def _SendContainerToStorage(file_entry, storage_queue_producer):
  """Reads the stat events of a file entry and sends them to storage.

  Every event produced for the file entry's stat information is stamped with
  the file entry's display name, file name, path specification, the parser
  name and the inode before it is handed to the storage queue producer.

  Args:
    file_entry: The file entry object (instance of dfvfs.FileEntry).
    storage_queue_producer: the storage queue producer (instance of
                            EventObjectQueueProducer).
  """
  stat_object = file_entry.GetStat()
  path_spec = file_entry.path_spec

  # TODO: dfVFS refactor: move display name to output since the path
  # specification contains the full information.
  display_name = u'{0:s}:{1:s}'.format(path_spec.type_indicator, file_entry.name)

  stat_events = filestat.StatEvents
  file_system_type = stat_events.GetFileSystemTypeFromFileEntry(file_entry)
  for event_object in stat_events.GetEventsFromStat(
      stat_object, file_system_type):
    event_object.display_name = display_name
    event_object.filename = file_entry.name
    event_object.pathspec = path_spec
    event_object.parser = u'filestat'
    event_object.inode = utils.GetInodeValue(stat_object.ino)
    storage_queue_producer.ProduceEventObject(event_object)
def ProcessEvent(
    self, event_object, parser_name=None, plugin_name=None, file_entry=None,
    query=None):
  """Fills in the attributes an event is still missing before it is queued.

  Each attribute is only written when the event does not already carry a
  non-empty value for it, so values set by the parser take precedence over
  the defaults supplied here.

  Args:
    event_object: the event object (instance of EventObject).
    parser_name: Optional name of the parser. The default is None.
    plugin_name: Optional name of the plugin. The default is None.
    file_entry: optional file entry object (instance of dfvfs.FileEntry).
                The default is None.
    query: Optional query string. The default is None.
  """
  def _SetIfMissing(attribute, value):
    """Sets attribute on the event when it is unset/empty and value is truthy."""
    if not getattr(event_object, attribute, None) and value:
      setattr(event_object, attribute, value)

  _SetIfMissing('parser', parser_name)
  _SetIfMissing('plugin', plugin_name)

  # TODO: deprecate text_prepend in favor of an event tag.
  _SetIfMissing('text_prepend', self._text_prepend)

  display_name = None
  if file_entry:
    event_object.pathspec = file_entry.path_spec
    if not getattr(event_object, 'filename', None):
      event_object.filename = self.GetRelativePath(file_entry)

    # TODO: dfVFS refactor: move display name to output since the path
    # specification contains the full information.
    display_name = self.GetDisplayName(file_entry)

    inode_number = getattr(file_entry.GetStat(), 'ino', None)
    # Unlike the other attributes an existing inode is kept even when empty.
    if not hasattr(event_object, 'inode') and inode_number:
      # TODO: clean up the GetInodeValue function.
      event_object.inode = utils.GetInodeValue(inode_number)

  _SetIfMissing('display_name', display_name)
  _SetIfMissing('hostname', self.hostname)

  if not getattr(event_object, 'username', None):
    user_sid = getattr(event_object, 'user_sid', None)
    username = self._knowledge_base.GetUsernameByIdentifier(user_sid)
    _SetIfMissing('username', username)

  _SetIfMissing('query', query)
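def _ParseEvent(self, event_object, file_entry, parser_name, stat_obj):
  """Adjusts the values of an extracted event object before storing it.

  Fills in the attributes that describe where the event came from (file
  path, path specification, display name, parser, hostname, inode) and the
  username mapped from the event's user_sid, then hands the event to the
  storage queue producer when it passes the configured filter.

  Args:
    event_object: the extracted event object (instance of EventObject).
    file_entry: the file entry object (instance of dfvfs.FileEntry) the event
                was extracted from.
    parser_name: the name of the parser that produced the event.
    stat_obj: the stat object of the file entry; its ino attribute, when
              present, provides the event inode.
  """
  # TODO: Make some more adjustments to the event object.
  # Need to apply time skew, and other information extracted from
  # the configuration of the tool.

  # TODO: deprecate text_prepend in favor of an event tag.
  if self._text_prepend:
    event_object.text_prepend = self._text_prepend

  path_spec = file_entry.path_spec
  file_path = getattr(path_spec, 'location', file_entry.name)

  # If we are parsing a mount point we don't want to include the full
  # path to file's location here, we are only interested in the relative
  # path to the mount point.
  # TODO: Solve this differently, quite possibly inside dfVFS using mount
  # path spec.
  if (path_spec.type_indicator == dfvfs_definitions.TYPE_INDICATOR_OS and
      self._mount_path):
    # Only strip the mount path when it really is the prefix of the file
    # path; partition() on a path outside the mount point would otherwise
    # reduce the file path (and hence the filename) to an empty string.
    if file_path.startswith(self._mount_path):
      file_path = file_path[len(self._mount_path):]

  # TODO: dfVFS refactor: move display name to output since the path
  # specification contains the full information.
  event_object.display_name = u'{0:s}:{1:s}'.format(
      path_spec.type_indicator, file_path)
  if not getattr(event_object, 'filename', None):
    event_object.filename = file_path
  event_object.pathspec = path_spec
  event_object.parser = parser_name

  if hasattr(self._pre_obj, 'hostname'):
    event_object.hostname = self._pre_obj.hostname

  if not hasattr(event_object, 'inode') and hasattr(stat_obj, 'ino'):
    event_object.inode = utils.GetInodeValue(stat_obj.ino)

  # Set the username that is associated to the record.
  user_sid = getattr(event_object, 'user_sid', None)
  if user_sid and self._user_mapping:
    username = self._user_mapping.get(user_sid)
    if username:
      event_object.username = username

  if not self._filter_object or self._filter_object.Matches(event_object):
    self._storage_queue_producer.ProduceEventObject(event_object)
    self._counter_of_extracted_events += 1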
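def ProcessEvent(
    self, event_object, parser_chain=None, file_entry=None, query=None):
  """Processes an event before it is emitted to the event queue.

  Attributes are only filled in when the event does not already carry a
  non-empty value for them; the extra event attributes configured on the
  mediator are the exception and must not collide with existing ones.

  Args:
    event_object: the event object (instance of EventObject).
    parser_chain: Optional string containing the parsing chain up to this
                  point. The default is None.
    file_entry: Optional file entry object (instance of dfvfs.FileEntry).
                The default is None, which will default to the current file
                entry set in the mediator.
    query: Optional query string. The default is None.

  Raises:
    KeyError: if one of the configured extra event attributes is already
              present on the event.
  """
  if not getattr(event_object, u'parser', None) and parser_chain:
    event_object.parser = parser_chain

  # TODO: deprecate text_prepend in favor of an event tag.
  if not getattr(event_object, u'text_prepend', None) and self._text_prepend:
    event_object.text_prepend = self._text_prepend

  if file_entry is None:
    file_entry = self._file_entry

  # The display name is only known when there is a file entry; it is applied
  # below together with the other defaults.
  display_name = None
  if file_entry:
    event_object.pathspec = file_entry.path_spec
    if not getattr(event_object, u'filename', None):
      path_spec = getattr(file_entry, u'path_spec', None)
      event_object.filename = self._GetRelativePath(path_spec)

    # TODO: dfVFS refactor: move display name to output since the path
    # specification contains the full information.
    display_name = self.GetDisplayName(file_entry)

    stat_object = file_entry.GetStat()
    inode_number = getattr(stat_object, u'ino', None)
    # An inode attribute that is present but empty is deliberately kept.
    if not hasattr(event_object, u'inode') and inode_number:
      # TODO: clean up the GetInodeValue function.
      event_object.inode = utils.GetInodeValue(inode_number)

  if not getattr(event_object, u'display_name', None) and display_name:
    event_object.display_name = display_name

  if not getattr(event_object, u'hostname', None) and self.hostname:
    event_object.hostname = self.hostname

  if not getattr(event_object, u'username', None):
    user_sid = getattr(event_object, u'user_sid', None)
    username = self._knowledge_base.GetUsernameByIdentifier(user_sid)
    if username:
      event_object.username = username

  if not getattr(event_object, u'query', None) and query:
    event_object.query = query

  # Configured extra attributes must never silently overwrite what the parser
  # produced, hence the hard failure on a collision.
  for attribute, value in self._extra_event_attributes.iteritems():
    if hasattr(event_object, attribute):
      raise KeyError(
          u'Event already has a value for {0:s}'.format(attribute))
    setattr(event_object, attribute, value)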