Exemple #1
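 def _LoadUserActivity(self, start_time, end_time, token):
     """Yield (username, timestamp) pairs for audited activity.

     Args:
       start_time: Lower bound of the reporting window.
       end_time: Upper bound of the reporting window.
       token: Access token handed to the legacy audit-log reader.

     Yields:
       (username, timestamp) tuples, one per relational audit entry or
       per legacy audit event.
     """
     if data_store.RelationalDBReadEnabled():
         # Bound the query on both sides. With only min_timestamp the
         # end_time argument was silently ignored on this path, so the
         # report could include entries newer than the requested window.
         for entry in data_store.REL_DB.ReadAPIAuditEntries(
                 min_timestamp=start_time, max_timestamp=end_time):
             yield entry.username, entry.timestamp
     else:
         # The legacy lookup starts AUDIT_ROLLOVER_TIME before start_time
         # (presumably so a log file opened before the window is still
         # read -- confirm against audit.LegacyAuditLogsForTimespan).
         # Events are yielded without a timestamp check here, so a caller
         # that needs an exact window has to filter the results itself.
         for fd in audit.LegacyAuditLogsForTimespan(
                 start_time=start_time - audit.AUDIT_ROLLOVER_TIME,
                 end_time=end_time,
                 token=token):
             for event in fd.GenerateItems():
                 yield event.user, event.timestamp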
Exemple #2
 def _LoadUserActivity(self, start_time, end_time, token):
     """Yield (user, time key, count) triples for audited activity.

     Args:
       start_time: Lower bound of the reporting window.
       end_time: Upper bound of the reporting window.
       token: Access token handed to the legacy audit-log reader.

     Yields:
       Three-element tuples. On the relational path these are
       (username, day, count) taken from the pre-aggregated counts; on
       the legacy path each event yields (user, timestamp, 1).
     """
     if not data_store.RelationalDBReadEnabled():
         # Legacy path: one record per event, each counted once. The
         # second element is the raw event timestamp rather than a day
         # key, and no timestamp filtering happens here even though the
         # lookup starts AUDIT_ROLLOVER_TIME before start_time.
         legacy_logs = audit.LegacyAuditLogsForTimespan(
             start_time=start_time - audit.AUDIT_ROLLOVER_TIME,
             end_time=end_time,
             token=token)
         for log in legacy_logs:
             for item in log.GenerateItems():
                 yield item.user, item.timestamp, 1
         return

     # Relational path: the datastore aggregates per (username, day).
     per_user_day = data_store.REL_DB.CountAPIAuditEntriesByUserAndDay(
         min_timestamp=start_time, max_timestamp=end_time)
     for key, total in iteritems(per_user_day):
         username, day = key
         yield username, day, total
Exemple #3
def GetAuditLogEntries(offset, now, token):
    """Yield the audit events recorded strictly between now-offset and now.

    Args:
      offset: rdfvalue.Duration how far back to look in time
      now: rdfvalue.RDFDatetime for current time
      token: GRR access token

    Yields:
      AuditEvents whose timestamp lies in the open interval
      (now - offset, now); events exactly on either boundary are skipped.
    """
    window_start = now - offset
    # Logs are looked up from AUDIT_ROLLOVER_TIME before the window, so
    # the explicit timestamp check below is what enforces the window.
    lookup_start = window_start - audit.AUDIT_ROLLOVER_TIME

    for log in audit.LegacyAuditLogsForTimespan(lookup_start, now, token):
        for entry in log.GenerateItems():
            if not window_start < entry.timestamp < now:
                continue
            yield entry
Exemple #4
    def _LoadUserActivity(self, token):
        """Yield (username, timestamp) pairs for the last self.WEEKS weeks.

        Args:
          token: Access token handed to the legacy audit-log reader.

        Yields:
          (username, timestamp) tuples, one per relational audit entry
          or per legacy audit event.
        """
        one_week = rdfvalue.Duration("7d")
        report_end = rdfvalue.RDFDatetime.Now()
        report_start = report_end - one_week * self.WEEKS

        if not data_store.RelationalDBReadEnabled():
            # Legacy path: the lookup starts AUDIT_ROLLOVER_TIME before
            # the report window and events are not filtered by
            # timestamp here.
            legacy_logs = audit.LegacyAuditLogsForTimespan(
                start_time=report_start - audit.AUDIT_ROLLOVER_TIME,
                end_time=report_end,
                token=token)
            for log in legacy_logs:
                for item in log.GenerateItems():
                    yield item.user, item.timestamp
            return

        # Relational path: only a lower bound is passed to the query.
        entries = data_store.REL_DB.ReadAPIAuditEntries(
            min_timestamp=report_start)
        for record in entries:
            yield record.username, record.timestamp
Exemple #5
  def testAuditLogsForTimespan(self):
    """Only audit logs written inside the queried timespan are returned."""
    stale_time = rdfvalue.RDFDatetime.Now() - rdfvalue.Duration("2w")
    # One entry is written two weeks in the past; it must not show up
    # when only the last day is queried.
    with test_lib.FakeTime(stale_time):
      AddFakeAuditLog("Fake outdated audit log.", token=self.token)
    for text in ("Fake audit description foo.",
                 "Fake audit description bar."):
      AddFakeAuditLog(text, token=self.token)

    window_start = rdfvalue.RDFDatetime.Now() - rdfvalue.Duration("1d")
    window_end = rdfvalue.RDFDatetime.Now()
    found = {}
    for log in audit.LegacyAuditLogsForTimespan(
        window_start, window_end, token=self.token):
      for item in log.GenerateItems():
        # Keyed by description; a repeated description keeps the last event.
        found[item.description] = item

    for expected in ("Fake audit description foo.",
                     "Fake audit description bar."):
      self.assertIn(expected, found)
    self.assertNotIn("Fake outdated audit log.", found)
Exemple #6
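    def GetReportData(self, get_report_args, token):
        """Build a stacked chart of per-user audit events per week.

        Events from the legacy audit logs are bucketed into the WEEKS most
        recent 7-day windows ending at the current time. Each non-system
        user becomes one series whose x values run from -WEEKS (oldest
        week) to -1 (most recent week) and whose y values are event counts.

        Args:
          get_report_args: Report arguments; not read by this method.
          token: Access token handed to the legacy audit-log reader.

        Returns:
          An ApiReportData with STACK_CHART representation. The chart has
          no data if reading the logs raised IOError, so an empty report
          does not by itself prove there was no activity.
        """
        ret = rdf_report_plugins.ApiReportData(
            representation_type=rdf_report_plugins.ApiReportData.
            RepresentationType.STACK_CHART)

        try:
            weeks = self.__class__.WEEKS
            user_activity = {}
            week_duration = rdfvalue.Duration("7d")
            offset = rdfvalue.Duration("%dw" % self.WEEKS)
            now = rdfvalue.RDFDatetime.Now()
            start_time = now - offset - audit.AUDIT_ROLLOVER_TIME
            try:
                for fd in audit.LegacyAuditLogsForTimespan(
                        start_time, now, token):
                    for event in fd.GenerateItems():
                        # Week k covers (now - k*7d, now - (k-1)*7d) and is
                        # stored at index -k, i.e. x == -k. Starting at
                        # k == 0 would test the window *after* now and drop
                        # every event from the oldest week of the report.
                        for week in range(1, weeks + 1):
                            start = now - week * week_duration
                            if start < event.timestamp < (start +
                                                          week_duration):
                                weekly_activity = user_activity.setdefault(
                                    event.user,
                                    [[x, 0] for x in range(-weeks, 0, 1)])
                                weekly_activity[-week][1] += 1
            except ValueError:  # Couldn't find any logs..
                # Deliberate best effort: report what was gathered so far.
                pass

            ret.stack_chart.data = sorted(
                (rdf_report_plugins.ApiReportDataSeries2D(
                    label=user,
                    points=(rdf_report_plugins.ApiReportDataPoint2D(x=x, y=y)
                            for x, y in data))
                 for user, data in iteritems(user_activity)
                 if user not in aff4_users.GRRUser.SYSTEM_USERS),
                key=lambda series: series.label)

        except IOError:
            # Deliberate best effort: a read failure yields an empty chart.
            pass

        return ret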
Exemple #7
def GetAuditLogEntries(offset, now, token):
    """Yield the audit events recorded strictly between now-offset and now.

    Args:
      offset: rdfvalue.Duration how far back to look in time
      now: rdfvalue.RDFDatetime for current time
      token: GRR access token

    Raises:
      ValueError: No logs were found. Because this is a generator, the
        error surfaces only once the caller has exhausted the iteration.

    Yields:
      AuditEvents whose timestamp lies in the open interval
      (now - offset, now); events exactly on either boundary are skipped.
    """
    window_start = now - offset
    # Logs are looked up from AUDIT_ROLLOVER_TIME before the window, so
    # the explicit timestamp check below is what enforces the window.
    start_time = window_start - audit.AUDIT_ROLLOVER_TIME

    log_count = 0
    for log in audit.LegacyAuditLogsForTimespan(start_time, now, token):
        log_count += 1
        for entry in log.GenerateItems():
            if not window_start < entry.timestamp < now:
                continue
            yield entry

    if log_count == 0:
        # The reported range is the widened lookup range, not the
        # caller's window.
        message = ("Couldn't find any logs in aff4:/audit/logs "
                   "between %s and %s" % (start_time, now))
        raise ValueError(message)