[receiver/windowseventlog]: Parse UserData tag #28621
Conversation
There was a problem hiding this comment.
Hi @BinaryFissionGames - this is looking good, I made a suggestion for a change on the type so it matches the event schema correctly.
One question that I have in my mind is that we added the EventData because if the publisher manifest is missing there wasn't any useful information on the log. For events with UserData can you check what happens if the publisher manifest is broken/missing?
The example used in the tests seems made up from events with EventData using the attribute Name. In my Windows 10 box I found the following sources with actual UserData, they will provide a better example:
$ Get-WinEvent Application | Where { $xml = [xml]$_.ToXml(); $xml.event.userdata -ne $null } | Group ProviderName, Id, Level | Select Count, Name
Count Name
----- ----
1856 Microsoft-Windows-RestartManager, 10000, 4
1792 Microsoft-Windows-RestartManager, 10001, 4
3 Microsoft-Windows-RestartManager, 10005, 4
10 Microsoft-Windows-RestartManager, 10010, 3
2 Microsoft-Windows-Winsrv, 10002, 4
12 Microsoft-Windows-WMI, 63, 3cc @djaglowski
| @@ -31,6 +32,7 @@ type EventXML struct { | |||
| Security *Security `xml:"System>Security"` | |||
| Execution *Execution `xml:"System>Execution"` | |||
| EventData []EventDataEntry `xml:"EventData>Data"` | |||
| UserData *AnyXML `xml:"UserData"` | |||
There was a problem hiding this comment.
I think here we want something like:
| UserData *AnyXML `xml:"UserData"` | |
| UserData *UserData `xml:"UserData"` |
and UserData to be something like:
Elements []AnyXML
Attributes map[string]stringThis is matches the event schema.
| attributes map[string]string | ||
| chardata string | ||
| children []AnyXML | ||
| } |
There was a problem hiding this comment.
The type looks good - I'm not sure about the naming and visibility of the fields.
|
This PR was marked stale due to lack of activity. It will be closed in 14 days. |
|
Closed as inactive. Feel free to reopen if this PR is still being worked on. |
|
Hi @BinaryFissionGames - do you think you will have a chance to work on this PR? |
Description:
Parses the UserData tag into a recursive structure like this:
Link to tracking Issue: #27810
Testing:
Unit testing.
Manually tested with clearing audit logs (generates an event with UserData filled in)