filename = os.path.basename(filename.replace("\\", "/")) dbh.execute( "insert into EventMessageSources set filename=%r, source=%r", (filename, appname)) print "Added source '%s' as file %r" % (appname, filename) except (KeyError, DB.DBError): pass elif config.mode == 'event': import FileFormats.EVTLog as EVTLog dbh = DB.DBO() for filename in config.args: fd = open(filename) b = Buffer(fd=fd) header = EVTLog.Header(b) b = b[header.size():] while 1: try: event = EVTLog.Event(b) source = event['Source'].get_value() machine = event['Machine'].get_value() ## Find the filename for this source: dbh.execute( "select filename from EventMessageSources where source=%r", source) row = dbh.fetch() if row:
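def get_fields(self):
    """Yield one row dict per record in every event log listed in self.datafile.

    Each input is opened through IO.open_URL, the EVT header is skipped and
    records are consumed one EVTLog.Event at a time until EVTLog.Event raises
    IOError (taken to mean the buffer is exhausted).  Every yielded row has
    the keys ``_time`` (an SQL ``from_unixtime(...)`` expression built from
    the record's TimeGenerated value), ``message`` (the rendered message, or
    a diagnostic string when its format string cannot be resolved), ``event``,
    ``Source`` and ``record``, plus ``arg1``..``arg3`` for whichever of the
    first three insertion strings the record carries.

    Raises:
        IOError: if ``self.datafile`` has not been set.
    """
    if self.datafile is None:
        raise IOError("Datafile is not set!!!")
    print("Datafile %s" % (self.datafile,))

    def resolve_message(dbh, source, event):
        """Look up and render the message text for one event record.

        ``source`` and ``event['Strings']`` are taken straight from the log
        file and are therefore untrusted.  The ``%r`` placeholders are
        expanded by DB.DBO.execute, not here -- NOTE(review): confirm that
        layer quotes and escapes its arguments rather than doing plain
        string interpolation.
        """
        ## Find the filename for this source:
        dbh.execute(
            "select filename from EventMessageSources where source=%r",
            source)
        row = dbh.fetch()
        if not row:
            ## Filename not found for this source:
            return "Unable to locate file for source %s. Maybe you need to run EventLogTool with the --reg flag on the SYSTEM registry hive? Parameters are: %s " % (source, event['Strings'])
        dbh.execute(
            "select message from EventMessages where filename=%r and message_id=%r",
            (row['filename'], event['EventID'].get_value()))
        row = dbh.fetch()
        if not row:
            ## Message not found
            return "Unable to find message format string (Maybe file was not loaded with --mode=dll?). Parameters are: %s" % event['Strings']
        return EVTLog.format_message(row['message'], event['Strings'])

    for path in self.datafile:
        ## open the file as a url:
        fd = IO.open_URL(path)
        ## One DBO per input file, as before; DB.DBO is assumed to manage its
        ## own connection lifetime since nothing here closes it.
        dbh = DB.DBO()
        buf = Buffer(fd=fd)
        header = EVTLog.Header(buf)
        buf = buf[header.size():]
        while True:
            ## The try spans the whole record so that an IOError from any
            ## step ends this file, exactly as the original loop did.
            try:
                event = EVTLog.Event(buf)
                message = resolve_message(dbh, event['Source'].get_value(), event)
                buf = buf[event.size():]
                strings = event['Strings']
                result = dict(
                    ## NOTE(review): TimeGenerated is interpolated into an SQL
                    ## expression unquoted -- assumed to be an integer from the
                    ## parser, confirm before trusting it on other inputs.
                    _time="from_unixtime('%s')" % event['TimeGenerated'].get_value(),
                    message=message,
                    event=event['EventID'].get_value(),
                    Source=event['Source'].get_value(),
                    record=event['RecordNumber'].get_value(),
                )
                ## Records carry a variable number of insertion strings; the
                ## first three are exported and missing ones are simply left
                ## out.  Catch Exception rather than everything so that
                ## KeyboardInterrupt/SystemExit still propagate.
                for index in range(3):
                    try:
                        result['arg%d' % (index + 1)] = strings[index].get_value()
                    except Exception:
                        pass
                yield result
            except IOError:
                break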
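def get_fields(self):
    """Yield one row dict per record in every event log listed in self.datafile.

    Each input is opened through IO.open_URL, the EVT header is skipped and
    records are consumed one EVTLog.Event at a time until EVTLog.Event raises
    IOError (taken to mean the buffer is exhausted).  Every yielded row has
    the keys ``_time`` (an SQL ``from_unixtime(...)`` expression built from
    the record's TimeGenerated value), ``message`` (the rendered message, or
    a diagnostic string when its format string cannot be resolved), ``event``,
    ``Source`` and ``record``, plus ``arg1``..``arg3`` for whichever of the
    first three insertion strings the record carries.

    Raises:
        IOError: if ``self.datafile`` has not been set.
    """
    if self.datafile is None:
        raise IOError("Datafile is not set!!!")
    print("Datafile %s" % (self.datafile, ))

    def resolve_message(dbh, source, event):
        """Look up and render the message text for one event record.

        ``source`` and ``event['Strings']`` are taken straight from the log
        file and are therefore untrusted.  The ``%r`` placeholders are
        expanded by DB.DBO.execute, not here -- NOTE(review): confirm that
        layer quotes and escapes its arguments rather than doing plain
        string interpolation.
        """
        ## Find the filename for this source:
        dbh.execute(
            "select filename from EventMessageSources where source=%r",
            source)
        row = dbh.fetch()
        if not row:
            ## Filename not found for this source:
            return "Unable to locate file for source %s. Maybe you need to run EventLogTool with the --reg flag on the SYSTEM registry hive? Parameters are: %s " % (
                source, event['Strings'])
        dbh.execute(
            "select message from EventMessages where filename=%r and message_id=%r",
            (row['filename'], event['EventID'].get_value()))
        row = dbh.fetch()
        if not row:
            ## Message not found
            return "Unable to find message format string (Maybe file was not loaded with --mode=dll?). Parameters are: %s" % event[
                'Strings']
        return EVTLog.format_message(row['message'], event['Strings'])

    for path in self.datafile:
        ## open the file as a url:
        fd = IO.open_URL(path)
        ## One DBO per input file, as before; DB.DBO is assumed to manage its
        ## own connection lifetime since nothing here closes it.
        dbh = DB.DBO()
        buf = Buffer(fd=fd)
        header = EVTLog.Header(buf)
        buf = buf[header.size():]
        while True:
            ## The try spans the whole record so that an IOError from any
            ## step ends this file, exactly as the original loop did.
            try:
                event = EVTLog.Event(buf)
                message = resolve_message(
                    dbh, event['Source'].get_value(), event)
                buf = buf[event.size():]
                strings = event['Strings']
                result = dict(
                    ## NOTE(review): TimeGenerated is interpolated into an SQL
                    ## expression unquoted -- assumed to be an integer from the
                    ## parser, confirm before trusting it on other inputs.
                    _time="from_unixtime('%s')" % event['TimeGenerated'].get_value(),
                    message=message,
                    event=event['EventID'].get_value(),
                    Source=event['Source'].get_value(),
                    record=event['RecordNumber'].get_value(),
                )
                ## Records carry a variable number of insertion strings; the
                ## first three are exported and missing ones are simply left
                ## out.  Catch Exception rather than everything so that
                ## KeyboardInterrupt/SystemExit still propagate.
                for index in range(3):
                    try:
                        result['arg%d' % (index + 1)] = strings[index].get_value()
                    except Exception:
                        pass
                yield result
            except IOError:
                break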
b=b[header.size():] while 1: try: event = EVTLog.Event(b) source = event['Source'].get_value() machine = event['Machine'].get_value() ## Find the filename for this source: dbh.execute("select filename from EventMessageSources where source=%r", source) row=dbh.fetch() if row: dbh.execute("select message from EventMessages where filename=%r and message_id=%r", (row['filename'], event['EventID'].get_value())) row = dbh.fetch() if row: message=EVTLog.format_message(row['message'],event['Strings']) ## Message not found else: message="Unable to find message format string (Maybe file was not loaded with --mode=dll?). Parameters are: %s" % event['Strings'] ## Filename not found for this source: else: message="Unable to locate file for source %s. Maybe you need to run EventLogTool with the --reg flag on the SYSTEM registry hive? Parameters are: %s " % (source,event['Strings']) print "%s '%s' %s %s %s" % (event['TimeGenerated'],event['Source'],event['EventType'], event['Machine'],message) b=b[event.size():] except IOError,e: ## print e break