Overview
Package kevent defines the fundamental data structures that underpin the state of every kernel event pushed from the consumer.
Index
- Variables
- type Batch
- type Formatter
- type Kevent
- type Kparam
- type Kparams
- func (kpars Kparams) Append(name string, typ kparams.Type, value kparams.Value) Kparams
- func (kpars Kparams) AppendFromKcap(name string, typ kparams.Type, value kparams.Value) Kparams
- func (kpars Kparams) Build() Kparams
- func (kpars Kparams) Contains(name string) bool
- func (kpars Kparams) Find(name string) *Kparam
- func (kpars Kparams) Get(name string) (kparams.Value, error)
- func (kpars Kparams) GetDouble(name string) (float64, error)
- func (kpars Kparams) GetFloat(name string) (float32, error)
- func (kpars Kparams) GetHex(name string) (kparams.Hex, error)
- func (kpars Kparams) GetHexAsUint32(name string) (uint32, error)
- func (kpars Kparams) GetHexAsUint64(name string) (uint64, error)
- func (kpars Kparams) GetHexAsUint8(name string) (uint8, error)
- func (kpars Kparams) GetIP(name string) (net.IP, error)
- func (kpars Kparams) GetIPv4(name string) (net.IP, error)
- func (kpars Kparams) GetIPv6(name string) (net.IP, error)
- func (kpars Kparams) GetInt16(name string) (int16, error)
- func (kpars Kparams) GetInt32(name string) (int32, error)
- func (kpars Kparams) GetInt64(name string) (int64, error)
- func (kpars Kparams) GetInt8(name string) (int8, error)
- func (kpars Kparams) GetPid() (uint32, error)
- func (kpars Kparams) GetPpid() (uint32, error)
- func (kpars Kparams) GetSlice(name string) (kparams.Value, error)
- func (kpars Kparams) GetString(name string) (string, error)
- func (kpars Kparams) GetStringSlice(name string) ([]string, error)
- func (kpars Kparams) GetTid() (uint32, error)
- func (kpars Kparams) GetTime(name string) (time.Time, error)
- func (kpars Kparams) GetUint16(name string) (uint16, error)
- func (kpars Kparams) GetUint32(name string) (uint32, error)
- func (kpars Kparams) GetUint64(name string) (uint64, error)
- func (kpars Kparams) GetUint8(name string) (uint8, error)
- func (kpars Kparams) Len() int
- func (kpars Kparams) MustGetPid() uint32
- func (kpars Kparams) MustGetString(name string) string
- func (kpars Kparams) MustGetTime(name string) time.Time
- func (kpars Kparams) MustGetUint32(name string) uint32
- func (kpars Kparams) Remove(name string)
- func (kpars Kparams) Set(name string, value kparams.Value, typ kparams.Type) error
- func (kpars Kparams) SetValue(name string, value kparams.Value) error
- func (kpars Kparams) String() string
- func (kpars Kparams) TryGetHexAsUint32(name string) (uint32, error)
- func (kpars Kparams) TryGetHexAsUint64(name string) (uint64, error)
- func (kpars Kparams) TryGetHexAsUint8(name string) (uint8, error)
- type Metadata
- type MetadataKey
- type ParamCaseStyle
Constants
This section is empty.
Variables
var ParamKVDelimiter = "➜ "
ParamKVDelimiter specifies the character that delimits a parameter's key from its value.
var ParamNameCaseStyle = SnakeCase
ParamNameCaseStyle designates the case style for kernel parameter names.
var Template = `` /* 1903-byte string literal not displayed */
Template is the default Go template used for formatting events in textual format.
var TimestampFormat string
TimestampFormat is the Go time layout used for the kernel event timestamp.
Functions
This section is empty.
Types
type Batch
type Batch struct {
Events []*Kevent
}
Batch contains a sequence of kernel events.
func (*Batch) MarshalJSON
MarshalJSON serializes the batch of events to JSON format.
type Formatter
type Formatter struct {
// contains filtered or unexported fields
}
Formatter produces the event output dictated by the template.
func NewFormatter
NewFormatter builds a new instance of the event formatter.
type Kevent
type Kevent struct {
	// Seq is the monotonically incremented kernel event sequence.
	Seq uint64 `json:"seq"`
	// PID is the identifier of the process that generated the event.
	PID uint32 `json:"pid"`
	// Tid is the thread identifier of the thread that generated the event.
	Tid uint32 `json:"tid"`
	// Type is the internal representation of the kernel event. This field should be ignored by serializers.
	Type ktypes.Ktype `json:"-"`
	// CPU designates the processor logical core where the event was originated.
	CPU uint8 `json:"cpu"`
	// Name is the human friendly name of the kernel event.
	Name string `json:"name"`
	// Category designates the category to which this event pertains.
	Category ktypes.Category `json:"category"`
	// Description is the short explanation that describes the purpose of the event.
	Description string `json:"description"`
	// Host is the machine name that reported the generated event.
	Host string `json:"host"`
	// Timestamp represents the temporal occurrence of the event.
	Timestamp time.Time `json:"timestamp"`
	// Kparams stores the collection of kernel event parameters.
	Kparams Kparams `json:"params"`
	// Metadata represents any tags that are meaningful to this event.
	Metadata Metadata `json:"metadata"`
	// PS represents process' metadata and its allocated resources such as handles, DLLs, etc.
	PS *pstypes.PS `json:"ps,omitempty"`
}
Kevent encapsulates the kernel event's payload.
func New
func New(seq uint64, pid, tid uint32, cpu uint8, ktype ktypes.Ktype, ts time.Time, kpars Kparams) *Kevent
New constructs a new kernel event instance.
func NewFromKcap
NewFromKcap recovers the kernel event instance from the kcapture byte buffer.
func (*Kevent) AddMeta
func (kevt *Kevent) AddMeta(k MetadataKey, v any)
AddMeta appends a key/value pair to the event's metadata.
func (*Kevent) RenderCustomTemplate (added in v1.8.0)
RenderCustomTemplate returns the event string representation after applying the given Go template.
func (*Kevent) RenderDefaultTemplate (added in v1.8.0)
RenderDefaultTemplate returns the event string representation after applying the default Go template.
func (*Kevent) SequenceBy (added in v1.10.0)
SequenceBy returns the BY statement join field from the event metadata.
type Kparam
type Kparam struct {
	// Type is the type of the parameter. For example, `sport` parameter has the `Port` type although its value
	// is the uint16 numeric type.
	Type kparams.Type `json:"-"`
	// Value is the container for parameter values. To access the underlying value use the appropriate `Get` methods.
	Value kparams.Value `json:"value"`
	// Name represents the name of the parameter (e.g. pid, sport).
	Name string `json:"name"`
}
Kparam defines the layout of the kernel event parameter.
type Kparams
Kparams is the type that represents the sequence of kernel event parameters.
func KparamsFromSlice (added in v1.6.0)
KparamsFromSlice creates the params map from the variadic param list.
func NewKparamBuilder (added in v1.8.0)
NewKparamBuilder yields a new event parameter builder.
func (Kparams) AppendFromKcap
AppendFromKcap adds a new parameter with the specified name, type and value from the kcap state.
func (Kparams) Find
Find returns the kparam with the specified name. If it is not found, nil is returned.
func (Kparams) Get
Get returns the raw value for the given parameter name. The caller is responsible for type-asserting the value to obtain its underlying type.
func (Kparams) GetDouble
GetDouble returns the underlying double (float64) value from the parameter.
func (Kparams) GetHex
GetHex returns the generic hexadecimal type for the specified parameter name.
func (Kparams) GetHexAsUint32
GetHexAsUint32 returns the parameter's hexadecimal representation as a uint32 value.
func (Kparams) GetHexAsUint64
GetHexAsUint64 returns the parameter's hexadecimal representation as a uint64 value.
func (Kparams) GetHexAsUint8
GetHexAsUint8 returns the parameter's hexadecimal representation as a uint8 value.
func (Kparams) GetStringSlice
GetStringSlice returns the string slice from the event parameter.
func (Kparams) MustGetPid (added in v1.6.0)
MustGetPid returns the pid parameter. It panics if an error occurs while trying to get the pid parameter.
func (Kparams) MustGetString (added in v1.6.0)
MustGetString returns the string parameter or panics if an error occurs while trying to get the parameter.
func (Kparams) MustGetTime (added in v1.10.0)
MustGetTime returns the underlying time structure from the parameter or panics if any error occurs.
func (Kparams) MustGetUint32 (added in v1.6.0)
MustGetUint32 returns the underlying uint32 parameter value. It panics if an error occurs while trying to get the parameter.
func (Kparams) Set
Set replaces the value indexed at an existing parameter name. It returns an error if the supplied parameter is not present.
func (Kparams) SetValue (added in v1.6.0)
SetValue replaces the value for the given parameter name. It returns an error if the supplied parameter is not present in the parameter map.
func (Kparams) String
String returns the string representation of the event parameters. Parameter names are rendered according to the currently active parameter case style.
func (Kparams) TryGetHexAsUint32 (added in v1.6.0)
TryGetHexAsUint32 attempts to get the uint32 value from its hexadecimal representation. If the param is present but doesn't have the hex type, the param value is directly coerced into a uint32 scalar.
func (Kparams) TryGetHexAsUint64 (added in v1.6.0)
TryGetHexAsUint64 attempts to get the uint64 value from its hexadecimal representation. If the param is present but doesn't have the hex type, the param value is directly coerced into a uint64 scalar.
func (Kparams) TryGetHexAsUint8 (added in v1.6.0)
TryGetHexAsUint8 attempts to get the uint8 value from its hexadecimal representation. If the param is present but doesn't have the hex type, the param value is directly coerced into a uint8 scalar.
type Metadata
type Metadata map[MetadataKey]any
Metadata is a type alias for event metadata. Any tag, i.e. key/value pair, can be attached to the metadata.
type MetadataKey (added in v1.5.0)
type MetadataKey string
MetadataKey represents the type definition for the metadata keys.
const (
	// YaraMatchesKey is the tag name for the yara matches JSON representation
	YaraMatchesKey MetadataKey = "yara.matches"
	// RuleNameKey identifies the rule that was triggered by the event
	RuleNameKey MetadataKey = "rule.name"
	// RuleGroupKey identifies the group to which the triggered rule pertains
	RuleGroupKey MetadataKey = "rule.group"
	RuleSequenceByKey MetadataKey = "rule.seq.by"
)
func (MetadataKey) String (added in v1.5.0)
func (key MetadataKey) String() string
type ParamCaseStyle
type ParamCaseStyle uint8
ParamCaseStyle is the type definition for the parameter name case style.
const (
	// SnakeCase is the default parameter's name case style. Multi-word parameters are delimited by underscore symbol (e.g. process_object)
	SnakeCase ParamCaseStyle = 1
	// DotCase style uses a dot to separate multi-word parameter names (e.g. process.object)
	DotCase ParamCaseStyle = 2
	// PascalCase renders parameter name with pascal case naming style (e.g. ProcessObject)
	PascalCase ParamCaseStyle = 3
	// CamelCase represents parameter names with camel case naming style (e.g. processObject)
	CamelCase ParamCaseStyle = 4
)
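To make the ParamCaseStyle and ParamKVDelimiter semantics concrete, here is an added, self-contained example that is not code from the kevent package: it re-implements the name rendering that Kparams.String documents, converting a stored snake_case parameter name to each case style and joining it to its value with ParamKVDelimiter. The renderName and renderParam functions, the sample parameter values, and the assumption that names are stored in snake_case are this example's own, not the package's API.

```go
package main

import (
	"fmt"
	"strings"
)

type ParamCaseStyle uint8 // mirrors the enumeration documented for kevent

const (
	SnakeCase  ParamCaseStyle = 1
	DotCase    ParamCaseStyle = 2
	PascalCase ParamCaseStyle = 3
	CamelCase  ParamCaseStyle = 4
)

// ParamKVDelimiter is the documented key/value delimiter.
const ParamKVDelimiter = "➜ "

// renderName converts a snake_case parameter name (assumed to be the stored
// canonical form, e.g. process_object) into the requested case style.
func renderName(name string, style ParamCaseStyle) string {
	words := strings.Split(name, "_")
	switch style {
	case DotCase:
		return strings.Join(words, ".")
	case PascalCase, CamelCase:
		var b strings.Builder
		for i, w := range words {
			if w == "" { // tolerate doubled or trailing underscores
				continue
			}
			if i == 0 && style == CamelCase { // first word stays lower-case
				b.WriteString(w)
				continue
			}
			b.WriteString(strings.ToUpper(w[:1]) + w[1:]) // ASCII names assumed
		}
		return b.String()
	}
	return name // SnakeCase (and unknown styles) pass through unchanged
}

// renderParam formats one name/value pair the way Kparams.String describes:
// the name in the active case style, joined to its value by ParamKVDelimiter.
func renderParam(name string, value any, style ParamCaseStyle) string {
	return renderName(name, style) + ParamKVDelimiter + fmt.Sprint(value)
}

func main() { // constructed sample parameter, not real captured event data
	for _, s := range []ParamCaseStyle{SnakeCase, DotCase, PascalCase, CamelCase} {
		fmt.Println(renderParam("process_object", "0xffff8a0", s))
	}
}
```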