in extensions/windows-event-log/ConsumeWindowsEventLog.cpp [450:544]
nonstd::expected<cwel::EventRender, std::string> ConsumeWindowsEventLog::createEventRender(EVT_HANDLE hEvent) {
auto event_as_xml = renderEventAsXml(hEvent);
if (!event_as_xml)
return nonstd::make_unexpected(event_as_xml.error());
pugi::xml_document doc;
if (!doc.load_string(event_as_xml->c_str()))
return nonstd::make_unexpected("Invalid XML produced");
cwel::EventRender result;
// this is a well known path.
std::string provider_name = doc.child("Event").child("System").child("Provider").attribute("Name").value();
wel::WindowsEventLogMetadataImpl metadata{getEventLogHandler(provider_name).getMetadata(), hEvent};
wel::MetadataWalker walker{metadata, path_.str(), !resolve_as_attributes_, apply_identifier_function_, regex_ ? &*regex_ : nullptr, userIdToUsernameFunction()};
// resolve the event metadata
doc.traverse(walker);
logger_->log_trace("Finish doc traversing, performing writing...");
if (output_format_ == cwel::OutputFormat::Plaintext || output_format_ == cwel::OutputFormat::Both) {
logger_->log_trace("Writing event in plain text");
auto& handler = getEventLogHandler(provider_name);
auto event_message = handler.getEventMessage(hEvent);
if (event_message) {
for (const auto& map_entry : walker.getIdentifiers()) {
if (map_entry.first.empty() || map_entry.second.empty()) {
continue;
}
utils::string::replaceAll(*event_message, map_entry.first, map_entry.second);
}
}
std::string_view payload_name = event_message ? "Message" : "Error";
wel::WindowsEventLogHeader log_header(header_names_, header_delimiter_, payload_name.size());
result.plaintext = log_header.getEventHeader([&walker](wel::METADATA metadata) { return walker.getMetadata(metadata); });
result.plaintext += payload_name;
result.plaintext += log_header.getDelimiterFor(payload_name.size());
result.plaintext += event_message.has_value() ? *event_message : event_message.error().message();
logger_->log_trace("Finish writing in plain text");
}
if (output_format_ != cwel::OutputFormat::Plaintext) {
substituteXMLPercentageItems(doc);
logger_->log_trace("Finish substituting %% in XML");
}
if (resolve_as_attributes_) {
result.matched_fields = walker.getFieldValues();
}
if (output_format_ == cwel::OutputFormat::XML || output_format_ == cwel::OutputFormat::Both) {
logger_->log_trace("Writing event in XML");
wel::XmlString writer;
doc.print(writer, "", pugi::format_raw); // no indentation or formatting
event_as_xml = writer.xml_;
result.xml = std::move(*event_as_xml);
logger_->log_trace("Finish writing in XML");
}
if (output_format_ == cwel::OutputFormat::JSON) {
switch (json_format_) {
case cwel::JsonFormat::Raw: {
logger_->log_trace("Writing event in raw JSON");
result.json = wel::jsonToString(wel::toRawJSON(doc));
logger_->log_trace("Finish writing in raw JSON");
break;
}
case cwel::JsonFormat::Simple: {
logger_->log_trace("Writing event in simple JSON");
result.json = wel::jsonToString(wel::toSimpleJSON(doc));
logger_->log_trace("Finish writing in simple JSON");
break;
}
case cwel::JsonFormat::Flattened: {
logger_->log_trace("Writing event in flattened JSON");
result.json = wel::jsonToString(wel::toFlattenedJSON(doc));
logger_->log_trace("Finish writing in flattened JSON");
break;
}
default: {
gsl_Assert(false);
}
}
}
return result;
}