def _dt_to_wmi(self, dt):
''' A wrapper around wmi.from_time to get a WMI-formatted time from a
time struct.
'''
return from_time(year=dt.year, month=dt.month, day=dt.day,
hours=dt.hour, minutes=dt.minute,
seconds=dt.second, microseconds=0, timezone=0)
def test_wql_eventlog_filtering(self):
"""
Format filters with the eventlog expected form to a comprehensive WQL `WHERE` clause.
"""
from checks.libs.wmi import sampler
from datetime import datetime
from checks.wmi_check import from_time
format_filter = sampler.WMISampler._format_filter
filters = []
query = {}
and_props = ["mEssage"]
ltypes = ["Error", "Warning"]
source_names = ["MSSQLSERVER", "IIS"]
log_files = ["System", "Security"]
event_codes = [302, 404, 501]
message_filters = ["-foo", "%bar%", "%zen%"]
last_ts = datetime(2016, 1, 1, 15, 8, 24, 78915)
query["TimeGenerated"] = (">=", from_time(last_ts))
query["Type"] = ("=", "footype")
query["User"] = ("=", "luser")
query["SourceName"] = ("=", "MSSQL")
query["LogFile"] = ("=", "thelogfile")
query["Type"] = []
for ltype in ltypes:
query["Type"].append(("=", ltype))
query["SourceName"] = []
for source_name in source_names:
query["SourceName"].append(("=", source_name))
query["LogFile"] = []
for log_file in log_files:
query["LogFile"].append(("=", log_file))
query["EventCode"] = []
for code in event_codes:
query["EventCode"].append(("=", code))
query["NOT Message"] = []
query["Message"] = []
for filt in message_filters:
if filt[0] == "-":
query["NOT Message"].append(("LIKE", filt[1:]))
else:
query["Message"].append(("LIKE", filt))
filters.append(query)
self.assertEquals(
" WHERE ( NOT Message LIKE 'foo' AND ( EventCode = '302' OR EventCode = '404' OR EventCode = '501' ) "
"AND ( SourceName = 'MSSQLSERVER' OR SourceName = 'IIS' ) AND TimeGenerated >= '2016-01-01 15:08:24.078915**********.******+' "
"AND User = '******' AND Message LIKE '%bar%' AND Message LIKE '%zen%' AND ( LogFile = 'System' OR LogFile = 'Security' ) "
"AND ( Type = 'Error' OR Type = 'Warning' ) )",
format_filter(filters, and_props),
)
def _dt_to_wmi(self, dt):
''' A wrapper around wmi.from_time to get a WMI-formatted time from a
time struct.
'''
return from_time(year=dt.year, month=dt.month, day=dt.day,
hours=dt.hour, minutes=dt.minute,
seconds=dt.second, microseconds=0, timezone=0)
def test_wql_eventlog_filtering(self):
"""
Format filters with the eventlog expected form to a comprehensive WQL `WHERE` clause.
"""
from checks.libs.wmi import sampler
from datetime import datetime
from checks.wmi_check import from_time
format_filter = sampler.WMISampler._format_filter
filters = []
query = {}
and_props = ['mEssage']
ltypes = ["Error", "Warning"]
source_names = ["MSSQLSERVER", "IIS"]
log_files = ["System", "Security"]
event_codes = [302, 404, 501]
message_filters = ["-foo", "%bar%", "%zen%"]
last_ts = datetime(2016, 1, 1, 15, 8, 24, 78915)
query['TimeGenerated'] = ('>=', from_time(last_ts))
query['Type'] = ('=', 'footype')
query['User'] = ('=', 'luser')
query['SourceName'] = ('=', 'MSSQL')
query['LogFile'] = ('=', 'thelogfile')
query['Type'] = []
for ltype in ltypes:
query['Type'].append(('=', ltype))
query['SourceName'] = []
for source_name in source_names:
query['SourceName'].append(('=', source_name))
query['LogFile'] = []
for log_file in log_files:
query['LogFile'].append(('=', log_file))
query['EventCode'] = []
for code in event_codes:
query['EventCode'].append(('=', code))
query['NOT Message'] = []
query['Message'] = []
for filt in message_filters:
if filt[0] == '-':
query['NOT Message'].append(('LIKE', filt[1:]))
else:
query['Message'].append(('LIKE', filt))
filters.append(query)
self.assertEquals(
" WHERE ( NOT Message LIKE 'foo' AND ( EventCode = '302' OR EventCode = '404' OR EventCode = '501' ) "
"AND ( SourceName = 'MSSQLSERVER' OR SourceName = 'IIS' ) AND TimeGenerated >= '2016-01-01 15:08:24.078915**********.******+' "
"AND User = '******' AND Message LIKE '%bar%' AND Message LIKE '%zen%' AND ( LogFile = 'System' OR LogFile = 'Security' ) "
"AND ( Type = 'Error' OR Type = 'Warning' ) )",
format_filter(filters, and_props))
def _dt_to_wmi(self, dt):
return from_time(year=dt.year, month=dt.month, day=dt.day,
hours=dt.hour, minutes=dt.minute,
seconds=dt.second, microseconds=0, timezone=0)