Config contains configuration properties for fine-tuning the eventlog output.
 type Config struct {
 	// Enabled determines whether the eventlog output is enabled.

pkg/outputs/eventlog/eventlog.go

@@ -22,6 +22,7 @@ package eventlog
 
 import (
 	"errors"
+	"github.com/rabbitstack/fibratus/pkg/util/eventlog"
 	"text/template"
 
 	"github.com/rabbitstack/fibratus/pkg/kevent/ktypes"
@@ -34,7 +35,7 @@ const (
 	// source under which eventlog events are reported
 	source = "Fibratus"
 	// levels designates the supported eventlog levels
-	levels = uint32(Info | Warn | Erro)
+	levels = uint32(eventlog.Info | eventlog.Warn | eventlog.Erro)
 	// msgFile specifies the location of the eventlog message DLL
 	msgFile = "%ProgramFiles%\\Fibratus\\fibratus.dll"
 
@@ -63,10 +64,10 @@ func initEventlog(config outputs.Config) (outputs.OutputGroup, error) {
 	if !ok {
 		return outputs.Fail(outputs.ErrInvalidConfig(outputs.Eventlog, config.Output))
 	}
-	err := Install(source, msgFile, false, levels)
+	err := eventlog.Install(source, msgFile, addKeyName, false, levels, uint32(categoryCount))
 	if err != nil {
 		// ignore error if the key already exists
-		if !errors.Is(err, ErrKeyExists) {
+		if !errors.Is(err, eventlog.ErrKeyExists{}) {
 			return outputs.Fail(err)
 		}
 	}
@@ -132,12 +133,12 @@ func (e *evtlog) publish(kevt *kevent.Kevent) error {
 }
 
 func (e *evtlog) log(eventID uint32, categoryID uint16, buf []byte) error {
-	switch levelFromString(e.config.Level) {
-	case Info:
+	switch eventlog.LevelFromString(e.config.Level) {
+	case eventlog.Info:
 		return e.evtlog.Info(eventID, categoryID, buf)
-	case Warn:
+	case eventlog.Warn:
 		return e.evtlog.Warning(eventID, categoryID, buf)
-	case Erro:
+	case eventlog.Erro:
 		return e.evtlog.Error(eventID, categoryID, buf)
 	default:
 		panic("unknown eventlog level")

pkg/ps/types/types_windows.go

@@ -201,6 +201,72 @@ func (ps *PS) String() string {
 	)
 }
 
+// StringShort returns a string representation of the process' state
+// by removing some verbose attributes such as the env variables block.
+func (ps *PS) StringShort() string {
+	parent := ps.Parent
+	if parent != nil {
+		return fmt.Sprintf(`
+		Pid:  %d
+		Ppid: %d
+		Name: %s
+		Parent name: %s
+		Cmdline: %s
+		Parent cmdline: %s
+		Exe:  %s
+		Cwd:  %s
+		SID:  %s
+		Username: %s
+		Domain: %s
+		Args: %s
+		Session ID: %d
+		Ancestors: %s
+	`,
+			ps.PID,
+			ps.Ppid,
+			ps.Name,
+			parent.Name,
+			ps.Cmdline,
+			parent.Cmdline,
+			ps.Exe,
+			ps.Cwd,
+			ps.SID,
+			ps.Username,
+			ps.Domain,
+			ps.Args,
+			ps.SessionID,
+			strings.Join(ps.Ancestors(), " > "),
+		)
+	}
+	return fmt.Sprintf(`
+		Pid:  %d
+		Ppid: %d
+		Name: %s
+		Cmdline: %s
+		Exe:  %s
+		Cwd:  %s
+		SID:  %s
+		Username: %s
+		Domain: %s
+		Args: %s
+		Session ID: %d
+		Ancestors: %s
+	`,
+		ps.PID,
+		ps.Ppid,
+		ps.Name,
+		ps.Cmdline,
+		ps.Exe,
+		ps.Cwd,
+		ps.SID,
+		ps.Username,
+		ps.Domain,
+		ps.Args,
+		ps.SessionID,
+		strings.Join(ps.Ancestors(), " > "),
+	)
+}
+
 // Ancestors returns all ancestors of this process. The string slice contains
 // the process image name followed by the process id.
 func (ps *PS) Ancestors() []string {