feat(alertsender,eventlog): Allow events in JSON format

This change allows to configure the eventlog
alertsender to emit the alerts in JSON format.

Author: rabbitstack

cmd/systray/main_windows.go

@@ -22,6 +22,12 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"io"
+	"net"
+	"os"
+	"path/filepath"
+	"unsafe"
+
 	"github.com/Microsoft/go-winio"
 	"github.com/mitchellh/mapstructure"
 	"github.com/rabbitstack/fibratus/pkg/alertsender"
@@ -31,11 +37,6 @@ import (
 	"github.com/rabbitstack/fibratus/pkg/util/signals"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/sys/windows"
-	"io"
-	"net"
-	"os"
-	"path/filepath"
-	"unsafe"
 )
 
 const systrayPipe = `\\.\pipe\fibratus-systray`
@@ -65,6 +66,7 @@ func (m Msg) decode(output any) error {
 		DecodeHook: mapstructure.ComposeDecodeHookFunc(
 			mapstructure.StringToTimeDurationHookFunc(),
 			mapstructure.StringToSliceHookFunc(","),
+			alertsender.StringToSeverityDecodeHook(),
 		),
 	}
 	decoder, err := mapstructure.NewDecoder(decoderConfig)

configs/fibratus.yml

@@ -86,6 +86,9 @@ alertsenders:
     # in the log message.
     verbose: true
 
+     # Specifies the eventlog record format for the alert. Can be pretty|json
+    format: pretty
+
 # =============================== API ==================================================
 
 # Settings that influence the behaviour of the HTTP server that exposes a number of endpoints such as

pkg/alertsender/alert.go

@@ -21,11 +21,14 @@ package alertsender
 import (
 	"bytes"
 	"fmt"
+	"reflect"
+	"strings"
+
+	"github.com/mitchellh/mapstructure"
 	"github.com/rabbitstack/fibratus/pkg/event"
 	"github.com/yuin/goldmark"
 	"github.com/yuin/goldmark/extension"
 	"github.com/yuin/goldmark/renderer/html"
-	"strings"
 )
 
 // Severity is the type alias for alert's severity level.
@@ -58,6 +61,26 @@ func (s Severity) String() string {
 	}
 }
 
+// StringToSeverityDecodeHook converts severity string to integer.
+func StringToSeverityDecodeHook() mapstructure.DecodeHookFuncType {
+	return func(
+		from reflect.Type,
+		to reflect.Type,
+		data any,
+	) (any, error) {
+
+		if from.Kind() != reflect.String {
+			return data, nil
+		}
+
+		if to != reflect.TypeOf(Severity(0)) {
+			return data, nil
+		}
+
+		return ParseSeverityFromString(data.(string)), nil
+	}
+}
+
 // ParseSeverityFromString parses the severity from the string representation.
 func ParseSeverityFromString(sever string) Severity {
 	switch sever {

pkg/alertsender/eventlog/config.go

@@ -25,6 +25,10 @@ import (
 const (
 	enabled = "alertsenders.eventlog.enabled"
 	verbose = "alertsenders.eventlog.verbose"
+	format  = "alertsenders.eventlog.format"
+
+	prettyFormat = "pretty"
+	jsonFormat   = "json"
 )
 
 // Config defines the configuration for the eventlog sender.
@@ -35,10 +39,14 @@ type Config struct {
 	// event context, including parameters and the process
 	// state are included in the log message.
 	Verbose bool `mapstructure:"verbose"`
+	// Format specifies the eventlog record format for the alert.
+	// Can be pretty or json.
+	Format string `mapstructure:"format"`
 }
 
 // AddFlags registers persistent flags.
 func AddFlags(flags *pflag.FlagSet) {
 	flags.Bool(enabled, true, "Indicates if eventlog alert sender is enabled")
 	flags.Bool(verbose, true, "Enables/disables the verbose mode. In verbose mode, the full event context, including all parameters and the process information are included in the log message")
+	flags.String(format, "pretty", "Specifies the eventlog record format for the alert. Can be pretty|json")
 }

pkg/alertsender/eventlog/eventlog.go

@@ -19,13 +19,15 @@
 package eventlog
 
 import (
+	"encoding/json"
 	"errors"
 	"fmt"
+	"hash/crc32"
+	"strings"
+
 	"github.com/rabbitstack/fibratus/pkg/alertsender"
 	evlog "github.com/rabbitstack/fibratus/pkg/util/eventlog"
 	"golang.org/x/sys/windows"
-	"hash/crc32"
-	"strings"
 )
 
 const minIDChars = 12
@@ -83,7 +85,19 @@ func (s *eventlog) Send(alert alertsender.Alert) error {
 		code = uint16(h & 0xFFFF)
 	}
 
-	msg := alert.String(s.config.Verbose)
+	// build the eventlog event
+	var msg string
+	switch s.config.Format {
+	case prettyFormat:
+		msg = alert.String(s.config.Verbose)
+	case jsonFormat:
+		b, err := json.MarshalIndent(alert, "", "  ")
+		if err != nil {
+			return err
+		}
+		msg = string(b)
+	}
+
 	// trim null characters to avoid
 	// UTF16PtrFromString complaints
 	msg = strings.ReplaceAll(msg, "\x00", "")

pkg/alertsender/eventlog/eventlog_test.go

@@ -19,6 +19,9 @@
 package eventlog
 
 import (
+	"testing"
+	"time"
+
 	"github.com/rabbitstack/fibratus/pkg/alertsender"
 	"github.com/rabbitstack/fibratus/pkg/event"
 	"github.com/rabbitstack/fibratus/pkg/event/params"
@@ -28,12 +31,10 @@ import (
 	"github.com/rabbitstack/fibratus/pkg/util/va"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/sys/windows"
-	"testing"
-	"time"
 )
 
 func TestEventlogSender(t *testing.T) {
-	s, err := alertsender.Load(alertsender.Config{Type: alertsender.Eventlog, Sender: Config{Verbose: true, Enabled: true}})
+	s, err := alertsender.Load(alertsender.Config{Type: alertsender.Eventlog, Sender: Config{Verbose: true, Enabled: true, Format: prettyFormat}})
 	require.NoError(t, err)
 	require.NotNil(t, s)
 

pkg/alertsender/systray/systray_test.go

@@ -20,15 +20,16 @@ package systray
 
 import (
 	"encoding/json"
+	"io"
+	"net"
+	"sync"
+	"testing"
+
 	"github.com/Microsoft/go-winio"
 	"github.com/mitchellh/mapstructure"
 	"github.com/rabbitstack/fibratus/pkg/alertsender"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"io"
-	"net"
-	"sync"
-	"testing"
 )
 
 func handleMessage(t *testing.T, conn net.Conn, wg *sync.WaitGroup, msgs chan Msg) {
@@ -107,6 +108,7 @@ func decodeMsg(output any, data any) error {
 		DecodeHook: mapstructure.ComposeDecodeHookFunc(
 			mapstructure.StringToTimeDurationHookFunc(),
 			mapstructure.StringToSliceHookFunc(","),
+			alertsender.StringToSeverityDecodeHook(),
 		),
 	}
 	decoder, err := mapstructure.NewDecoder(decoderConfig)

pkg/config/config.schema.json

@@ -155,6 +155,10 @@
                 },
                 "verbose": {
                   "type": "boolean"
+                },
+                "format": {
+                  "type": "string",
+                  "enum": ["pretty", "json"]
                 }
               },
               "additionalProperties": false