[CWS] improve windows logs (#35093)

safchain · arbll · commit 57f489154889 · 2025-03-19T13:16:48.000+01:00
diff --git a/pkg/security/probe/probe_kernel_file_windows.go b/pkg/security/probe/probe_kernel_file_windows.go
@@ -221,10 +221,10 @@ func (wp *WindowsProbe) parseCreateNewFileArgs(e *etw.DDEventRecord) (*createNew
 func (ca *createHandleArgs) string(t string) string {
 	var output strings.Builder
 
-	output.WriteString(t + " PID: " + strconv.Itoa(int(ca.ProcessID)) + "\n")
-	output.WriteString("         Name: " + ca.fileName + "\n")
-	output.WriteString("         Opts: " + strconv.FormatUint(uint64(ca.createOptions), 16) + " Share: " + strconv.FormatUint(uint64(ca.shareAccess), 16) + "\n")
-	output.WriteString("         OBJ:  " + strconv.FormatUint(uint64(ca.fileObject), 16) + "\n")
+	output.WriteString(t + " PID: " + strconv.Itoa(int(ca.ProcessID)) + ", ")
+	output.WriteString("Name: " + ca.fileName + ", ")
+	output.WriteString("Opts: " + strconv.FormatUint(uint64(ca.createOptions), 16) + " Share: " + strconv.FormatUint(uint64(ca.shareAccess), 16) + ",")
+	output.WriteString("Obj: " + strconv.FormatUint(uint64(ca.fileObject), 16))
 
 	return output.String()
 }
@@ -316,11 +316,11 @@ func (wp *WindowsProbe) parseInformationArgs(e *etw.DDEventRecord) (*setInformat
 func (sia *setInformationArgs) string(t string) string {
 	var output strings.Builder
 
-	output.WriteString(t + " TID: " + strconv.Itoa(int(sia.threadID)) + "\n")
-	output.WriteString("      Name: " + sia.fileName + "\n")
-	output.WriteString("      InfoClass: " + strconv.FormatUint(uint64(sia.infoClass), 16) + "\n")
-	output.WriteString("         OBJ:  " + strconv.FormatUint(uint64(sia.fileObject), 16) + "\n")
-	output.WriteString("         KEY:  " + strconv.FormatUint(uint64(sia.fileKey), 16) + "\n")
+	output.WriteString(t + " TID: " + strconv.Itoa(int(sia.threadID)) + ", ")
+	output.WriteString("Name: " + sia.fileName + ", ")
+	output.WriteString("InfoClass: " + strconv.FormatUint(uint64(sia.infoClass), 16) + ", ")
+	output.WriteString("Obj: " + strconv.FormatUint(uint64(sia.fileObject), 16) + ", ")
+	output.WriteString("Key: " + strconv.FormatUint(uint64(sia.fileKey), 16))
 
 	return output.String()
 
@@ -473,10 +473,10 @@ func (wp *WindowsProbe) parseFlushArgs(e *etw.DDEventRecord) (*flushArgs, error)
 func (ca *cleanupArgs) string(t string) string {
 	var output strings.Builder
 
-	output.WriteString(t + ": TID: " + strconv.Itoa(int(ca.threadID)) + "\n")
-	output.WriteString("           Name: " + ca.fileName + "\n")
-	output.WriteString("         OBJ:  " + strconv.FormatUint(uint64(ca.fileObject), 16) + "\n")
-	output.WriteString("         KEY:  " + strconv.FormatUint(uint64(ca.fileKey), 16) + "\n")
+	output.WriteString(t + ": TID: " + strconv.Itoa(int(ca.threadID)) + ", ")
+	output.WriteString("Name: " + ca.fileName + ", ")
+	output.WriteString("Obj: " + strconv.FormatUint(uint64(ca.fileObject), 16) + ", ")
+	output.WriteString("Key: " + strconv.FormatUint(uint64(ca.fileKey), 16))
 	return output.String()
 
 }
@@ -511,7 +511,7 @@ type readArgs struct {
 }
 type writeArgs readArgs
 
-func (wp *WindowsProbe) parseReadArgs(e *etw.DDEventRecord) (*readArgs, error) {
+func (wp *WindowsProbe) parseReadWriteArgs(e *etw.DDEventRecord) (*readArgs, error) {
 	ra := &readArgs{
 		DDEventHeader: e.EventHeader,
 	}
@@ -554,11 +554,11 @@ func (wp *WindowsProbe) parseReadArgs(e *etw.DDEventRecord) (*readArgs, error) {
 func (ra *readArgs) string(t string) string {
 	var output strings.Builder
 
-	output.WriteString(t + ": PID: " + strconv.Itoa(int(ra.DDEventHeader.ProcessID)) + "\n")
-	output.WriteString("        fo: " + strconv.FormatUint(uint64(ra.fileObject), 16) + "\n")
-	output.WriteString("        fk: " + strconv.FormatUint(uint64(ra.fileKey), 16) + "\n")
-	output.WriteString("        Name: " + ra.fileName + "\n")
-	output.WriteString("        Size: " + strconv.FormatUint(uint64(ra.IOSize), 16) + "\n")
+	output.WriteString(t + ": PID: " + strconv.Itoa(int(ra.DDEventHeader.ProcessID)) + ", ")
+	output.WriteString("Obj: " + strconv.FormatUint(uint64(ra.fileObject), 16) + ", ")
+	output.WriteString("Key: " + strconv.FormatUint(uint64(ra.fileKey), 16) + ", ")
+	output.WriteString("Name: " + ra.fileName + ", ")
+	output.WriteString("Size: " + strconv.FormatUint(uint64(ra.IOSize), 16))
 	return output.String()
 
 }
@@ -569,7 +569,7 @@ func (ra *readArgs) String() string {
 }
 
 func (wp *WindowsProbe) parseWriteArgs(e *etw.DDEventRecord) (*writeArgs, error) {
-	wa, err := wp.parseReadArgs(e)
+	wa, err := wp.parseReadWriteArgs(e)
 	if err != nil {
 		return nil, err
 	}
@@ -660,10 +660,10 @@ func (wp *WindowsProbe) parseDeletePathArgs(e *etw.DDEventRecord) (*deletePathAr
 func (dpa *deletePathArgs) string(t string) string {
 	var output strings.Builder
 
-	output.WriteString(t + ": PID: " + strconv.Itoa(int(dpa.ProcessID)) + "\n")
-	output.WriteString("        Name: " + dpa.filePath + "\n")
-	output.WriteString("        OBJ: " + strconv.FormatUint(uint64(dpa.fileObject), 16) + "\n")
-	output.WriteString("        KEY: " + strconv.FormatUint(uint64(dpa.fileKey), 16) + "\n")
+	output.WriteString(t + ": PID: " + strconv.Itoa(int(dpa.ProcessID)) + ", ")
+	output.WriteString("Name: " + dpa.filePath + ", ")
+	output.WriteString("Obj: " + strconv.FormatUint(uint64(dpa.fileObject), 16) + ", ")
+	output.WriteString("Key: " + strconv.FormatUint(uint64(dpa.fileKey), 16))
 	return output.String()
 
 }
@@ -733,8 +733,8 @@ func (wp *WindowsProbe) parseNameCreateArgs(e *etw.DDEventRecord) (*nameCreateAr
 func (ca *nameCreateArgs) string(t string) string {
 	var output strings.Builder
 
-	output.WriteString(t + ": KEY: " + strconv.FormatUint(uint64(ca.fileKey), 16) + "\n")
-	output.WriteString("        Name: " + ca.fileName + "\n")
+	output.WriteString(t + ": Key: " + strconv.FormatUint(uint64(ca.fileKey), 16) + ", ")
+	output.WriteString("Name: " + ca.fileName)
 	return output.String()
 
 }
diff --git a/pkg/security/probe/probe_kernel_reg_windows.go b/pkg/security/probe/probe_kernel_reg_windows.go
@@ -197,13 +197,13 @@ func (cka *createKeyArgs) String() string {
 
 	var output strings.Builder
 
-	output.WriteString("  PID: " + strconv.Itoa(int(cka.ProcessID)) + "\n")
-	output.WriteString("  Status: " + strconv.Itoa(int(cka.status)) + " Disposition: " + strconv.Itoa(int(cka.disposition)) + "\n")
-	output.WriteString("  baseObject: " + strconv.FormatUint(uint64(cka.baseObject), 16) + "\n")
-	output.WriteString("  keyObject: " + strconv.FormatUint(uint64(cka.keyObject), 16) + "\n")
-	output.WriteString("  basename: " + cka.baseName + "\n")
-	output.WriteString("  relativename: " + cka.relativeName + "\n")
-	output.WriteString("  computedfullpath: " + cka.computedFullPath + "\n")
+	output.WriteString("PID: " + strconv.Itoa(int(cka.ProcessID)) + ", ")
+	output.WriteString("Status: " + strconv.Itoa(int(cka.status)) + " Disposition: " + strconv.Itoa(int(cka.disposition)) + ", ")
+	output.WriteString("BaseObject: " + strconv.FormatUint(uint64(cka.baseObject), 16) + ", ")
+	output.WriteString("KeyObject: " + strconv.FormatUint(uint64(cka.keyObject), 16) + ", ")
+	output.WriteString("Basename: " + cka.baseName + ", ")
+	output.WriteString("Relativename: " + cka.relativeName + ", ")
+	output.WriteString("Computedfullpath: " + cka.computedFullPath)
 	return output.String()
 }
 
@@ -262,10 +262,10 @@ func (wp *WindowsProbe) parseSetSecurityKeyArgs(e *etw.DDEventRecord) (*setSecur
 func (dka *deleteKeyArgs) String() string {
 	var output strings.Builder
 
-	output.WriteString("  PID: " + strconv.Itoa(int(dka.ProcessID)) + "\n")
-	output.WriteString("  Status: " + strconv.Itoa(int(dka.status)) + "\n")
-	output.WriteString("  keyName: " + dka.keyName + "\n")
-	output.WriteString("  resolved path: " + dka.computedFullPath + "\n")
+	output.WriteString("PID: " + strconv.Itoa(int(dka.ProcessID)) + ", ")
+	output.WriteString("Status: " + strconv.Itoa(int(dka.status)) + ", ")
+	output.WriteString("KeyName: " + dka.keyName + "\n")
+	output.WriteString("Resolved path: " + dka.computedFullPath)
 
 	//output.WriteString("  CapturedSize: " + strconv.Itoa(int(sv.capturedPreviousDataSize)) + " pvssize: " + strconv.Itoa(int(sv.previousDataSize)) + " capturedpvssize " + strconv.Itoa(int(sv.capturedPreviousDataSize)) + "\n")
 	return output.String()
@@ -351,12 +351,12 @@ func (wp *WindowsProbe) parseSetValueKey(e *etw.DDEventRecord) (*setValueKeyArgs
 func (sv *setValueKeyArgs) String() string {
 	var output strings.Builder
 
-	output.WriteString("  PID: " + strconv.Itoa(int(sv.ProcessID)) + "\n")
-	output.WriteString("  Status: " + strconv.Itoa(int(sv.status)) + " dataType: " + strconv.Itoa(int(sv.dataType)) + " dataSize " + strconv.Itoa(int(sv.dataSize)) + "\n")
-	output.WriteString("  keyObject: " + strconv.FormatUint(uint64(sv.keyObject), 16) + "\n")
-	output.WriteString("  keyName: " + sv.keyName + "\n")
-	output.WriteString("  valueName: " + sv.valueName + "\n")
-	output.WriteString("  computed path: " + sv.computedFullPath + "\n")
+	output.WriteString("PID: " + strconv.Itoa(int(sv.ProcessID)) + ", ")
+	output.WriteString("Status: " + strconv.Itoa(int(sv.status)) + " dataType: " + strconv.Itoa(int(sv.dataType)) + " dataSize " + strconv.Itoa(int(sv.dataSize)) + ", ")
+	output.WriteString("KeyObject: " + strconv.FormatUint(uint64(sv.keyObject), 16) + ", ")
+	output.WriteString("KeyName: " + sv.keyName + ", ")
+	output.WriteString("CalueName: " + sv.valueName + ", ")
+	output.WriteString("Computed path: " + sv.computedFullPath)
 
 	//output.WriteString("  CapturedSize: " + strconv.Itoa(int(sv.capturedPreviousDataSize)) + " pvssize: " + strconv.Itoa(int(sv.previousDataSize)) + " capturedpvssize " + strconv.Itoa(int(sv.capturedPreviousDataSize)) + "\n")
 	return output.String()
diff --git a/pkg/security/probe/probe_windows.go b/pkg/security/probe/probe_windows.go
