def testParse(self): """Tests the Parse function.""" parser = systemd_journal.SystemdJournalParser() journal = self._ParseFile([u'systemd', u'journal', u'system.journal'], parser) self.assertEqual(len(journal.events), 2101) event = journal.events[0] expected_timestamp = timelib.Timestamp.CopyFromString( u'2017-01-27 09:40:55.913258') self.assertEqual(event.timestamp, expected_timestamp) expected_message = ( u'test-VirtualBox [systemd, pid: 1] Started User Manager for ' u'UID 1000.') self._TestGetMessageStrings(event, expected_message, expected_message) # This event uses XZ compressed data event = journal.events[2098] expected_timestamp = timelib.Timestamp.CopyFromString( u'2017-02-06 16:24:32.564585') self.assertEqual(event.timestamp, expected_timestamp) expected_message = u'test-VirtualBox [root, pid: 22921] {0:s}'.format( u'a' * 692) expected_short_message = u'{0:s}...'.format(expected_message[:77]) self._TestGetMessageStrings(event, expected_message, expected_short_message)
def testParse(self): """Tests the Parse function.""" parser = systemd_journal.SystemdJournalParser() storage_writer = self._ParseFile( ['systemd', 'journal', 'system.journal'], parser) self.assertEqual(storage_writer.number_of_events, 2101) events = list(storage_writer.GetEvents()) event = events[0] expected_timestamp = timelib.Timestamp.CopyFromString( '2017-01-27 09:40:55.913258') self.assertEqual(event.timestamp, expected_timestamp) expected_message = ( 'test-VirtualBox [systemd, pid: 1] Started User Manager for ' 'UID 1000.') self._TestGetMessageStrings(event, expected_message, expected_message) # This event uses XZ compressed data event = events[2098] expected_timestamp = timelib.Timestamp.CopyFromString( '2017-02-06 16:24:32.564585') self.assertEqual(event.timestamp, expected_timestamp) expected_message = 'test-VirtualBox [root, pid: 22921] {0:s}'.format( 'a' * 692) expected_short_message = '{0:s}...'.format(expected_message[:77]) self._TestGetMessageStrings(event, expected_message, expected_short_message)
def testParseLZ4(self): """Tests the Parse function on a journal with LZ4 compressed events.""" parser = systemd_journal.SystemdJournalParser() storage_writer = self._ParseFile( ['systemd', 'journal', 'system.journal.lz4'], parser) self.assertEqual(storage_writer.number_of_events, 85) events = list(storage_writer.GetEvents()) event = events[0] self.CheckTimestamp(event.timestamp, '2018-07-03 15:00:16.682340') expected_message = 'testlol [systemd, pid: 822] Reached target Paths.' self._TestGetMessageStrings(event, expected_message, expected_message) # This event uses LZ4 compressed data event = events[84] self.CheckTimestamp(event.timestamp, '2018-07-03 15:19:04.667807') # source: https://github.com/systemd/systemd/issues/6237 # The text used in the test message was triplicated to make it long enough # to trigger the LZ4 compression. expected_message = ('testlol [test, pid: 34757] textual user names.' + ( ' Yes, as you found out 0day is not a valid username. I wonder which ' 'tool permitted you to create it in the first place. Note that not ' 'permitting numeric first characters is done on purpose: to avoid ' 'ambiguities between numeric UID and textual user names.' * 3)) expected_short_message = '{0:s}...'.format(expected_message[:77]) self._TestGetMessageStrings(event, expected_message, expected_short_message)
def testParse(self): """Tests the Parse function.""" parser = systemd_journal.SystemdJournalParser() storage_writer = self._ParseFile([ 'systemd', 'journal', 'system.journal'], parser) self.assertEqual(storage_writer.number_of_events, 2101) self.assertEqual(storage_writer.number_of_extraction_warnings, 0) self.assertEqual(storage_writer.number_of_recovery_warnings, 0) events = list(storage_writer.GetEvents()) expected_event_values = { 'body': 'Started User Manager for UID 1000.', 'date_time': '2017-01-27 09:40:55.913258', 'data_type': 'systemd:journal', 'hostname': 'test-VirtualBox', 'pid': '1', 'reporter': 'systemd'} self.CheckEventValues(storage_writer, events[0], expected_event_values) # Test an event with XZ compressed data. expected_event_values = { 'body': 'a' * 692, 'date_time': '2017-02-06 16:24:32.564585', 'data_type': 'systemd:journal', 'hostname': 'test-VirtualBox', 'pid': '22921', 'reporter': 'root'} self.CheckEventValues(storage_writer, events[2098], expected_event_values)
def testParseDirty(self): """Tests the Parse function on a 'dirty' journal file.""" storage_writer = self._CreateStorageWriter() parser_mediator = self._CreateParserMediator(storage_writer) parser = systemd_journal.SystemdJournalParser() path_segments = [ 'systemd', 'journal', '*****@*****.**' ] file_entry = self._GetTestFileEntry(path_segments) file_object = file_entry.GetFileObject() parser.ParseFileObject(parser_mediator, file_object) number_of_events = storage_writer.GetNumberOfAttributeContainers( 'event') self.assertEqual(number_of_events, 2211) number_of_warnings = storage_writer.GetNumberOfAttributeContainers( 'extraction_warning') self.assertEqual(number_of_warnings, 1) number_of_warnings = storage_writer.GetNumberOfAttributeContainers( 'recovery_warning') self.assertEqual(number_of_warnings, 0) events = list(storage_writer.GetEvents()) expected_event_values = { 'body': ('Runtime journal (/run/log/journal/) is 1.2M, max 9.9M, 8.6M ' 'free.'), 'date_time': '2016-10-24 13:20:01.063423', 'data_type': 'systemd:journal', 'hostname': 'test-VirtualBox', 'pid': '569', 'reporter': 'systemd-journald' } self.CheckEventValues(storage_writer, events[0], expected_event_values) generator = storage_writer.GetAttributeContainers( warnings.ExtractionWarning.CONTAINER_TYPE) test_warnings = list(generator) test_warning = test_warnings[0] self.assertIsNotNone(test_warning) expected_message = ( 'Unable to parse journal entry at offset: 0x0041bfb0 with error: ' 'object offset should be after hash tables (0 < 2527472)') self.assertEqual(test_warning.message, expected_message)
def testParseLZ4(self): """Tests the Parse function on a journal with LZ4 compressed events.""" parser = systemd_journal.SystemdJournalParser() storage_writer = self._ParseFile( ['systemd', 'journal', 'system.journal.lz4'], parser) number_of_events = storage_writer.GetNumberOfAttributeContainers( 'event') self.assertEqual(number_of_events, 85) number_of_warnings = storage_writer.GetNumberOfAttributeContainers( 'extraction_warning') self.assertEqual(number_of_warnings, 0) number_of_warnings = storage_writer.GetNumberOfAttributeContainers( 'recovery_warning') self.assertEqual(number_of_warnings, 0) events = list(storage_writer.GetEvents()) expected_event_values = { 'body': 'Reached target Paths.', 'date_time': '2018-07-03 15:00:16.682340', 'data_type': 'systemd:journal', 'hostname': 'testlol', 'pid': '822', 'reporter': 'systemd' } self.CheckEventValues(storage_writer, events[0], expected_event_values) # Test an event with LZ4 compressed data. # The text used in the test message was triplicated to make it long enough # to trigger the LZ4 compression. # Source: https://github.com/systemd/systemd/issues/6237 expected_body_parts = [' textual user names.'] expected_body_parts.extend(( ' Yes, as you found out 0day is not a valid username. I wonder which ' 'tool permitted you to create it in the first place. Note that not ' 'permitting numeric first characters is done on purpose: to avoid ' 'ambiguities between numeric UID and textual user names.') * 3) expected_body = ''.join(expected_body_parts) expected_event_values = { 'body': expected_body, 'date_time': '2018-07-03 15:19:04.667807', 'data_type': 'systemd:journal', 'hostname': 'testlol', 'pid': '34757', 'reporter': 'test' } self.CheckEventValues(storage_writer, events[84], expected_event_values)
def testParseDirty(self): """Tests the Parse function on a 'dirty' journal file.""" storage_writer = self._CreateStorageWriter() parser_mediator = self._CreateParserMediator(storage_writer) parser = systemd_journal.SystemdJournalParser() path_segments = [ u'systemd', u'journal', u'*****@*****.**' ] file_entry = self._GetTestFileEntry(path_segments) file_object = file_entry.GetFileObject() with self.assertRaisesRegexp( errors.ParseError, ur'object offset should be after hash tables \([0-9]+ < [0-9]+\)' ): parser.ParseFileObject(parser_mediator, file_object)
def testParseDirty(self): """Tests the Parse function on a 'dirty' journal file.""" storage_writer = self._CreateStorageWriter() parser_mediator = self._CreateParserMediator(storage_writer) parser = systemd_journal.SystemdJournalParser() path_segments = [ 'systemd', 'journal', '*****@*****.**' ] file_entry = self._GetTestFileEntry(path_segments) file_object = file_entry.GetFileObject() parser.ParseFileObject(parser_mediator, file_object) self.assertEqual(storage_writer.number_of_events, 2211) events = list(storage_writer.GetEvents()) event = events[0] expected_timestamp = timelib.Timestamp.CopyFromString( '2016-10-24 13:20:01.063423') self.assertEqual(event.timestamp, expected_timestamp) expected_message = ( 'test-VirtualBox [systemd-journald, pid: 569] Runtime journal ' '(/run/log/journal/) is 1.2M, max 9.9M, 8.6M free.') expected_short_message = '{0:s}...'.format(expected_message[:77]) self._TestGetMessageStrings(event, expected_message, expected_short_message) self.assertEqual(storage_writer.number_of_errors, 1) errors = list(storage_writer.GetErrors()) error = errors[0] expected_error_message = ( 'Unable to complete parsing journal file: ' 'object offset should be after hash tables (4308912 < 2527472) at ' 'offset 0x0041bfb0') self.assertEqual(error.message, expected_error_message)
def testParseDirty(self): """Tests the Parse function on a 'dirty' journal file.""" storage_writer = self._CreateStorageWriter() parser_mediator = self._CreateParserMediator(storage_writer) parser = systemd_journal.SystemdJournalParser() path_segments = [ 'systemd', 'journal', '*****@*****.**' ] file_entry = self._GetTestFileEntry(path_segments) file_object = file_entry.GetFileObject() parser.ParseFileObject(parser_mediator, file_object) self.assertEqual(storage_writer.number_of_warnings, 1) self.assertEqual(storage_writer.number_of_events, 2211) events = list(storage_writer.GetEvents()) event = events[0] self.CheckTimestamp(event.timestamp, '2016-10-24 13:20:01.063423') event_data = self._GetEventDataOfEvent(storage_writer, event) expected_message = ( 'test-VirtualBox [systemd-journald, pid: 569] Runtime journal ' '(/run/log/journal/) is 1.2M, max 9.9M, 8.6M free.') expected_short_message = '{0:s}...'.format(expected_message[:77]) self._TestGetMessageStrings(event_data, expected_message, expected_short_message) self.assertEqual(storage_writer.number_of_warnings, 1) warnings = list(storage_writer.GetWarnings()) warning = warnings[0] expected_warning_message = ( 'Unable to parse journal entry at offset: 0x0041bfb0 with error: ' 'object offset should be after hash tables (0 < 2527472)') self.assertEqual(warning.message, expected_warning_message)