コード例 #1
ファイル: EventLogTool.py プロジェクト: olivierh59500/pyflag
                    filename = os.path.basename(filename.replace("\\", "/"))
                    dbh.execute(
                        "insert into EventMessageSources set filename=%r, source=%r",
                        (filename, appname))
                    print "Added source '%s' as file %r" % (appname, filename)
                except (KeyError, DB.DBError):
                    pass

elif config.mode == 'event':
    import FileFormats.EVTLog as EVTLog
    dbh = DB.DBO()

    for filename in config.args:
        fd = open(filename)
        b = Buffer(fd=fd)
        header = EVTLog.Header(b)
        b = b[header.size():]

        while 1:
            try:
                event = EVTLog.Event(b)

                source = event['Source'].get_value()
                machine = event['Machine'].get_value()

                ## Find the filename for this source:
                dbh.execute(
                    "select filename from EventMessageSources where source=%r",
                    source)
                row = dbh.fetch()
                if row:
コード例 #2
ファイル: EVTLog.py プロジェクト: olivierh59500/pyflag
    def get_fields(self):
        """Yield one result dict per event record found in self.datafile.

        Each entry of self.datafile is opened through IO.open_URL, its EVT
        header is skipped, and events are parsed back to back until
        EVTLog.Event raises IOError (taken here to mean end of data).
        For every event the message format string is looked up in the
        EventMessageSources / EventMessages tables and rendered with the
        event's Strings; when the lookup fails a diagnostic text is
        emitted as the message instead.

        Yields:
            dict with keys _time, message, event, Source, record and,
            when the event carries that many Strings, arg1..arg3.
            Note that _time is a SQL expression string
            (``from_unixtime('...')``), not a timestamp value; it is
            presumably consumed verbatim by a later DB insert - confirm
            against the caller.

        Raises:
            IOError: if self.datafile has not been set.
        """
        if self.datafile == None:
            raise IOError("Datafile is not set!!!")

        print "Datafile %s" % (self.datafile, )

        for file in self.datafile:
            ## open the file as a url:
            fd = IO.open_URL(file)
            dbh = DB.DBO()
            buffer = Buffer(fd=fd)
            header = EVTLog.Header(buffer)
            ## Skip the file header; events start right after it.
            buffer = buffer[header.size():]

            while 1:
                try:
                    event = EVTLog.Event(buffer)

                    source = event['Source'].get_value()
                    ## NOTE(review): `machine` is read but never used below.
                    machine = event['Machine'].get_value()

                    ## Find the filename for this source:
                    ## Query parameters are passed separately to dbh.execute;
                    ## the %r placeholders are quoted by the DB wrapper, not
                    ## by string formatting here - confirm in DB.DBO.
                    dbh.execute(
                        "select filename from EventMessageSources where source=%r",
                        source)
                    row = dbh.fetch()
                    if row:
                        dbh.execute(
                            "select message from EventMessages where filename=%r and message_id=%r",
                            (row['filename'], event['EventID'].get_value()))
                        row = dbh.fetch()
                        if row:
                            ## The format string comes from the DB and the
                            ## substituted values from the log file; any
                            ## escaping of untrusted Strings is left to
                            ## EVTLog.format_message (opaque from here).
                            message = EVTLog.format_message(
                                row['message'], event['Strings'])
                        ## Message not found
                        else:
                            message = "Unable to find message format string (Maybe file was not loaded with --mode=dll?). Parameters are: %s" % event[
                                'Strings']

                    ## Filename not found for this source:
                    else:
                        message = "Unable to locate file for source %s. Maybe you need to run EventLogTool with the --reg flag on the SYSTEM registry hive? Parameters are: %s " % (
                            source, event['Strings'])

                    ## Advance past this record before building the result,
                    ## so a failure below does not re-parse the same event.
                    buffer = buffer[event.size():]
                    result = dict(
                        _time="from_unixtime('%s')" %
                        event['TimeGenerated'].get_value(),
                        message=message,
                        event=event['EventID'].get_value(),
                        Source=event['Source'].get_value(),
                        record=event['RecordNumber'].get_value(),
                    )
                    ## arg1..arg3 are optional: events may carry fewer
                    ## Strings. NOTE(review): the bare excepts also hide
                    ## unrelated errors (including KeyboardInterrupt);
                    ## catching IndexError would be the intended scope.
                    try:
                        result['arg1'] = event['Strings'][0].get_value()
                    except:
                        pass

                    try:
                        result['arg2'] = event['Strings'][1].get_value()
                    except:
                        pass

                    try:
                        result['arg3'] = event['Strings'][2].get_value()
                    except:
                        pass

                    yield result

                ## Presumably raised by EVTLog.Event once the buffer holds
                ## no complete record - treated as end of this file.
                except IOError:
                    break