def testTimeSeries(self):
"""Check that timeseries sort events by timestamps."""
path = "/C.1/time series 1"
fd = aff4.FACTORY.Create(path, timeline.GRRTimeSeries, token=self.token)
# Make up some random events in random time order.
now = int(time.time() * 1000000)
times = [random.randint(0, 1000) * 1000000 + now for _ in range(100)]
for t in times:
event = timeline.Event(timestamp=t)
event.stat.st_mtime = t / 1000000
event.stat.pathspec.path = time.ctime(t / 1000000)
fd.AddEvent(event)
fd.Close()
# Now read back the events and make sure they are in time order.
times.sort()
fd = aff4.FACTORY.Open(path, token=self.token)
count = 0
for t, event in zip(times, fd):
self.assertEqual(event.timestamp, t)
count += 1
self.assertGreater(fd.Get(fd.Schema.SIZE), 0)
self.assertEqual(count, len(times))
def CreateTimeline(self):
"""Populate the timeline with the MAC data."""
child_urns = self._ListVFSChildren([self.state.urn])
attribute = aff4.Attribute.GetAttributeByName("stat")
with aff4.FACTORY.Create(self.runner.output_urn,
timeline.GRRTimeSeries,
token=self.token) as timeseries:
for subject, values in data_store.DB.MultiResolvePrefix(
child_urns,
attribute.predicate,
token=self.token,
limit=10000000):
for _, serialized, _ in values:
stat = rdf_client.StatEntry(serialized)
event = timeline.Event(source=utils.SmartUnicode(subject),
stat=stat)
# Add a new event for each MAC time if it exists.
for c in "mac":
timestamp = getattr(stat, "st_%stime" % c)
if timestamp is not None:
event.timestamp = timestamp * 1000000
event.type = "file.%stime" % c
# We are taking about the file which is a direct child of the
# source.
event.subject = utils.SmartUnicode(subject)
timeseries.AddEvent(event)
def testTimeSeriesQuery(self):
"""Check that we can filter by query string."""
path = "/C.1/time series 2"
fd = aff4.FACTORY.Create(path,
timeline.GRRTimeSeries,
token=self.token)
times = [1321533293629468, 1321633293629468, 1321733293629468]
for t in times:
event = timeline.Event(timestamp=t)
event.stat.st_mtime = t / 1000000
event.stat.pathspec.path = time.strftime("Path @ %a %b %d %T %Y",
time.gmtime(t / 1000000))
fd.AddEvent(event)
fd.Close()
fd = aff4.FACTORY.Open(path, token=self.token)
# Check that we can filter the events
results = list(fd.Query("timestamp > 2000"))
self.assertEqual(len(results), 3)
# Match by timestamp
results = list(
fd.Query("timestamp >= 2011/11/18 and timestamp < 2011/11/19"))
self.assertEqual(len(results), 1)
self.assertEqual(results[0].event.timestamp, 1321633293629468)
# Test if <= works as expected.
results = list(
fd.Query("timestamp >= 2011/11/18 and timestamp <= 2011/11/19"))
self.assertEqual(len(results), 2)
# Match within the embedded stat protobuf
results = list(
fd.Query(
"event.stat.st_mtime >= 2011/11/18 and event.stat.st_mtime < 2011/11/19"
))
self.assertEqual(len(results), 1)
self.assertEqual(results[0].event.timestamp, 1321633293629468)
# Match a string deeply nested in protobufs
results = list(fd.Query("event.stat.pathspec.path contains Fri"))
self.assertEqual(len(results), 1)
self.assertEqual(results[0].event.timestamp, 1321633293629468)