def testWriteEventBody(self):
"""Tests the WriteEventBody function."""
formatters_manager.FormattersManager.RegisterFormatter(
TestEventFormatter)
output_mediator = self._CreateOutputMediator()
output_writer = cli_test_lib.TestOutputWriter()
output_module = dynamic.DynamicOutputModule(output_mediator)
output_module.SetFields([
'date', 'time', 'timezone', 'macb', 'source', 'sourcetype', 'type',
'user', 'host', 'message_short', 'message', 'filename', 'inode',
'notes', 'format', 'extra'
])
output_module.SetOutputWriter(output_writer)
output_module.WriteHeader()
expected_header = (
'date,time,timezone,macb,source,sourcetype,type,user,host,'
'message_short,message,filename,inode,notes,format,extra\n')
header = output_writer.ReadOutput()
self.assertEqual(header, expected_header)
event, event_data = containers_test_lib.CreateEventFromValues(
self._TEST_EVENTS[0])
output_module.WriteEventBody(event, event_data, None)
expected_event_body = (
'2012-06-27,18:17:01,UTC,..C.,LOG,Syslog,Metadata Modification Time,-,'
'ubuntu,Reporter <CRON> PID: 8442 (pam_unix(cron:session): session '
'closed for user root),Reporter <CRON> PID: 8442 '
'(pam_unix(cron:session): session closed for user root),log/syslog.1'
',-,-,-,-\n')
event_body = output_writer.ReadOutput()
self.assertEqual(event_body, expected_event_body)
output_mediator = self._CreateOutputMediator()
output_writer = cli_test_lib.TestOutputWriter()
output_module = dynamic.DynamicOutputModule(output_mediator)
output_module.SetFields(
['datetime', 'nonsense', 'hostname', 'message'])
output_module.SetOutputWriter(output_writer)
expected_header = 'datetime,nonsense,hostname,message\n'
output_module.WriteHeader()
header = output_writer.ReadOutput()
self.assertEqual(header, expected_header)
expected_event_body = (
'2012-06-27T18:17:01+00:00,-,ubuntu,Reporter <CRON> PID: 8442'
' (pam_unix(cron:session): session closed for user root)\n')
event, event_data = containers_test_lib.CreateEventFromValues(
self._TEST_EVENTS[0])
output_module.WriteEventBody(event, event_data, None)
event_body = output_writer.ReadOutput()
self.assertEqual(event_body, expected_event_body)
formatters_manager.FormattersManager.DeregisterFormatter(
TestEventFormatter)
def testFormatDate(self):
"""Tests the _FormatDate function."""
output_mediator = self._CreateOutputMediator()
formatting_helper = dynamic.DynamicFieldFormattingHelper(
output_mediator)
# Test with event.date_time
event, event_data, event_data_stream = (
containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0]))
date_string = formatting_helper._FormatDate(event, event_data,
event_data_stream)
self.assertEqual(date_string, '2012-06-27')
output_mediator.SetTimeZone('Australia/Sydney')
date_string = formatting_helper._FormatDate(event, event_data,
event_data_stream)
self.assertEqual(date_string, '2012-06-28')
output_mediator.SetTimeZone('UTC')
event, event_data, event_data_stream = (
containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[1]))
event.date_time._time_zone_offset = 600
date_string = formatting_helper._FormatDate(event, event_data,
event_data_stream)
self.assertEqual(date_string, '2012-06-27')
# Test with event.is_local_time
event, event_data, event_data_stream = (
containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0]))
event.timestamp += 600 * 60 * 1000000
event.date_time.is_local_time = True
date_string = formatting_helper._FormatDate(event, event_data,
event_data_stream)
self.assertEqual(date_string, '2012-06-28')
# Test with event.timestamp
event, event_data, event_data_stream = (
containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0]))
event.date_time = None
date_string = formatting_helper._FormatDate(event, event_data,
event_data_stream)
self.assertEqual(date_string, '2012-06-27')
event.timestamp = 0
date_string = formatting_helper._FormatDate(event, event_data,
event_data_stream)
self.assertEqual(date_string, '0000-00-00')
event.timestamp = -9223372036854775808
date_string = formatting_helper._FormatDate(event, event_data,
event_data_stream)
self.assertEqual(date_string, '0000-00-00')
def testFormatTime(self):
"""Tests the _FormatTime function."""
output_mediator = self._CreateOutputMediator()
test_helper = formatting_helper.FieldFormattingHelper(output_mediator)
# Test with event.date_time
event, event_data, event_data_stream = (
containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0]))
time_string = test_helper._FormatTime(event, event_data,
event_data_stream)
self.assertEqual(time_string, '18:17:01')
output_mediator.SetTimeZone('Europe/Amsterdam')
time_string = test_helper._FormatTime(event, event_data,
event_data_stream)
self.assertEqual(time_string, '20:17:01')
output_mediator.SetTimeZone('UTC')
event, event_data, event_data_stream = (
containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[1]))
event.date_time._time_zone_offset = 120
time_string = test_helper._FormatTime(event, event_data,
event_data_stream)
self.assertEqual(time_string, '18:17:01')
# Test with event.is_local_time
event, event_data, event_data_stream = (
containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0]))
event.timestamp -= 120 * 60 * 1000000
event.date_time.is_local_time = True
time_string = test_helper._FormatTime(event, event_data,
event_data_stream)
self.assertEqual(time_string, '16:17:01')
# Test with event.timestamp
event, event_data, event_data_stream = (
containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0]))
event.date_time = None
time_string = test_helper._FormatTime(event, event_data,
event_data_stream)
self.assertEqual(time_string, '18:17:01')
event.timestamp = 0
time_string = test_helper._FormatTime(event, event_data,
event_data_stream)
self.assertEqual(time_string, '--:--:--')
event.timestamp = -9223372036854775808
time_string = test_helper._FormatTime(event, event_data,
event_data_stream)
self.assertEqual(time_string, '--:--:--')
def testPushEvents(self):
"""Tests the PushEvents function."""
event_heap = event_heaps.EventHeap()
self.assertEqual(len(event_heap._heap), 0)
event1, _ = containers_test_lib.CreateEventFromValues(
self._TEST_EVENTS[0])
event2, _ = containers_test_lib.CreateEventFromValues(
self._TEST_EVENTS[1])
event_heap.PushEvents([event1, event2])
self.assertEqual(len(event_heap._heap), 2)
def testFormatTime(self):
"""Tests the _FormatTime function."""
output_mediator = self._CreateOutputMediator()
test_helper = formatting_helper.FieldFormattingHelper(output_mediator)
event, event_data, event_data_stream = (
containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0]))
# Test with event.date_time
time_string = test_helper._FormatTime(event, event_data,
event_data_stream)
self.assertEqual(time_string, '18:17:01')
# Test with event.timestamp
event.date_time = None
time_string = test_helper._FormatTime(event, event_data,
event_data_stream)
self.assertEqual(time_string, '18:17:01')
event.timestamp = 0
time_string = test_helper._FormatTime(event, event_data,
event_data_stream)
self.assertEqual(time_string, '--:--:--')
event.timestamp = -9223372036854775808
time_string = test_helper._FormatTime(event, event_data,
event_data_stream)
self.assertEqual(time_string, '--:--:--')
def testWriteEventBody(self):
"""Tests the WriteEventBody function."""
event, event_data, event_data_stream = (
containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0]))
formatters_manager.FormattersManager.RegisterFormatter(
formatters_test_lib.TestEventFormatter)
try:
self._output_module.WriteEventBody(event, event_data,
event_data_stream,
event_data_stream)
finally:
formatters_manager.FormattersManager.DeregisterFormatter(
formatters_test_lib.TestEventFormatter)
expected_event_body = (
'1340821021|FILE|ubuntu|root|2012-06-27T18:17:01+00:00; Unknown Time; '
'Reporter <CRON> PID: 8442 (pam_unix(cron:session): '
'session closed for user root)'
'|UTC|File: OS: /var/log/syslog.1 inode: 12345678\n')
event_body = self._output_writer.ReadOutput()
self.assertEqual(event_body, expected_event_body)
self.assertEqual(event_body.count('|'), 6)
def testGetMACBRepresentation(self):
"""Tests the GetMACBRepresentation function."""
event, event_data = containers_test_lib.CreateEventFromValues(
self._TEST_EVENTS[0])
macb_representation = self._output_mediator.GetMACBRepresentation(
event, event_data)
self.assertEqual(macb_representation, '..C.')
def testGetOutputValues(self):
"""Tests the _GetOutputValues function."""
formatters_manager.FormattersManager.RegisterFormatter(
L2TTestEventFormatter)
expected_output_values = [
'06/27/2012', '18:17:01', 'UTC', '....', 'LOG', 'Syslog', '-', '-',
'ubuntu',
('Reporter <CRON> PID: 8442 (pam_unix(cron:session): session closed '
'for user root)'),
('Reporter <CRON> PID: 8442 (pam_unix(cron:session): session closed '
'for user root)'), '2', 'log/syslog.1', '-', '-', '-',
'a_binary_field: binary; my_number: 123; some_additional_foo: True'
]
event, event_data = containers_test_lib.CreateEventFromValues(
self._TEST_EVENTS[0])
output_values = self._formatter._GetOutputValues(
event, event_data, None)
self.assertEqual(len(output_values), 17)
self.assertEqual(output_values, expected_output_values)
event.timestamp = -9223372036854775808
output_values = self._formatter._GetOutputValues(
event, event_data, None)
self.assertEqual(len(output_values), 17)
expected_output_values[0] = '00/00/0000'
expected_output_values[1] = '--:--:--'
self.assertEqual(output_values, expected_output_values)
formatters_manager.FormattersManager.DeregisterFormatter(
L2TTestEventFormatter)
def testWriteEventBody(self):
"""Tests the WriteEventBody function."""
test_file_object = io.StringIO()
output_mediator = self._CreateOutputMediator()
formatters_directory_path = self._GetTestFilePath(['formatters'])
output_mediator.ReadMessageFormattersFromDirectory(
formatters_directory_path)
output_module = l2t_csv.L2TCSVOutputModule(output_mediator)
output_module._file_object = test_file_object
event, event_data, event_data_stream = (
containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0]))
event_tag = events.EventTag()
event_tag.AddLabels(['Malware', 'Printed'])
output_module.WriteEventBody(
event, event_data, event_data_stream, event_tag)
expected_event_body = (
'06/27/2012,18:17:01,UTC,M...,FILE,Test log file,Content Modification '
'Time,-,ubuntu,Reporter <CRON> PID: 8442 (pam_unix(cron:session): '
'session closed for user root),Reporter <CRON> PID: 8442 '
'(pam_unix(cron:session): session closed for user root),'
'2,FAKE:log/syslog.1,-,Malware Printed,test_parser,a_binary_field: '
'binary; my_number: 123; some_additional_foo: True\n')
event_body = test_file_object.getvalue()
self.assertEqual(event_body, expected_event_body)
# Ensure that the only commas returned are the 16 delimiters.
self.assertEqual(event_body.count(','), 16)
def testInsertEvent(self):
"""Tests the _InsertEvent function."""
event, event_data, event_data_stream = (
containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0]))
output_mediator = self._CreateOutputMediator()
formatters_directory_path = self._GetDataFilePath(['formatters'])
output_mediator.ReadMessageFormattersFromDirectory(
formatters_directory_path)
output_module = TestElasticsearchOutputModule(output_mediator)
output_module._Connect()
output_module._CreateIndexIfNotExists('test', {})
self.assertEqual(len(output_module._event_documents), 0)
self.assertEqual(output_module._number_of_buffered_events, 0)
output_module._InsertEvent(event, event_data, event_data_stream, None)
self.assertEqual(len(output_module._event_documents), 2)
self.assertEqual(output_module._number_of_buffered_events, 1)
output_module._InsertEvent(event, event_data, event_data_stream, None)
self.assertEqual(len(output_module._event_documents), 4)
self.assertEqual(output_module._number_of_buffered_events, 2)
output_module._FlushEvents()
self.assertEqual(len(output_module._event_documents), 0)
self.assertEqual(output_module._number_of_buffered_events, 0)
def testInsertEvent(self):
"""Tests the _InsertEvent function."""
event, event_data = containers_test_lib.CreateEventFromValues(
self._TEST_EVENTS[0])
output_mediator = self._CreateOutputMediator()
output_module = TestElasticsearchOutputModule(output_mediator)
output_module._Connect()
output_module._CreateIndexIfNotExists('test', {})
self.assertEqual(len(output_module._event_documents), 0)
self.assertEqual(output_module._number_of_buffered_events, 0)
output_module._InsertEvent(event, event_data, None)
self.assertEqual(len(output_module._event_documents), 2)
self.assertEqual(output_module._number_of_buffered_events, 1)
output_module._InsertEvent(event, event_data, None)
self.assertEqual(len(output_module._event_documents), 4)
self.assertEqual(output_module._number_of_buffered_events, 2)
output_module._FlushEvents()
self.assertEqual(len(output_module._event_documents), 0)
self.assertEqual(output_module._number_of_buffered_events, 0)
def testWriteEventBody(self):
"""Tests the WriteEventBody function."""
test_file_object = io.StringIO()
output_mediator = self._CreateOutputMediator()
formatters_directory_path = self._GetTestFilePath(['formatters'])
output_mediator.ReadMessageFormattersFromDirectory(
formatters_directory_path)
output_module = tln.L2TTLNOutputModule(output_mediator)
output_module._file_object = test_file_object
event, event_data, event_data_stream = (
containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0]))
output_module.WriteEventBody(
event, event_data, event_data_stream, event_data_stream)
expected_event_body = (
'1340821021|FILE|ubuntu|root|2012-06-27T18:17:01.000000+00:00; '
'Unknown Time; '
'Reporter <CRON> PID: 8442 (pam_unix(cron:session): '
'session closed for user root)'
'|UTC|File: OS: /var/log/syslog.1 inode: 12345678\n')
event_body = test_file_object.getvalue()
self.assertEqual(event_body, expected_event_body)
self.assertEqual(event_body.count('|'), 6)
def testFormatDate(self):
"""Tests the _FormatDate function."""
output_mediator = self._CreateOutputMediator()
formatting_helper = dynamic.DynamicFieldFormattingHelper(
output_mediator)
event, event_data, event_data_stream = (
containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0]))
# Test with event.date_time
date_string = formatting_helper._FormatDate(event, event_data,
event_data_stream)
self.assertEqual(date_string, '2012-06-27')
# Test with event.timestamp
event.date_time = None
date_string = formatting_helper._FormatDate(event, event_data,
event_data_stream)
self.assertEqual(date_string, '2012-06-27')
event.timestamp = 0
date_string = formatting_helper._FormatDate(event, event_data,
event_data_stream)
self.assertEqual(date_string, '0000-00-00')
event.timestamp = -9223372036854775808
date_string = formatting_helper._FormatDate(event, event_data,
event_data_stream)
self.assertEqual(date_string, '0000-00-00')
def testWriteEventBody(self):
"""Tests the WriteEventBody function."""
formatters_manager.FormattersManager.RegisterFormatter(
L2TTestEventFormatter)
event, event_data = containers_test_lib.CreateEventFromValues(
self._TEST_EVENTS[0])
event_tag = events.EventTag()
event_tag.AddLabels(['Malware', 'Printed'])
self._formatter.WriteEventBody(event, event_data, event_tag)
expected_event_body = (
'06/27/2012,18:17:01,UTC,M...,LOG,Syslog,Content Modification Time,-,'
'ubuntu,Reporter <CRON> PID: 8442 (pam_unix(cron:session): session '
'closed for user root),Reporter <CRON> PID: 8442 '
'(pam_unix(cron:session): session closed for user root),'
'2,log/syslog.1,-,Malware Printed,'
'-,a_binary_field: binary; my_number: 123; some_additional_foo: True\n'
)
event_body = self._output_writer.ReadOutput()
self.assertEqual(event_body, expected_event_body)
# Ensure that the only commas returned are the 16 delimiters.
self.assertEqual(event_body.count(','), 16)
formatters_manager.FormattersManager.DeregisterFormatter(
L2TTestEventFormatter)
def testGetUsername(self):
"""Tests the GetUsername function."""
output_mediator = mediator.OutputMediator(self._knowledge_base, None)
_, event_data, _ = containers_test_lib.CreateEventFromValues(
self._TEST_EVENTS[0])
username = output_mediator.GetUsername(event_data)
self.assertEqual(username, 'root')
def testFormatMACB(self):
"""Tests the _FormatMACB function."""
output_mediator = self._CreateOutputMediator()
test_helper = formatting_helper.FieldFormattingHelper(output_mediator)
event, event_data, event_data_stream = (
containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0]))
macb_string = test_helper._FormatMACB(event, event_data, event_data_stream)
self.assertEqual(macb_string, '..C.')
def testMatches(self):
"""Tests the Matches function."""
event, event_data = containers_test_lib.CreateEventFromValues(
self._TEST_EVENTS[0])
filter_object = filters.IdentityFilter()
result = filter_object.Matches(event, event_data, None)
self.assertTrue(result)
def testGetMACBRepresentation(self):
"""Tests the GetMACBRepresentation function."""
output_mediator = mediator.OutputMediator(self._knowledge_base, None)
event, event_data, _ = containers_test_lib.CreateEventFromValues(
self._TEST_EVENTS[0])
macb_representation = output_mediator.GetMACBRepresentation(
event, event_data)
self.assertEqual(macb_representation, '..C.')
def testFormatInode(self):
"""Tests the _FormatInode function."""
output_mediator = self._CreateOutputMediator()
dynamic_fields_helper = dynamic.DynamicFieldsHelper(output_mediator)
event, event_data = containers_test_lib.CreateEventFromValues(
self._TEST_EVENTS[0])
inode_string = dynamic_fields_helper._FormatInode(event, event_data)
self.assertEqual(inode_string, '-')
def testGetSanitizedEventValues(self):
"""Tests the _GetSanitizedEventValues function."""
output_mediator = self._CreateOutputMediator()
formatters_directory_path = self._GetDataFilePath(['formatters'])
output_mediator.ReadMessageFormattersFromDirectory(
formatters_directory_path)
output_module = TestElasticsearchOutputModule(output_mediator)
event, event_data, event_data_stream = (
containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0]))
event_tag = events.EventTag()
event_tag.AddLabel('Test')
event_values = output_module._GetSanitizedEventValues(
event, event_data, event_data_stream, event_tag)
expected_event_values = {
'a_binary_field':
'binary',
'data_type':
'syslog:line',
'datetime':
'2012-06-27T18:17:01.000000Z',
'display_name':
'FAKE:log/syslog.1',
'filename':
'log/syslog.1',
'hostname':
'ubuntu',
'message':
'[',
'my_number':
123,
'path_spec':
('{"__type__": "PathSpec", "location": "log/syslog.1", '
'"type_indicator": "FAKE"}'),
'some_additional_foo':
True,
'source_long':
'Log File',
'source_short':
'LOG',
'tag': ['Test'],
'text': ('Reporter <CRON> PID: 8442 (pam_unix(cron:session): '
'session\n closed for user root)'),
'timestamp':
1340821021000000,
'timestamp_desc':
'Content Modification Time',
}
self.assertIsInstance(event_values, dict)
self.assertEqual(event_values, expected_event_values)
def testFormatType(self):
"""Tests the _FormatType function."""
output_mediator = self._CreateOutputMediator()
formatting_helper = l2t_csv.L2TCSVFieldFormattingHelper(output_mediator)
event, event_data, event_data_stream = (
containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0]))
type_string = formatting_helper._FormatType(
event, event_data, event_data_stream)
self.assertEqual(type_string, 'Content Modification Time')
def testFormatFilename(self):
"""Tests the _FormatFilename function."""
output_mediator = self._CreateOutputMediator()
test_helper = formatting_helper.FieldFormattingHelper(output_mediator)
event, event_data, event_data_stream = (
containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0]))
filename_string = test_helper._FormatFilename(event, event_data,
event_data_stream)
self.assertEqual(filename_string, 'log/syslog.1')
def testFormatVersion(self):
"""Tests the _FormatVersion function."""
output_mediator = self._CreateOutputMediator()
formatting_helper = l2t_csv.L2TCSVFieldFormattingHelper(output_mediator)
event, event_data, event_data_stream = (
containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0]))
version_string = formatting_helper._FormatVersion(
event, event_data, event_data_stream)
self.assertEqual(version_string, '2')
def testFormatDateTime(self):
"""Tests the _FormatDateTime function with dynamic time."""
output_mediator = self._CreateOutputMediator(dynamic_time=True)
test_helper = formatting_helper.FieldFormattingHelper(output_mediator)
event, event_data, event_data_stream = (
containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0]))
date_time_string = test_helper._FormatDateTime(event, event_data,
event_data_stream)
self.assertEqual(date_time_string, '2012-06-27T18:17:01.000000+00:00')
output_mediator.SetTimeZone('Europe/Amsterdam')
date_time_string = test_helper._FormatDateTime(event, event_data,
event_data_stream)
self.assertEqual(date_time_string, '2012-06-27T20:17:01.000000+02:00')
output_mediator.SetTimeZone('UTC')
event, event_data, event_data_stream = (
containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[1]))
event.date_time._time_zone_offset = 120
date_time_string = test_helper._FormatDateTime(event, event_data,
event_data_stream)
self.assertEqual(date_time_string, '2012-06-27T18:17:01.000000+00:00')
event.date_time = dfdatetime_semantic_time.InvalidTime()
date_time_string = test_helper._FormatDateTime(event, event_data,
event_data_stream)
self.assertEqual(date_time_string, 'Invalid')
# Test with event.is_local_time
event, event_data, event_data_stream = (
containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0]))
event.timestamp -= 120 * 60 * 1000000
event.date_time.is_local_time = True
date_time_string = test_helper._FormatDateTime(event, event_data,
event_data_stream)
self.assertEqual(date_time_string, '2012-06-27T16:17:01.000000+00:00')
def testGetFormattedField(self):
"""Tests the GetFormattedField function."""
output_mediator = self._CreateOutputMediator()
dynamic_fields_helper = dynamic.DynamicFieldsHelper(output_mediator)
event, event_data = containers_test_lib.CreateEventFromValues(
self._TEST_EVENTS[0])
zone_string = dynamic_fields_helper.GetFormattedField(
event, event_data, None, 'zone')
self.assertEqual(zone_string, 'UTC')
def testGetFormattedField(self):
"""Tests the GetFormattedField function."""
output_mediator = self._CreateOutputMediator()
test_helper = TestFieldFormattingHelper(output_mediator)
event, event_data, event_data_stream = (
containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0]))
zone_string = test_helper.GetFormattedField('zone', event, event_data,
event_data_stream, None)
self.assertEqual(zone_string, 'UTC')
def testPushEvent(self):
"""Tests the PushEvent function."""
test_heap = event_heap.EventHeap()
self.assertEqual(len(test_heap._heap), 0)
event, _, _ = containers_test_lib.CreateEventFromValues(
self._TEST_EVENTS[0])
test_heap.PushEvent(event, 0)
self.assertEqual(len(test_heap._heap), 1)
def test_FormatTimestamp(self):
"""Tests the __FormatTimestamp function."""
output_mediator = self._CreateOutputMediator()
formatting_helper = tln.TLNFieldFormattingHelper(output_mediator)
event, event_data, event_data_stream = (
containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0]))
timestamp_string = formatting_helper._FormatTimestamp(
event, event_data, event_data_stream)
self.assertEqual(timestamp_string, '1340821021')
def testPushEvent(self):
"""Tests the PushEvent function."""
event_heap = psort.PsortEventHeap()
self.assertEqual(len(event_heap._heap), 0)
event, event_data, event_data_stream = (
containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0]))
event_heap.PushEvent(event, event_data, event_data_stream)
self.assertEqual(len(event_heap._heap), 1)
def testParseWithEvents(self):
"""Tests the Parse function with events."""
event, event_data, _ = containers_test_lib.CreateEventFromValues(
self._TEST_EVENTS[0])
event_tag = events.EventTag()
event_tag.AddLabel('browser_search')
self._CheckIfExpressionMatches('filename contains \'GoodFella\'',
event, event_data, None, event_tag,
True)
# Test timestamp filtering.
self._CheckIfExpressionMatches('timestamp >= \'2015-11-18\'', event,
event_data, None, event_tag, True)
self._CheckIfExpressionMatches('timestamp < \'2015-11-19\'', event,
event_data, None, event_tag, True)
expression = ('timestamp < \'2015-11-18T01:15:44.341\' and '
'timestamp > \'2015-11-18 01:15:42\'')
self._CheckIfExpressionMatches(expression, event, event_data, None,
event_tag, True)
self._CheckIfExpressionMatches('timestamp > \'2015-11-19\'', event,
event_data, None, event_tag, False)
# Perform few attribute tests.
self._CheckIfExpressionMatches('filename not contains \'sometext\'',
event, event_data, None, event_tag,
True)
expression = (
'timestamp_desc CONTAINS \'written\' AND timestamp > \'2015-11-18\' '
'AND timestamp < \'2015-11-25 12:56:21\'')
self._CheckIfExpressionMatches(expression, event, event_data, None,
event_tag, True)
self._CheckIfExpressionMatches('parser is not \'Made\'', event,
event_data, None, event_tag, True)
self._CheckIfExpressionMatches('parser is not \'Weirdo\'', event,
event_data, None, event_tag, False)
self._CheckIfExpressionMatches('tag contains \'browser_search\'',
event, event_data, None, event_tag,
True)
# Test multiple attributes.
self._CheckIfExpressionMatches(
'text iregexp \'bad, bad thing [a-zA-Z\\\\s.]+ evil\'', event,
event_data, None, event_tag, True)
