# win-events

`win-events` is a Rust library to pull Windows log events. The following output format is supported.

Add this to your `Cargo.toml`:

```toml
[dependencies]
win-events = { git = "https://github.com/asiyani/win-events", branch = "v0.1.0" }
```
The `filter` package builds the filter XML query string that is used in the reader subscription. Each `filter::Config` has the following fields:

- `channel`: name of the channel to monitor for events. To list the available channels, run `Get-WinEvent -ListLog * | format-list -property LogName`.
- `event_id`: a comma-separated list of event IDs to include or exclude. The accepted values are a single event ID to include, a range of event IDs to include (`4600-5300`), and, to exclude, the same with a minus sign first. For example: `1,3,5-99,-76,-300-400`.
- `level`: a list of log levels to include.
- `ignore_older`: a number of seconds; if specified, events older than that amount of time are excluded.
- `provider`: a list of providers (source names) to include.
```rust
// Module paths assumed from the crate layout (`win_events::filter`, `filter::Level`).
use win_events::filter::{self, Level};

fn main() {
    let f1 = filter::Config {
        channel: "Application".to_string(),
        // include 1, 16384 and 100-200; exclude 3433 and 300-400
        event_id: Some("1,16384,-3433,100-200,-300-400".to_string()),
        level: Some(vec![Level::Information, Level::Warning]),
        ignore_older: Some(43200), // skip events older than 12 hours
        provider: None,
    };
    // One config per channel; the resulting query covers all of them
    // and is passed to the reader subscription.
    let query = filter::build_query(vec![f1]);
}
```
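As an added example (not code from the win-events crate), the following parses the `event_id` syntax described above into include/exclude ranges and checks IDs against it, so a filter string can be validated before it is placed in `filter::Config`. The rule that an empty include list matches every ID is an assumption of this example; the page does not state the crate's behaviour for that case.

```rust
// Added example, not code from the win-events crate: parses the `event_id`
// syntax ("1,3,5-99,-76,-300-400") into include/exclude ranges and checks
// IDs against it, so a filter string can be validated before use.
// Assumption of this example: an empty include list means "all IDs".

#[derive(Debug, Default, PartialEq)]
pub struct EventIdFilter {
    pub include: Vec<(u32, u32)>, // inclusive (low, high) ranges
    pub exclude: Vec<(u32, u32)>,
}

/// "5-99" is an inclusive range, "76" a single ID (stored as (76, 76)).
fn parse_range(s: &str) -> Result<(u32, u32), String> {
    let (lo, hi) = s.split_once('-').unwrap_or((s, s));
    let lo: u32 = lo.trim().parse().map_err(|_| format!("bad event id: {:?}", s))?;
    let hi: u32 = hi.trim().parse().map_err(|_| format!("bad event id: {:?}", s))?;
    if lo > hi {
        return Err(format!("range start after end: {:?}", s));
    }
    Ok((lo, hi))
}

/// Parse a comma-separated spec such as "1,3,5-99,-76,-300-400".
pub fn parse_event_ids(spec: &str) -> Result<EventIdFilter, String> {
    let mut f = EventIdFilter::default();
    for item in spec.split(',') {
        let item = item.trim();
        if item.is_empty() {
            return Err("empty item in event id list".to_string());
        }
        // A leading minus marks an exclusion: "-76" or "-300-400".
        match item.strip_prefix('-') {
            Some(rest) => f.exclude.push(parse_range(rest)?),
            None => f.include.push(parse_range(item)?),
        }
    }
    Ok(f)
}

impl EventIdFilter {
    /// True when an include range covers `id` and no exclude range does.
    pub fn matches(&self, id: u32) -> bool {
        let covers = |(lo, hi): &(u32, u32)| *lo <= id && id <= *hi;
        let included = self.include.is_empty() || self.include.iter().any(covers);
        included && !self.exclude.iter().any(covers)
    }
}
```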
The `reader` package provides functions to pull events matching the query. If `read_oldest` is set to true, existing events are returned as well; otherwise only future events are returned.

- `next` pulls one event at a time. `NoMoreLogs` is returned when there are no more logs to pull for the given query.
- `get_bookmark` returns a bookmark XML string, which the caller can use in the next run to specify the starting point from which to pull events.
```rust
use std::{thread, time};
use win_events::{error::ErrorKind, reader};

fn main() {
    // Adjust options (for example read_oldest) on the config before init.
    let config = reader::Config::default();
    let r = reader::Reader::init(config).unwrap();
    loop {
        match r.next() {
            Ok(event) => println!("{:?}", event),
            Err(err) => match err.kind {
                // Nothing new yet: wait and poll again.
                ErrorKind::NoMoreLogs => {
                    thread::sleep(time::Duration::from_secs(2));
                    continue;
                }
                // A single event could not be read; skip it and keep going.
                ErrorKind::Event => {
                    println!("unable to get event {}", err);
                    continue;
                }
                // The subscription itself failed; stop and save the bookmark.
                ErrorKind::Subscription => {
                    println!("error occurred in event subscription {}", err);
                    break;
                }
            },
        }
    }
    // Persist this bookmark to resume from the same point on the next run.
    if let Ok(xml) = r.get_bookmark() {
        println!("xml bookmark: {}", xml);
    }
}
```