Python SystemdJournalParser Exemples

Exemple #1

    def testParse(self):
        """Tests the Parse function."""
        parser = systemd_journal.SystemdJournalParser()
        journal = self._ParseFile([u'systemd', u'journal', u'system.journal'],
                                  parser)

        self.assertEqual(len(journal.events), 2101)

        event = journal.events[0]

        expected_timestamp = timelib.Timestamp.CopyFromString(
            u'2017-01-27 09:40:55.913258')

        self.assertEqual(event.timestamp, expected_timestamp)

        expected_message = (
            u'test-VirtualBox [systemd, pid: 1] Started User Manager for '
            u'UID 1000.')
        self._TestGetMessageStrings(event, expected_message, expected_message)

        # This event uses XZ compressed data
        event = journal.events[2098]

        expected_timestamp = timelib.Timestamp.CopyFromString(
            u'2017-02-06 16:24:32.564585')

        self.assertEqual(event.timestamp, expected_timestamp)

        expected_message = u'test-VirtualBox [root, pid: 22921] {0:s}'.format(
            u'a' * 692)
        expected_short_message = u'{0:s}...'.format(expected_message[:77])
        self._TestGetMessageStrings(event, expected_message,
                                    expected_short_message)

Exemple #2

Fichier : systemd_journal.py Projet : no-sec/plaso

    def testParse(self):
        """Tests the Parse function."""
        parser = systemd_journal.SystemdJournalParser()
        storage_writer = self._ParseFile(
            ['systemd', 'journal', 'system.journal'], parser)

        self.assertEqual(storage_writer.number_of_events, 2101)

        events = list(storage_writer.GetEvents())

        event = events[0]

        expected_timestamp = timelib.Timestamp.CopyFromString(
            '2017-01-27 09:40:55.913258')

        self.assertEqual(event.timestamp, expected_timestamp)

        expected_message = (
            'test-VirtualBox [systemd, pid: 1] Started User Manager for '
            'UID 1000.')
        self._TestGetMessageStrings(event, expected_message, expected_message)

        # This event uses XZ compressed data
        event = events[2098]

        expected_timestamp = timelib.Timestamp.CopyFromString(
            '2017-02-06 16:24:32.564585')

        self.assertEqual(event.timestamp, expected_timestamp)

        expected_message = 'test-VirtualBox [root, pid: 22921] {0:s}'.format(
            'a' * 692)
        expected_short_message = '{0:s}...'.format(expected_message[:77])
        self._TestGetMessageStrings(event, expected_message,
                                    expected_short_message)

Exemple #3

    def testParseLZ4(self):
        """Tests the Parse function on a journal with LZ4 compressed events."""
        parser = systemd_journal.SystemdJournalParser()
        storage_writer = self._ParseFile(
            ['systemd', 'journal', 'system.journal.lz4'], parser)

        self.assertEqual(storage_writer.number_of_events, 85)

        events = list(storage_writer.GetEvents())

        event = events[0]

        self.CheckTimestamp(event.timestamp, '2018-07-03 15:00:16.682340')

        expected_message = 'testlol [systemd, pid: 822] Reached target Paths.'
        self._TestGetMessageStrings(event, expected_message, expected_message)

        # This event uses LZ4 compressed data
        event = events[84]

        self.CheckTimestamp(event.timestamp, '2018-07-03 15:19:04.667807')

        # source: https://github.com/systemd/systemd/issues/6237
        # The text used in the test message was triplicated to make it long enough
        # to trigger the LZ4 compression.
        expected_message = ('testlol [test, pid: 34757]  textual user names.' + (
            '  Yes, as you found out 0day is not a valid username. I wonder which '
            'tool permitted you to create it in the first place. Note that not '
            'permitting numeric first characters is done on purpose: to avoid '
            'ambiguities between numeric UID and textual user names.' * 3))
        expected_short_message = '{0:s}...'.format(expected_message[:77])
        self._TestGetMessageStrings(event, expected_message,
                                    expected_short_message)

Exemple #4

  def testParse(self):
    """Tests the Parse function."""
    parser = systemd_journal.SystemdJournalParser()
    storage_writer = self._ParseFile([
        'systemd', 'journal', 'system.journal'], parser)

    self.assertEqual(storage_writer.number_of_events, 2101)
    self.assertEqual(storage_writer.number_of_extraction_warnings, 0)
    self.assertEqual(storage_writer.number_of_recovery_warnings, 0)

    events = list(storage_writer.GetEvents())

    expected_event_values = {
        'body': 'Started User Manager for UID 1000.',
        'date_time': '2017-01-27 09:40:55.913258',
        'data_type': 'systemd:journal',
        'hostname': 'test-VirtualBox',
        'pid': '1',
        'reporter': 'systemd'}

    self.CheckEventValues(storage_writer, events[0], expected_event_values)

    # Test an event with XZ compressed data.
    expected_event_values = {
        'body': 'a' * 692,
        'date_time': '2017-02-06 16:24:32.564585',
        'data_type': 'systemd:journal',
        'hostname': 'test-VirtualBox',
        'pid': '22921',
        'reporter': 'root'}

    self.CheckEventValues(storage_writer, events[2098], expected_event_values)

Exemple #5

Fichier : systemd_journal.py Projet : cshanahan/plaso

    def testParseDirty(self):
        """Tests the Parse function on a 'dirty' journal file."""
        storage_writer = self._CreateStorageWriter()
        parser_mediator = self._CreateParserMediator(storage_writer)
        parser = systemd_journal.SystemdJournalParser()

        path_segments = [
            'systemd', 'journal',
            '*****@*****.**'
        ]
        file_entry = self._GetTestFileEntry(path_segments)
        file_object = file_entry.GetFileObject()

        parser.ParseFileObject(parser_mediator, file_object)

        number_of_events = storage_writer.GetNumberOfAttributeContainers(
            'event')
        self.assertEqual(number_of_events, 2211)

        number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
            'extraction_warning')
        self.assertEqual(number_of_warnings, 1)

        number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
            'recovery_warning')
        self.assertEqual(number_of_warnings, 0)

        events = list(storage_writer.GetEvents())

        expected_event_values = {
            'body':
            ('Runtime journal (/run/log/journal/) is 1.2M, max 9.9M, 8.6M '
             'free.'),
            'date_time':
            '2016-10-24 13:20:01.063423',
            'data_type':
            'systemd:journal',
            'hostname':
            'test-VirtualBox',
            'pid':
            '569',
            'reporter':
            'systemd-journald'
        }

        self.CheckEventValues(storage_writer, events[0], expected_event_values)

        generator = storage_writer.GetAttributeContainers(
            warnings.ExtractionWarning.CONTAINER_TYPE)

        test_warnings = list(generator)
        test_warning = test_warnings[0]
        self.assertIsNotNone(test_warning)

        expected_message = (
            'Unable to parse journal entry at offset: 0x0041bfb0 with error: '
            'object offset should be after hash tables (0 < 2527472)')
        self.assertEqual(test_warning.message, expected_message)

Exemple #6

Fichier : systemd_journal.py Projet : cshanahan/plaso

    def testParseLZ4(self):
        """Tests the Parse function on a journal with LZ4 compressed events."""
        parser = systemd_journal.SystemdJournalParser()
        storage_writer = self._ParseFile(
            ['systemd', 'journal', 'system.journal.lz4'], parser)

        number_of_events = storage_writer.GetNumberOfAttributeContainers(
            'event')
        self.assertEqual(number_of_events, 85)

        number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
            'extraction_warning')
        self.assertEqual(number_of_warnings, 0)

        number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
            'recovery_warning')
        self.assertEqual(number_of_warnings, 0)

        events = list(storage_writer.GetEvents())

        expected_event_values = {
            'body': 'Reached target Paths.',
            'date_time': '2018-07-03 15:00:16.682340',
            'data_type': 'systemd:journal',
            'hostname': 'testlol',
            'pid': '822',
            'reporter': 'systemd'
        }

        self.CheckEventValues(storage_writer, events[0], expected_event_values)

        # Test an event with LZ4 compressed data.
        # The text used in the test message was triplicated to make it long enough
        # to trigger the LZ4 compression.
        # Source: https://github.com/systemd/systemd/issues/6237
        expected_body_parts = [' textual user names.']
        expected_body_parts.extend((
            '  Yes, as you found out 0day is not a valid username. I wonder which '
            'tool permitted you to create it in the first place. Note that not '
            'permitting numeric first characters is done on purpose: to avoid '
            'ambiguities between numeric UID and textual user names.') * 3)
        expected_body = ''.join(expected_body_parts)

        expected_event_values = {
            'body': expected_body,
            'date_time': '2018-07-03 15:19:04.667807',
            'data_type': 'systemd:journal',
            'hostname': 'testlol',
            'pid': '34757',
            'reporter': 'test'
        }

        self.CheckEventValues(storage_writer, events[84],
                              expected_event_values)

Exemple #7

    def testParseDirty(self):
        """Tests the Parse function on a 'dirty' journal file."""
        storage_writer = self._CreateStorageWriter()
        parser_mediator = self._CreateParserMediator(storage_writer)
        parser = systemd_journal.SystemdJournalParser()
        path_segments = [
            u'systemd', u'journal',
            u'*****@*****.**'
        ]
        file_entry = self._GetTestFileEntry(path_segments)
        file_object = file_entry.GetFileObject()

        with self.assertRaisesRegexp(
                errors.ParseError,
                ur'object offset should be after hash tables \([0-9]+ < [0-9]+\)'
        ):
            parser.ParseFileObject(parser_mediator, file_object)

Exemple #8

Fichier : systemd_journal.py Projet : no-sec/plaso

    def testParseDirty(self):
        """Tests the Parse function on a 'dirty' journal file."""
        storage_writer = self._CreateStorageWriter()
        parser_mediator = self._CreateParserMediator(storage_writer)
        parser = systemd_journal.SystemdJournalParser()
        path_segments = [
            'systemd', 'journal',
            '*****@*****.**'
        ]
        file_entry = self._GetTestFileEntry(path_segments)
        file_object = file_entry.GetFileObject()

        parser.ParseFileObject(parser_mediator, file_object)

        self.assertEqual(storage_writer.number_of_events, 2211)

        events = list(storage_writer.GetEvents())

        event = events[0]

        expected_timestamp = timelib.Timestamp.CopyFromString(
            '2016-10-24 13:20:01.063423')

        self.assertEqual(event.timestamp, expected_timestamp)

        expected_message = (
            'test-VirtualBox [systemd-journald, pid: 569] Runtime journal '
            '(/run/log/journal/) is 1.2M, max 9.9M, 8.6M free.')
        expected_short_message = '{0:s}...'.format(expected_message[:77])
        self._TestGetMessageStrings(event, expected_message,
                                    expected_short_message)

        self.assertEqual(storage_writer.number_of_errors, 1)

        errors = list(storage_writer.GetErrors())
        error = errors[0]
        expected_error_message = (
            'Unable to complete parsing journal file: '
            'object offset should be after hash tables (4308912 < 2527472) at '
            'offset 0x0041bfb0')
        self.assertEqual(error.message, expected_error_message)

Exemple #9

    def testParseDirty(self):
        """Tests the Parse function on a 'dirty' journal file."""
        storage_writer = self._CreateStorageWriter()
        parser_mediator = self._CreateParserMediator(storage_writer)
        parser = systemd_journal.SystemdJournalParser()
        path_segments = [
            'systemd', 'journal',
            '*****@*****.**'
        ]
        file_entry = self._GetTestFileEntry(path_segments)
        file_object = file_entry.GetFileObject()

        parser.ParseFileObject(parser_mediator, file_object)

        self.assertEqual(storage_writer.number_of_warnings, 1)
        self.assertEqual(storage_writer.number_of_events, 2211)

        events = list(storage_writer.GetEvents())

        event = events[0]

        self.CheckTimestamp(event.timestamp, '2016-10-24 13:20:01.063423')

        event_data = self._GetEventDataOfEvent(storage_writer, event)

        expected_message = (
            'test-VirtualBox [systemd-journald, pid: 569] Runtime journal '
            '(/run/log/journal/) is 1.2M, max 9.9M, 8.6M free.')
        expected_short_message = '{0:s}...'.format(expected_message[:77])
        self._TestGetMessageStrings(event_data, expected_message,
                                    expected_short_message)

        self.assertEqual(storage_writer.number_of_warnings, 1)

        warnings = list(storage_writer.GetWarnings())
        warning = warnings[0]
        expected_warning_message = (
            'Unable to parse journal entry at offset: 0x0041bfb0 with error: '
            'object offset should be after hash tables (0 < 2527472)')
        self.assertEqual(warning.message, expected_warning_message)