    def testParse(self):
        """Parses the SysEvent.Evt fixture and checks counts and two events.

        Fixture metadata (Windows Event Log, EVT):
          Version                     : 1.1
          Number of records           : 6063
          Number of recovered records : 438
          Log type                    : System
        """
        evt_parser = winevt.WinEvtParser()
        writer = self._ParseFile(['SysEvent.Evt'], evt_parser)

        number_of_records = 6063
        number_of_recovered_records = 438
        # Each record surfaces twice (a creation-time and a written-time
        # event, as checked below), hence the factor of two in the count.
        self.assertEqual(
            writer.number_of_events,
            (number_of_records + number_of_recovered_records) * 2)
        self.assertEqual(writer.number_of_extraction_warnings, 0)
        self.assertEqual(writer.number_of_recovery_warnings, 0)

        events = list(writer.GetEvents())

        # events[0]: creation-time event of the record detailed below.
        creation_event_values = {
            'date_time': '2011-07-27 06:41:47',
            'timestamp_desc': definitions.TIME_DESCRIPTION_CREATION
        }
        self.CheckEventValues(writer, events[0], creation_event_values)

        # events[1]: written-time event of the same record, as reported by
        # the fixture:
        #   Event number      : 1392
        #   Creation time     : Jul 27, 2011 06:41:47 UTC
        #   Written time      : Jul 27, 2011 06:41:47 UTC
        #   Event type        : Warning event (2)
        #   Computer name     : WKS-WINXP32BIT
        #   Source name       : LSASRV
        #   Event category    : 3
        #   Event identifier  : 0x8000a001 (2147524609)
        #   Number of strings : 2
        #   String: 1         : cifs/CONTROLLER
        #   String: 2         : "The system detected a possible attempt to
        #                       compromise security. Please ensure that you can
        #                       contact the server that authenticated you.\r\n
        #                       (0xc0000388)"
        #
        # The expected event_identifier 40961 equals the low 16 bits of the
        # raw identifier (0x8000a001 & 0xffff == 0xa001 == 40961) and the
        # expected severity 2 equals its top two bits (0x8000a001 >> 30 == 2).
        # This is an LSASRV authentication warning, a record type that matters
        # in forensic review, so its parsed values are pinned exactly.

        # String 2 carries a literal CR LF before the status code.
        written_string2 = (
            '"The system detected a possible attempt to compromise security. '
            'Please ensure that you can contact the server that authenticated you.'
            '\r\n (0xc0000388)"')

        written_event_values = {
            'computer_name': 'WKS-WINXP32BIT',
            'date_time': '2011-07-27 06:41:47',
            'data_type': 'windows:evt:record',
            'event_category': 3,
            'event_identifier': 40961,
            'event_type': 2,
            'record_number': 1392,
            'severity': 2,
            'source_name': 'LSASRV',
            'strings': ['cifs/CONTROLLER', written_string2],
            'timestamp_desc': definitions.TIME_DESCRIPTION_WRITTEN
        }
        self.CheckEventValues(writer, events[1], written_event_values)
  def testParse(self):
    """Parses the SysEvent.Evt fixture and checks counts, fields and messages.

    Fixture metadata (Windows Event Log, EVT):
      Version                     : 1.1
      Number of records           : 6063
      Number of recovered records : 437
      Log type                    : System
    """
    evt_parser = winevt.WinEvtParser()
    writer = self._ParseFile(['SysEvent.Evt'], evt_parser)

    number_of_records = 6063
    number_of_recovered_records = 437
    # Each record surfaces twice (a creation-time and a written-time event,
    # as checked below), hence the factor of two in the count.
    self.assertEqual(
        writer.number_of_events,
        (number_of_records + number_of_recovered_records) * 2)

    events = list(writer.GetEvents())
    creation_event = events[0]
    written_event = events[1]

    self.assertEqual(
        creation_event.timestamp,
        timelib.Timestamp.CopyFromString('2011-07-27 06:41:47'))
    self.assertEqual(
        creation_event.timestamp_desc, definitions.TIME_DESCRIPTION_CREATION)

    # Written-time event of the record, as reported by the fixture:
    #   Event number      : 1392
    #   Creation time     : Jul 27, 2011 06:41:47 UTC
    #   Written time      : Jul 27, 2011 06:41:47 UTC
    #   Event type        : Warning event (2)
    #   Computer name     : WKS-WINXP32BIT
    #   Source name       : LSASRV
    #   Event category    : 3
    #   Event identifier  : 0x8000a001 (2147524609)
    #   Number of strings : 2
    #   String: 1         : cifs/CONTROLLER
    #   String: 2         : "The system detected a possible attempt to
    #                       compromise security. Please ensure that you can
    #                       contact the server that authenticated you.\r\n
    #                       (0xc0000388)"
    #
    # The expected event_identifier 40961 equals the low 16 bits of the raw
    # identifier (0x8000a001 & 0xffff == 0xa001 == 40961). This is an LSASRV
    # authentication warning, a record type that matters in forensic review,
    # so its parsed values are pinned exactly.
    for attribute_name, expected_value in (
        ('record_number', 1392),
        ('event_type', 2),
        ('computer_name', 'WKS-WINXP32BIT'),
        ('source_name', 'LSASRV'),
        ('event_category', 3),
        ('event_identifier', 40961)):
      self.assertEqual(
          getattr(written_event, attribute_name), expected_value)

    self.assertEqual(written_event.strings[0], 'cifs/CONTROLLER')

    # String 2 carries a literal CR LF before the status code.
    expected_string = (
        '"The system detected a possible attempt to compromise security. '
        'Please ensure that you can contact the server that authenticated you.'
        '\r\n (0xc0000388)"')
    self.assertEqual(written_event.strings[1], expected_string)

    self.assertEqual(
        written_event.timestamp,
        timelib.Timestamp.CopyFromString('2011-07-27 06:41:47'))
    self.assertEqual(
        written_event.timestamp_desc, definitions.TIME_DESCRIPTION_WRITTEN)

    # NOTE(review): the formatted message says 'Event Type: Information event'
    # although event_type is 2 (a warning event per the fixture header above);
    # presumably this pins the message formatter's current output — confirm
    # before relying on the event-type wording.
    expected_message = (
        '[40961 / 0xa001] '
        'Severity: Warning '
        'Record Number: 1392 '
        'Event Type: Information event '
        'Event Category: 3 '
        'Source Name: LSASRV '
        'Computer Name: WKS-WINXP32BIT '
        "Strings: ['cifs/CONTROLLER', "
        "'\"The system detected a possible attempt to "
        'compromise security. Please ensure that you can '
        "contact the server that authenticated you. (0xc0000388)\"']")

    expected_short_message = (
        "[40961 / 0xa001] Strings: ['cifs/CONTROLLER', "
        "'\"The system detected a possibl...")

    self._TestGetMessageStrings(
        written_event, expected_message, expected_short_message)
 def setUp(self):
     """Creates a fresh WinEvtParser before each test method runs."""
     # A new instance per test keeps state from one test out of the next.
     self._parser = winevt.WinEvtParser()
 def setUp(self):
     """Creates the parser under test, backed by a fresh PreprocessObject."""
     # NOTE(review): the second positional argument is passed as None; its
     # meaning is not visible here — check WinEvtParser's signature.
     self._parser = winevt.WinEvtParser(event.PreprocessObject(), None)
 def setUp(self):
     """Creates a fresh WinEvtParser before each test method runs."""
     # A new instance per test keeps state from one test out of the next.
     self._parser = winevt.WinEvtParser()
    def testParse(self):
        """Parses the SysEvent.Evt fixture and checks counts, fields and messages.

        Fixture metadata (Windows Event Log, EVT):
          Version                     : 1.1
          Number of records           : 6063
          Number of recovered records : 437
          Log type                    : System
        """
        evt_parser = winevt.WinEvtParser()
        fixture_path = self._GetTestFilePath([u'SysEvent.Evt'])
        consumer = self._ParseFile(evt_parser, fixture_path)
        events = self._GetEventObjectsFromQueue(consumer)

        number_of_records = 6063
        number_of_recovered_records = 437
        # Each record surfaces twice (a creation-time and a written-time
        # event, as checked below), hence the factor of two in the count.
        self.assertEqual(
            len(events),
            (number_of_records + number_of_recovered_records) * 2)

        # events[1]: written-time event of the record, as reported by the
        # fixture:
        #   Event number      : 1392
        #   Creation time     : Jul 27, 2011 06:41:47 UTC
        #   Written time      : Jul 27, 2011 06:41:47 UTC
        #   Event type        : Warning event (2)
        #   Computer name     : WKS-WINXP32BIT
        #   Source name       : LSASRV
        #   Event category    : 3
        #   Event identifier  : 0x8000a001 (2147524609)
        #   Number of strings : 2
        #   String: 1         : cifs/CONTROLLER
        #   String: 2         : "The system detected a possible attempt to
        #                       compromise security. Please ensure that you can
        #                       contact the server that authenticated you.\r\n
        #                       (0xc0000388)"
        #
        # The expected event_identifier 40961 equals the low 16 bits of the
        # raw identifier (0x8000a001 & 0xffff == 0xa001 == 40961). This is an
        # LSASRV authentication warning, a record type that matters in
        # forensic review, so its parsed values are pinned exactly.
        written_event = events[1]
        for attribute_name, expected_value in (
                ('record_number', 1392),
                ('event_type', 2),
                ('computer_name', u'WKS-WINXP32BIT'),
                ('source_name', u'LSASRV'),
                ('event_category', 3),
                ('event_identifier', 40961)):
            self.assertEqual(
                getattr(written_event, attribute_name), expected_value)

        self.assertEqual(written_event.strings[0], u'cifs/CONTROLLER')

        # String 2 carries a literal CR LF before the status code.
        expected_string = (
            u'"The system detected a possible attempt to compromise security. '
            u'Please ensure that you can contact the server that authenticated you.'
            u'\r\n (0xc0000388)"')
        self.assertEqual(written_event.strings[1], expected_string)

        # events[0]: creation-time event of the same record.
        creation_event = events[0]
        self.assertEqual(
            creation_event.timestamp,
            timelib.Timestamp.CopyFromString(u'2011-07-27 06:41:47'))
        self.assertEqual(
            creation_event.timestamp_desc,
            eventdata.EventTimestamp.CREATION_TIME)

        self.assertEqual(
            written_event.timestamp,
            timelib.Timestamp.CopyFromString(u'2011-07-27 06:41:47'))
        self.assertEqual(
            written_event.timestamp_desc,
            eventdata.EventTimestamp.WRITTEN_TIME)

        # NOTE(review): the formatted message says 'Event Type: Information
        # event' although event_type is 2 (a warning event per the fixture
        # header above); presumably this pins the message formatter's current
        # output — confirm before relying on the event-type wording.
        expected_message = (
            u'[40961 / 0xa001] '
            u'Severity: Warning '
            u'Record Number: 1392 '
            u'Event Type: Information event '
            u'Event Category: 3 '
            u'Source Name: LSASRV '
            u'Computer Name: WKS-WINXP32BIT '
            u"Strings: ['cifs/CONTROLLER', "
            u"'\"The system detected a possible attempt to "
            u'compromise security. Please ensure that you can '
            u"contact the server that authenticated you. (0xc0000388)\"']")

        expected_short_message = (
            u"[40961 / 0xa001] Strings: ['cifs/CONTROLLER', "
            u"'\"The system detected a possibl...")

        self._TestGetMessageStrings(
            written_event, expected_message, expected_short_message)