def testParseTruncated(self): """Tests the Parse function on a truncated file.""" parser = winevtx.WinEvtxParser() # Be aware of System2.evtx file, it was manually shortened so it probably # contains invalid log at the end. storage_writer = self._ParseFile(['System2.evtx'], parser) self.assertEqual(storage_writer.number_of_warnings, 0) self.assertEqual(storage_writer.number_of_events, 388) events = list(storage_writer.GetEvents()) expected_event_values = { 'data_type': 'windows:evtx:record', 'event_identifier': 4624 } self.CheckEventValues(storage_writer, events[356], expected_event_values) expected_event_values = { 'data_type': 'windows:evtx:record', 'event_identifier': 4648 } self.CheckEventValues(storage_writer, events[360], expected_event_values)
def testParseTruncated(self): """Tests the Parse function on a truncated file.""" parser = winevtx.WinEvtxParser() # Be aware of System2.evtx file, it was manually shortened so it probably # contains invalid log at the end. storage_writer = self._ParseFile(['System2.evtx'], parser) self.assertEqual(storage_writer.number_of_warnings, 0) self.assertEqual(storage_writer.number_of_events, 388) events = list(storage_writer.GetEvents()) event = events[356] event_data = self._GetEventDataOfEvent(storage_writer, event) expected_strings_parsed = [('source_user_id', 'S-1-5-18'), ('source_user_name', 'GREENDALEGOLD$'), ('target_machine_ip', '-'), ('target_machine_name', None), ('target_user_id', 'S-1-5-18'), ('target_user_name', 'SYSTEM')] strings_parsed = sorted(event_data.strings_parsed.items()) self.assertEqual(strings_parsed, expected_strings_parsed) self.assertEqual(event_data.event_identifier, 4624) event = events[360] event_data = self._GetEventDataOfEvent(storage_writer, event) expected_strings_parsed = [ ('source_user_id', 'S-1-5-21-1539974973-2753941131-3212641383-1000'), ('source_user_name', 'gold_administrator'), ('target_machine_ip', '-'), ('target_machine_name', 'DC1.internal.greendale.edu'), ('target_user_name', 'administrator') ] strings_parsed = sorted(event_data.strings_parsed.items()) self.assertEqual(strings_parsed, expected_strings_parsed) self.assertEqual(event_data.event_identifier, 4648)
def testParseTruncated(self): """Tests the Parse function on a truncated file.""" parser = winevtx.WinEvtxParser() # Be aware of System2.evtx file, it was manually shortened so it probably # contains invalid log at the end. storage_writer = self._ParseFile(['System2.evtx'], parser) self.assertEqual(storage_writer.number_of_warnings, 0) self.assertEqual(storage_writer.number_of_events, 388) events = list(storage_writer.GetEvents()) event = events[356] event_data = self._GetEventDataOfEvent(storage_writer, event) self.assertEqual(event_data.event_identifier, 4624) event = events[360] event_data = self._GetEventDataOfEvent(storage_writer, event) self.assertEqual(event_data.event_identifier, 4648)
def testParse(self): """Tests the Parse function.""" parser_object = winevtx.WinEvtxParser() test_file = self._GetTestFilePath([u'System.evtx']) event_queue_consumer = self._ParseFile(parser_object, test_file) event_objects = self._GetEventObjectsFromQueue(event_queue_consumer) # Windows Event Viewer Log (EVTX) information: # Version : 3.1 # Number of records : 1601 # Number of recovered records : 0 # Log type : System self.assertEqual(len(event_objects), 1601) # Event number : 12049 # Written time : Mar 14, 2012 04:17:43.354562700 UTC # Event level : Information (4) # Computer name : WKS-WIN764BITB.shieldbase.local # Provider identifier : {fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148} # Source name : Microsoft-Windows-Eventlog # Event identifier : 0x00000069 (105) # Number of strings : 2 # String: 1 : System # String: 2 : C:\Windows\System32\Winevt\Logs\ # : Archive-System-2012-03-14-04-17-39-932.evtx event_object = event_objects[0] self.assertEqual(event_object.record_number, 12049) expected_computer_name = u'WKS-WIN764BITB.shieldbase.local' self.assertEqual(event_object.computer_name, expected_computer_name) self.assertEqual(event_object.source_name, u'Microsoft-Windows-Eventlog') self.assertEqual(event_object.event_level, 4) self.assertEqual(event_object.event_identifier, 105) self.assertEqual(event_object.strings[0], u'System') expected_string = (u'C:\\Windows\\System32\\Winevt\\Logs\\' u'Archive-System-2012-03-14-04-17-39-932.evtx') self.assertEqual(event_object.strings[1], expected_string) event_object = event_objects[1] expected_timestamp = timelib.Timestamp.CopyFromString( u'2012-03-14 04:17:38.276340') self.assertEqual(event_object.timestamp, expected_timestamp) self.assertEqual(event_object.timestamp_desc, eventdata.EventTimestamp.WRITTEN_TIME) expected_xml_string = ( u'<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/' u'event">\n' u' <System>\n' u' <Provider Name="Service Control Manager" ' u'Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" ' u'EventSourceName="Service Control Manager"/>\n' u' <EventID Qualifiers="16384">7036</EventID>\n' u' <Version>0</Version>\n' u' <Level>4</Level>\n' u' <Task>0</Task>\n' u' <Opcode>0</Opcode>\n' u' <Keywords>0x8080000000000000</Keywords>\n' u' <TimeCreated SystemTime="2012-03-14T04:17:38.276340200Z"/>\n' u' <EventRecordID>12050</EventRecordID>\n' u' <Correlation/>\n' u' <Execution ProcessID="548" ThreadID="1340"/>\n' u' <Channel>System</Channel>\n' u' <Computer>WKS-WIN764BITB.shieldbase.local</Computer>\n' u' <Security/>\n' u' </System>\n' u' <EventData>\n' u' <Data Name="param1">Windows Modules Installer</Data>\n' u' <Data Name="param2">stopped</Data>\n' u' <Binary>540072007500730074006500640049006E007300740061006C006C00' u'650072002F0031000000</Binary>\n' u' </EventData>\n' u'</Event>\n') self.assertEqual(event_object.xml_string, expected_xml_string) expected_msg = ( u'[7036 / 0x1b7c] ' u'Record Number: 12050 ' u'Event Level: 4 ' u'Source Name: Service Control Manager ' u'Computer Name: WKS-WIN764BITB.shieldbase.local ' u'Message string: The Windows Modules Installer service entered ' u'the stopped state. ' u'Strings: [\'Windows Modules Installer\', \'stopped\', ' u'\'540072007500730074006500640049006E00' u'7300740061006C006C00650072002F0031000000\']') expected_msg_short = ( u'[7036 / 0x1b7c] ' u'Strings: [\'Windows Modules Installer\', \'stopped\', ' u'\'5400720075...') self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
def testParse(self): """Tests the Parse function.""" parser = winevtx.WinEvtxParser() storage_writer = self._ParseFile(['System.evtx'], parser) self.assertEqual(storage_writer.number_of_errors, 0) # Windows Event Viewer Log (EVTX) information: # Version : 3.1 # Number of records : 1601 # Number of recovered records : 0 # Log type : System self.assertEqual(storage_writer.number_of_events, 1601) events = list(storage_writer.GetEvents()) # Event number : 12049 # Written time : Mar 14, 2012 04:17:43.354562700 UTC # Event level : Information (4) # Computer name : WKS-WIN764BITB.shieldbase.local # Provider identifier : {fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148} # Source name : Microsoft-Windows-Eventlog # Event identifier : 0x00000069 (105) # Number of strings : 2 # String: 1 : System # String: 2 : C:\Windows\System32\Winevt\Logs\ # : Archive-System-2012-03-14-04-17-39-932.evtx event = events[0] self.assertEqual(event.record_number, 12049) expected_computer_name = 'WKS-WIN764BITB.shieldbase.local' self.assertEqual(event.computer_name, expected_computer_name) self.assertEqual(event.source_name, 'Microsoft-Windows-Eventlog') self.assertEqual(event.event_level, 4) self.assertEqual(event.event_identifier, 105) self.assertEqual(event.strings[0], 'System') expected_string = ('C:\\Windows\\System32\\Winevt\\Logs\\' 'Archive-System-2012-03-14-04-17-39-932.evtx') self.assertEqual(event.strings[1], expected_string) event = events[1] self.CheckTimestamp(event.timestamp, '2012-03-14 04:17:38.276340') self.assertEqual(event.timestamp_desc, definitions.TIME_DESCRIPTION_WRITTEN) expected_xml_string = ( '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/' 'event">\n' ' <System>\n' ' <Provider Name="Service Control Manager" ' 'Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" ' 'EventSourceName="Service Control Manager"/>\n' ' <EventID Qualifiers="16384">7036</EventID>\n' ' <Version>0</Version>\n' ' <Level>4</Level>\n' ' <Task>0</Task>\n' ' <Opcode>0</Opcode>\n' ' <Keywords>0x8080000000000000</Keywords>\n' ' <TimeCreated SystemTime="2012-03-14T04:17:38.276340200Z"/>\n' ' <EventRecordID>12050</EventRecordID>\n' ' <Correlation/>\n' ' <Execution ProcessID="548" ThreadID="1340"/>\n' ' <Channel>System</Channel>\n' ' <Computer>WKS-WIN764BITB.shieldbase.local</Computer>\n' ' <Security/>\n' ' </System>\n' ' <EventData>\n' ' <Data Name="param1">Windows Modules Installer</Data>\n' ' <Data Name="param2">stopped</Data>\n' ' <Binary>540072007500730074006500640049006E007300740061006C006C00' '650072002F0031000000</Binary>\n' ' </EventData>\n' '</Event>\n') self.assertEqual(event.xml_string, expected_xml_string) expected_message = ( '[7036 / 0x1b7c] ' 'Source Name: Service Control Manager ' 'Message string: The Windows Modules Installer service entered ' 'the stopped state. ' 'Strings: [\'Windows Modules Installer\', \'stopped\', ' '\'540072007500730074006500640049006E00' '7300740061006C006C00650072002F0031000000\'] ' 'Computer Name: WKS-WIN764BITB.shieldbase.local ' 'Record Number: 12050 ' 'Event Level: 4') expected_short_message = ( '[7036 / 0x1b7c] ' 'Strings: [\'Windows Modules Installer\', \'stopped\', ' '\'5400720075...') self._TestGetMessageStrings(event, expected_message, expected_short_message)
def setUp(self): """Sets up the needed objects used throughout the test.""" self._parser = winevtx.WinEvtxParser()
def testParse(self): """Tests the Parse function.""" parser = winevtx.WinEvtxParser() storage_writer = self._ParseFile(['System.evtx'], parser) self.assertEqual(storage_writer.number_of_warnings, 0) # Windows Event Viewer Log (EVTX) information: # Version : 3.1 # Number of records : 1601 # Number of recovered records : 0 # Log type : System self.assertEqual(storage_writer.number_of_events, 3202) events = list(storage_writer.GetEvents()) # Event number : 12049 # Written time : Mar 14, 2012 04:17:43.354562700 UTC # Event level : Information (4) # Computer name : WKS-WIN764BITB.shieldbase.local # Provider identifier : {fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148} # Source name : Microsoft-Windows-Eventlog # Event identifier : 0x00000069 (105) # Number of strings : 2 # String: 1 : System # String: 2 : C:\Windows\System32\Winevt\Logs\ # : Archive-System-2012-03-14-04-17-39-932.evtx expected_string2 = ('C:\\Windows\\System32\\Winevt\\Logs\\' 'Archive-System-2012-03-14-04-17-39-932.evtx') expected_event_values = { 'computer_name': 'WKS-WIN764BITB.shieldbase.local', 'data_type': 'windows:evtx:record', 'event_identifier': 105, 'event_level': 4, 'record_number': 12049, 'source_name': 'Microsoft-Windows-Eventlog', 'strings': ['System', expected_string2] } self.CheckEventValues(storage_writer, events[0], expected_event_values) expected_xml_string = ( '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/' 'event">\n' ' <System>\n' ' <Provider Name="Service Control Manager" ' 'Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" ' 'EventSourceName="Service Control Manager"/>\n' ' <EventID Qualifiers="16384">7036</EventID>\n' ' <Version>0</Version>\n' ' <Level>4</Level>\n' ' <Task>0</Task>\n' ' <Opcode>0</Opcode>\n' ' <Keywords>0x8080000000000000</Keywords>\n' ' <TimeCreated SystemTime="2012-03-14T04:17:38.276340200Z"/>\n' ' <EventRecordID>12050</EventRecordID>\n' ' <Correlation/>\n' ' <Execution ProcessID="548" ThreadID="1340"/>\n' ' <Channel>System</Channel>\n' ' <Computer>WKS-WIN764BITB.shieldbase.local</Computer>\n' ' <Security/>\n' ' </System>\n' ' <EventData>\n' ' <Data Name="param1">Windows Modules Installer</Data>\n' ' <Data Name="param2">stopped</Data>\n' ' <Binary>540072007500730074006500640049006E007300740061006C006C00' '650072002F0031000000</Binary>\n' ' </EventData>\n' '</Event>\n') expected_event_values = { 'computer_name': 'WKS-WIN764BITB.shieldbase.local', 'data_type': 'windows:evtx:record', 'event_level': 4, 'record_number': 12050, 'source_name': 'Service Control Manager', 'strings': [ 'Windows Modules Installer', 'stopped', ('540072007500730074006500640049006E007300740061006C006C00650072002F' '0031000000') ], 'timestamp': '2012-03-14 04:17:38.276340', 'timestamp_desc': definitions.TIME_DESCRIPTION_WRITTEN, 'xml_string': expected_xml_string } self.CheckEventValues(storage_writer, events[2], expected_event_values)
def setUp(self): """Makes preparations before running an individual test.""" self._parser = winevtx.WinEvtxParser()
def setUp(self): """Sets up the needed objects used throughout the test.""" pre_obj = event.PreprocessObject() self._parser = winevtx.WinEvtxParser(pre_obj, None)