dfirtk_eventdata/
event_record_id.rs

1use std::fmt::Display;
2
3use evtx::SerializedEvtxRecord;
4
5use super::EvtxFieldView;
6
7#[derive(PartialEq, Eq, Clone)]
8pub struct EventRecordId (u64);
9
10impl<T> From<&SerializedEvtxRecord<T>> for EventRecordId {
11    fn from(value: &SerializedEvtxRecord<T>) -> Self {
12        Self(value.event_record_id)
13    }
14}
15
16// normally, we'd expect to have the maximum length of u64, but evtx does only store 32bit values,
17// so 10 characters should be fine
18const EVENT_RECORD_ID_MAX_LENGTH: usize = 10;
19impl EvtxFieldView for EventRecordId {
20    fn maximum_display_length(&self) -> usize {
21        EVENT_RECORD_ID_MAX_LENGTH
22    }
23
24    fn value_with_padding(&self) -> String {
25        format!("{:10}", self.0)
26    }
27}
28
29impl From<EventRecordId> for u64 {
30    fn from(me: EventRecordId) -> Self {
31        me.0
32    }
33}
34
35impl From<u64> for EventRecordId {
36    fn from(id: u64) -> Self {
37        Self(id)
38    }
39}
40
41impl Display for EventRecordId {
42    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
43        self.0.fmt(f)
44    }
45}
dfirtk_eventdata/event_record_id.rs

dfirtk_eventdata/
event_record_id.rs
