def _AnalyzeEvents(self, session, configuration, status_update_callback=None):
"""Analyzes events in a Plaso storage.
Args:
session (Session): session in which the events are analyzed.
configuration (ProcessingConfiguration): processing configuration.
status_update_callback (Optional[function]): callback function for status
updates.
Returns:
ProcessingStatus: processing status.
Raises:
RuntimeError: if a non-recoverable situation is encountered.
"""
storage_writer = storage_factory.StorageFactory.CreateStorageWriterForFile(
self._storage_file_path)
if not storage_writer:
raise RuntimeError('Unable to create storage writer.')
# TODO: add single process analysis engine support.
analysis_engine = multi_analysis_engine.AnalysisMultiProcessEngine(
worker_memory_limit=self._worker_memory_limit,
worker_timeout=self._worker_timeout)
storage_writer.Open(path=self._storage_file_path)
processing_status = None
try:
session_start = session.CreateSessionStart()
storage_writer.AddAttributeContainer(session_start)
try:
session_configuration = self._CreateAnalysisSessionConfiguration(
session)
storage_writer.AddAttributeContainer(session_configuration)
processing_status = analysis_engine.AnalyzeEvents(
session, self._knowledge_base, storage_writer, self._data_location,
self._analysis_plugins, configuration,
event_filter=self._event_filter,
event_filter_expression=self._event_filter_expression,
status_update_callback=status_update_callback,
storage_file_path=self._storage_file_path)
finally:
session.aborted = getattr(processing_status, 'aborted', True)
session_completion = session.CreateSessionCompletion()
storage_writer.AddAttributeContainer(session_completion)
finally:
storage_writer.Close()
return processing_status
def testAnalyzeEventsWithEventFilter(self):
"""Tests the AnalyzeEvents function with an event filter."""
test_file_path = self._GetTestFilePath(['psort_test.plaso'])
self._SkipIfPathNotExists(test_file_path)
test_tagging_file_path = self._GetTestFilePath(
['tagging_file', 'valid.txt'])
self._SkipIfPathNotExists(test_tagging_file_path)
session = sessions.Session()
knowledge_base_object = knowledge_base.KnowledgeBase()
data_location = ''
analysis_plugin = tagging.TaggingAnalysisPlugin()
analysis_plugin.SetAndLoadTagFile(test_tagging_file_path)
analysis_plugins = {'tagging': analysis_plugin}
configuration = configurations.ProcessingConfiguration()
test_engine = analysis_engine.AnalysisMultiProcessEngine()
test_filter = filters_test_lib.TestEventFilter()
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, 'storage.plaso')
shutil.copyfile(test_file_path, temp_file)
storage_writer = storage_factory.StorageFactory.CreateStorageWriter(
definitions.DEFAULT_STORAGE_FORMAT)
storage_writer.Open(path=temp_file)
try:
number_of_reports = storage_writer.GetNumberOfAttributeContainers(
'analysis_report')
self.assertEqual(number_of_reports, 2)
test_engine.AnalyzeEvents(session,
knowledge_base_object,
storage_writer,
data_location,
analysis_plugins,
configuration,
event_filter=test_filter,
storage_file_path=temp_directory)
number_of_reports = storage_writer.GetNumberOfAttributeContainers(
'analysis_report')
self.assertEqual(number_of_reports, 3)
finally:
storage_writer.Close()
def testInternalAnalyzeEvents(self):
"""Tests the _AnalyzeEvents function."""
test_file_path = self._GetTestFilePath(['psort_test.plaso'])
self._SkipIfPathNotExists(test_file_path)
test_tagging_file_path = self._GetTestFilePath([
'tagging_file', 'valid.txt'])
self._SkipIfPathNotExists(test_tagging_file_path)
session = sessions.Session()
knowledge_base_object = knowledge_base.KnowledgeBase()
analysis_plugin = tagging.TaggingAnalysisPlugin()
analysis_plugin.SetAndLoadTagFile(test_tagging_file_path)
analysis_plugins = {'tagging': analysis_plugin}
configuration = configurations.ProcessingConfiguration()
test_engine = analysis_engine.AnalysisMultiProcessEngine()
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, 'storage.plaso')
shutil.copyfile(test_file_path, temp_file)
self._ReadSessionConfiguration(temp_file, knowledge_base_object)
storage_writer = storage_factory.StorageFactory.CreateStorageWriter(
definitions.DEFAULT_STORAGE_FORMAT)
test_engine._processing_configuration = configuration
test_engine._session = session
test_engine._storage_file_path = temp_directory
test_engine._StartTaskStorage(definitions.STORAGE_FORMAT_SQLITE)
test_engine._StartAnalysisProcesses(analysis_plugins)
storage_writer.Open(path=temp_file)
try:
events_counter = test_engine._AnalyzeEvents(
storage_writer, analysis_plugins)
finally:
storage_writer.Close()
test_engine._StopAnalysisProcesses()
self.assertIsNotNone(events_counter)
self.assertEqual(events_counter['Events filtered'], 0)
self.assertEqual(events_counter['Events processed'], 38)