chore(alertsenders): Create a common eventlog package

This package is a foundation for the future consolidation
of the shared eventlog functionality. Additionally, it
offers the function for construction of the event id from
multiple components.

Author: rabbitstack

pkg/util/eventlog/eventid.go

@@ -0,0 +1,57 @@
+/*
+ * Copyright 2021-2022 by Nedim Sabic Sabic
+ * https://www.fibratus.io
+ * All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package eventlog
+
+import "golang.org/x/sys/windows"
+
+// EventID produces the eventlog event identifier from the given
+// severity and event code. The format of the event id
+// integer is described by the next layout:
+//
+//	3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1
+//	1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
+//
+// +---+-+-+-----------------------+-------------------------------+
+// |Sev|C|R|     Facility          |               Code            |
+// +---+-+-+-----------------------+-------------------------------+
+func EventID(etype, code uint16) uint32 {
+	var id uint32
+
+	// severity
+	switch etype {
+	case windows.EVENTLOG_INFORMATION_TYPE:
+		id = uint32(0)<<30 | uint32(1)<<29
+	case windows.EVENTLOG_WARNING_TYPE:
+		id = uint32(1)<<30 | uint32(0)<<29
+	case windows.EVENTLOG_ERROR_TYPE:
+		id = uint32(1)<<30 | uint32(1)<<29
+	default:
+		id = uint32(0)<<30 | uint32(1)<<29
+	}
+	// customer bit
+	id |= uint32(0) << 28
+	// reserved bit
+	id |= uint32(0) << 27
+	// facility
+	id |= uint32(0) << 15
+	// code
+	id |= uint32(code)
+
+	return id
+}

pkg/util/eventlog/eventid_test.go

@@ -0,0 +1,52 @@
+/*
+ * Copyright 2021-2022 by Nedim Sabic Sabic
+ * https://www.fibratus.io
+ * All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package eventlog
+
+import (
+	"fmt"
+	"github.com/stretchr/testify/assert"
+	"golang.org/x/sys/windows"
+	"testing"
+)
+
+func TestEventID(t *testing.T) {
+	var tests = []struct {
+		eid      uint32
+		expected uint32
+	}{
+		{
+			EventID(windows.EVENTLOG_INFORMATION_TYPE, 3191),
+			0x20000c77,
+		},
+		{
+			EventID(windows.EVENTLOG_WARNING_TYPE, 3191),
+			0x40000c77,
+		},
+		{
+			EventID(windows.EVENTLOG_ERROR_TYPE, 3191),
+			0x60000c77,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(fmt.Sprintf("%d", tt.expected), func(t *testing.T) {
+			assert.Equal(t, tt.expected, tt.eid)
+		})
+	}
+}

pkg/util/eventlog/eventlog.go

@@ -20,9 +20,27 @@ package eventlog
 
 import (
 	"fmt"
+	"github.com/rabbitstack/fibratus/pkg/kevent/ktypes"
 	"golang.org/x/sys/windows/registry"
 )
 
+const (
+	// Source represents the event source that generates the alerts
+	Source = "Fibratus"
+	// Levels designates the supported eventlog levels
+	Levels = uint32(Info | Warn | Erro)
+	// msgFile specifies the location of the eventlog message DLL
+	msgFile = "%ProgramFiles%\\Fibratus\\fibratus.dll"
+	// keyName represents the registry key under which the eventlog source is registered
+	keyName = `SYSTEM\CurrentControlSet\Services\EventLog\Application`
+)
+
+// ErrKeyExists signals that the registry key already exists
+var ErrKeyExists = fmt.Errorf("%s\\%s already exists", keyName, Source)
+
+// categoryCount indicates the number of current event categories
+var categoryCount = uint32(len(ktypes.Categories()))
+
 // Level is the type definition for the eventlog log level
 type Level uint16
 
@@ -35,77 +53,45 @@ const (
 	Erro Level = 1
 )
 
-// LevelFromString resolves the eventlog levle from string
-func LevelFromString(s string) Level {
-	switch s {
-	case "info", "INFO":
-		return Info
-	case "warn", "warning", "WARN", "WARNING":
-		return Warn
-	case "erro", "error", "ERRO", "ERROR":
-		return Erro
-	default:
-		panic(fmt.Sprintf("unrecognized evtlog level: %s", s))
-	}
-}
-
-// ErrKeyExists signals that the registry key already exists
-type ErrKeyExists struct {
-	src string
-	key string
-}
-
-func (e ErrKeyExists) Error() string {
-	return fmt.Sprintf("%s\\%s already exists", e.key, e.src)
-}
-
 // Install modifies PC registry to allow logging with an event source src.
 // It adds all required keys and values to the event log registry key.
 // Install uses msgFile as the event message file. If useExpandKey is true,
 // the event message file is installed as REG_EXPAND_SZ value,
-// otherwise as REG_SZ. Use bitwise of log.Error, log.Warning and
-// log.Info to specify events supported by the new event source.
-func Install(src, f, key string, useExpandKey bool, eventsSupported, cats uint32) error {
-	appkey, err := registry.OpenKey(registry.LOCAL_MACHINE, key, registry.CREATE_SUB_KEY)
+// otherwise as REG_SZ. Use bitwise of Errr, Warn, and Info to specify events
+// supported by the new event source.
+func Install(eventsSupported uint32) error {
+	key, err := registry.OpenKey(registry.LOCAL_MACHINE, keyName, registry.CREATE_SUB_KEY)
 	if err != nil {
 		return err
 	}
-	defer appkey.Close()
+	defer key.Close()
 
-	sk, alreadyExist, err := registry.CreateKey(appkey, src, registry.SET_VALUE)
+	sk, exists, err := registry.CreateKey(key, Source, registry.SET_VALUE)
 	if err != nil {
 		return err
 	}
 	defer sk.Close()
-	if alreadyExist {
-		return ErrKeyExists{src, key}
+	if exists {
+		return ErrKeyExists
 	}
 
 	err = sk.SetDWordValue("CustomSource", 1)
 	if err != nil {
 		return err
 	}
-	if useExpandKey {
-		err = sk.SetExpandStringValue("EventMessageFile", f)
-	} else {
-		err = sk.SetStringValue("EventMessageFile", f)
-	}
+	err = sk.SetExpandStringValue("EventMessageFile", msgFile)
 	if err != nil {
 		return err
 	}
-	if useExpandKey {
-		err = sk.SetExpandStringValue("CategoryMessageFile", f)
-	} else {
-		err = sk.SetStringValue("CategoryMessageFile", f)
-	}
+	err = sk.SetExpandStringValue("CategoryMessageFile", msgFile)
 	if err != nil {
 		return err
 	}
 	err = sk.SetDWordValue("TypesSupported", eventsSupported)
 	if err != nil {
 		return err
 	}
-	err = sk.SetDWordValue("CategoryCount", cats)
+	err = sk.SetDWordValue("CategoryCount", categoryCount)
 	if err != nil {
 		return err
 	}