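def _LoadUserActivity(self, start_time, end_time, token):
  """Yield (username, timestamp) pairs for API activity in a time range.

  Args:
    start_time: rdfvalue.RDFDatetime, lower bound of the range.
    end_time: rdfvalue.RDFDatetime, upper bound of the range.
    token: GRR access token; only used by the legacy audit log reader.

  Yields:
    (username, timestamp) tuples, one per audit entry (relational store) or
    per legacy audit event.
  """
  if data_store.RelationalDBReadEnabled():
    # Bound the query on both ends. The original only passed min_timestamp,
    # so end_time was ignored in this branch while the legacy branch below
    # honours it.
    entries = data_store.REL_DB.ReadAPIAuditEntries(
        min_timestamp=start_time, max_timestamp=end_time)
    for entry in entries:
      yield entry.username, entry.timestamp
  else:
    # The scan starts AUDIT_ROLLOVER_TIME before start_time so the log that
    # spans the range boundary is included; callers bucket by timestamp.
    legacy_logs = audit.LegacyAuditLogsForTimespan(
        start_time=start_time - audit.AUDIT_ROLLOVER_TIME,
        end_time=end_time,
        token=token)
    for log_fd in legacy_logs:
      for event in log_fd.GenerateItems():
        yield event.user, event.timestamp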
def _LoadUserActivity(self, start_time, end_time, token):
  """Yield (username, day_or_timestamp, count) triples for a time range.

  Args:
    start_time: rdfvalue.RDFDatetime, lower bound of the range.
    end_time: rdfvalue.RDFDatetime, upper bound of the range.
    token: GRR access token; only used by the legacy audit log reader.

  Yields:
    With the relational store enabled: (username, day, count) from the
    per-user-per-day aggregation. Otherwise: (user, event timestamp, 1), one
    triple per legacy audit event.
  """
  if not data_store.RelationalDBReadEnabled():
    # Legacy logs are not pre-aggregated: every event counts once.
    legacy_logs = audit.LegacyAuditLogsForTimespan(
        start_time=start_time - audit.AUDIT_ROLLOVER_TIME,
        end_time=end_time,
        token=token)
    for log_fd in legacy_logs:
      for event in log_fd.GenerateItems():
        yield event.user, event.timestamp, 1
    return

  per_user_day = data_store.REL_DB.CountAPIAuditEntriesByUserAndDay(
      min_timestamp=start_time, max_timestamp=end_time)
  for (username, day), count in iteritems(per_user_day):
    yield username, day, count
def GetAuditLogEntries(offset, now, token):
  """Return all audit log entries between now-offset and now.

  Args:
    offset: rdfvalue.Duration how far back to look in time
    now: rdfvalue.RDFDatetime for current time
    token: GRR access token

  Yields:
    AuditEvents created during the time range
  """
  lower_bound = now - offset
  # The scan starts AUDIT_ROLLOVER_TIME earlier than the requested range; the
  # timestamp filter below trims events outside (now - offset, now).
  scan_start = lower_bound - audit.AUDIT_ROLLOVER_TIME
  for log_fd in audit.LegacyAuditLogsForTimespan(scan_start, now, token):
    in_range = (
        ev for ev in log_fd.GenerateItems() if lower_bound < ev.timestamp < now)
    for ev in in_range:
      yield ev
def _LoadUserActivity(self, token):
  """Yield (username, timestamp) pairs for the last ``self.WEEKS`` weeks.

  Args:
    token: GRR access token; only used by the legacy audit log reader.

  Yields:
    (username, timestamp) tuples, one per audit entry (relational store) or
    per legacy audit event.
  """
  lookback = rdfvalue.Duration("7d") * self.WEEKS
  now = rdfvalue.RDFDatetime.Now()
  start_time = now - lookback

  if data_store.RelationalDBReadEnabled():
    entries = data_store.REL_DB.ReadAPIAuditEntries(min_timestamp=start_time)
    for entry in entries:
      yield entry.username, entry.timestamp
    return

  # Scan starts AUDIT_ROLLOVER_TIME before start_time so the log spanning the
  # range boundary is included.
  legacy_logs = audit.LegacyAuditLogsForTimespan(
      start_time=start_time - audit.AUDIT_ROLLOVER_TIME,
      end_time=now,
      token=token)
  for log_fd in legacy_logs:
    for event in log_fd.GenerateItems():
      yield event.user, event.timestamp
def testAuditLogsForTimespan(self):
  """A one-day window returns today's logs but not one written two weeks ago."""
  two_weeks_ago = rdfvalue.RDFDatetime.Now() - rdfvalue.Duration("2w")
  with test_lib.FakeTime(two_weeks_ago):
    AddFakeAuditLog("Fake outdated audit log.", token=self.token)

  AddFakeAuditLog("Fake audit description foo.", token=self.token)
  AddFakeAuditLog("Fake audit description bar.", token=self.token)

  window_start = rdfvalue.RDFDatetime.Now() - rdfvalue.Duration("1d")
  window_end = rdfvalue.RDFDatetime.Now()
  by_description = {}
  for log_fd in audit.LegacyAuditLogsForTimespan(
      window_start, window_end, token=self.token):
    for ev in log_fd.GenerateItems():
      by_description[ev.description] = ev

  self.assertIn("Fake audit description foo.", by_description)
  self.assertIn("Fake audit description bar.", by_description)
  self.assertNotIn("Fake outdated audit log.", by_description)
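def GetReportData(self, get_report_args, token):
  """Filter the last week of user actions.

  Builds a stacked chart of per-user activity with one point per week for
  the last ``self.WEEKS`` weeks, read from the legacy audit logs.

  Args:
    get_report_args: report arguments (not used by this report).
    token: GRR access token passed to the audit log reader.

  Returns:
    rdf_report_plugins.ApiReportData with a STACK_CHART representation; the
    chart is empty when no logs could be read.
  """
  ret = rdf_report_plugins.ApiReportData(
      representation_type=rdf_report_plugins.ApiReportData.
      RepresentationType.STACK_CHART)

  try:
    user_activity = {}
    week_duration = rdfvalue.Duration("7d")
    offset = rdfvalue.Duration("%dw" % self.WEEKS)
    now = rdfvalue.RDFDatetime.Now()
    # Start the scan AUDIT_ROLLOVER_TIME before the reporting window so the
    # log spanning the window's start is included.
    start_time = now - offset - audit.AUDIT_ROLLOVER_TIME

    def _EmptyBuckets():
      # One [x, count] pair per week: x = -WEEKS (oldest) .. -1 (most recent).
      return [[x, 0] for x in range(-self.WEEKS, 0, 1)]

    try:
      for fd in audit.LegacyAuditLogsForTimespan(start_time, now, token):
        for event in fd.GenerateItems():
          # Week w covers (now - w*7d, now - (w-1)*7d) and lands in bucket
          # -w, so week 1 -> x=-1 and week WEEKS -> x=-WEEKS (index 0).
          # The original iterated range(WEEKS): week 0 tested the future
          # window (now, now + 7d) and the oldest week was never counted.
          for week in range(1, self.WEEKS + 1):
            start = now - week * week_duration
            if start < event.timestamp < (start + week_duration):
              weekly_activity = user_activity.setdefault(
                  event.user, _EmptyBuckets())
              weekly_activity[-week][1] += 1
              break  # Windows are disjoint; at most one matches.
    except ValueError:
      # Original author's note: "Couldn't find any logs.." — an empty chart
      # is the intended result in that case.
      pass

    ret.stack_chart.data = sorted(
        (rdf_report_plugins.ApiReportDataSeries2D(
            label=user,
            points=(rdf_report_plugins.ApiReportDataPoint2D(x=x, y=y)
                    for x, y in data))
         for user, data in iteritems(user_activity)
         if user not in aff4_users.GRRUser.SYSTEM_USERS),
        key=lambda series: series.label)
  except IOError:
    # Best effort: an unreadable log store yields an empty chart.
    pass

  return ret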
def GetAuditLogEntries(offset, now, token):
  """Return all audit log entries between now-offset and now.

  Args:
    offset: rdfvalue.Duration how far back to look in time
    now: rdfvalue.RDFDatetime for current time
    token: GRR access token

  Raises:
    ValueError: No logs were found.

  Yields:
    AuditEvents created during the time range
  """
  lower_bound = now - offset
  # The scan starts AUDIT_ROLLOVER_TIME earlier than the requested range; the
  # timestamp filter below trims events outside (now - offset, now).
  scan_start = lower_bound - audit.AUDIT_ROLLOVER_TIME
  seen_any_log = False
  for log_fd in audit.LegacyAuditLogsForTimespan(scan_start, now, token):
    seen_any_log = True
    in_range = (
        ev for ev in log_fd.GenerateItems() if lower_bound < ev.timestamp < now)
    for ev in in_range:
      yield ev
  # A log with zero matching events is not an error; only an empty scan is.
  if not seen_any_log:
    raise ValueError(
        "Couldn't find any logs in aff4:/audit/logs between %s and %s" %
        (scan_start, now))