예제 #1
0
def main():
    with open(sys.argv[1], 'r') as f:
        with contextlib.closing(mmap.mmap(f.fileno(), 0,
                                          access=mmap.ACCESS_READ)) as buf:
            offset = 0x8
            offset = buf.find("LfLe", offset)  # skip header
            while offset != -1:
                try:
                    record = Record(buf, offset - 0x4)
                except OverrunBufferException:
                    break
                try:
                    print('%s, %d, "%s", "%s"' % (record.time_generated().isoformat("T") + "Z",
                                                  record.event_id(), record.source(),
                                                  str(record.strings())))
                except UnicodeDecodeError:
                    pass
                except UnicodeEncodeError:
                    pass
                except OverrunBufferException:
                    pass
                if record.length() > 0x100:
                    offset = buf.find("LfLe", offset + 1)
                else:
                    offset = buf.find("LfLe", offset + record.length())
def main():
    with open(sys.argv[1], 'r') as f:
        with contextlib.closing(
                mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf:
            offset = 0x8
            offset = buf.find("LfLe", offset)  # skip header
            while offset != -1:
                try:
                    record = Record(buf, offset - 0x4)
                except OverrunBufferException:
                    break
                try:
                    # MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
                    print("0|EVT[%s]: event %d %s|0|0|0|0|0|%s|%s|%s|%s" %
                          (record.source(), record.event_id(),
                           str(record.strings()),
                           record.time_generated().strftime('%s'),
                           record.time_generated().strftime('%s'),
                           record.time_generated().strftime('%s'),
                           record.time_generated().strftime('%s')))
                except UnicodeDecodeError:
                    pass
                except UnicodeEncodeError:
                    pass
                except OverrunBufferException:
                    pass
                if record.length() > 0x100:
                    offset = buf.find("LfLe", offset + 1)
                else:
                    offset = buf.find("LfLe", offset + record.length())
def main():
    with open(sys.argv[1], 'r') as f:
        with contextlib.closing(mmap.mmap(f.fileno(), 0,
                                          access=mmap.ACCESS_READ)) as buf:
            offset = 0x8
            offset = buf.find("LfLe", offset)  # skip header
            while offset != -1:
                try:
                    record = Record(buf, offset - 0x4)
                except OverrunBufferException:
                    break
                try:
                    # MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
                    print("0|EVT[%s]: event %d %s|0|0|0|0|0|%s|%s|%s|%s" % (record.source(),
                                                                            record.event_id(),
                                                                            str(record.strings()),
                                                                            record.time_generated().strftime('%s'),
                                                                            record.time_generated().strftime('%s'),
                                                                            record.time_generated().strftime('%s'),
                                                                            record.time_generated().strftime('%s')))
                except UnicodeDecodeError:
                    pass
                except UnicodeEncodeError:
                    pass
                except OverrunBufferException:
                    pass
                if record.length() > 0x100:
                    offset = buf.find("LfLe", offset + 1)
                else:
                    offset = buf.find("LfLe", offset + record.length())
예제 #4
0
def main():
    with open(sys.argv[1], 'r') as f:
        with contextlib.closing(
                mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) as buf:
            offset = 0x8
            offset = buf.find("LfLe", offset)  # skip header
            while offset != -1:
                try:
                    record = Record(buf, offset - 0x4)
                except OverrunBufferException:
                    break
                try:
                    print('%s, %d, "%s", "%s"' %
                          (record.time_generated().isoformat("T") + "Z",
                           record.event_id(), record.source(),
                           str(record.strings())))
                except UnicodeDecodeError:
                    pass
                except UnicodeEncodeError:
                    pass
                except OverrunBufferException:
                    pass
                if record.length() > 0x100:
                    offset = buf.find("LfLe", offset + 1)
                else:
                    offset = buf.find("LfLe", offset + record.length())