def GetMessages(self, formatter_mediator, event_data):
"""Determines the formatted message strings for the event data.
Args:
formatter_mediator (FormatterMediator): mediates the interactions
between formatters and other components, such as storage and Windows
EventLog resources.
event_data (EventData): event data.
Returns:
tuple(str, str): formatted message string and short message string.
Raises:
WrongFormatter: if the event data cannot be formatted by the formatter.
"""
if self.DATA_TYPE != event_data.data_type:
raise errors.WrongFormatter('Unsupported data type: {0:s}.'.format(
event_data.data_type))
event_values = event_data.CopyToDict()
file_reference = event_values.get('file_reference', None)
if file_reference:
event_values['file_reference'] = '{0:d}-{1:d}'.format(
file_reference & 0xffffffffffff, file_reference >> 48)
parent_file_reference = event_values.get('parent_file_reference', None)
if parent_file_reference:
event_values['parent_file_reference'] = '{0:d}-{1:d}'.format(
parent_file_reference & 0xffffffffffff,
parent_file_reference >> 48)
update_reason_flags = event_values.get('update_reason_flags', 0)
update_reasons = []
for bitmask, description in sorted(self._USN_REASON_FLAGS.items()):
if bitmask & update_reason_flags:
update_reasons.append(description)
event_values['update_reason'] = ', '.join(update_reasons)
update_source_flags = event_values.get('update_source_flags', 0)
update_sources = []
for bitmask, description in sorted(self._USN_SOURCE_FLAGS.items()):
if bitmask & update_source_flags:
update_sources.append(description)
event_values['update_source'] = ', '.join(update_sources)
return self._ConditionalFormatMessages(event_values)
def GetMessages(self, formatter_mediator, event_object):
"""Determines the formatted message strings for an event object.
Args:
formatter_mediator: the formatter mediator object (instance of
FormatterMediator).
event_object: the event object (instance of EventObject).
Returns:
A tuple containing the formatted message string and short message string.
Raises:
WrongFormatter: if the event object cannot be formatted by the formatter.
"""
if self.DATA_TYPE != event_object.data_type:
raise errors.WrongFormatter(
u'Unsupported data type: {0:s}.'.format(
event_object.data_type))
event_values = event_object.GetValues()
event_type = event_values.get(u'event_type', None)
if event_type is not None:
event_values[u'event_type'] = self.GetEventTypeString(event_type)
# TODO: add string representation of facility.
severity = event_values.get(u'severity', None)
if severity is not None:
event_values[u'severity'] = self.GetSeverityString(severity)
source_name = event_values.get(u'source_name', None)
message_identifier = event_values.get(u'message_identifier', None)
strings = event_values.get(u'strings', [])
if source_name and message_identifier:
message_string = formatter_mediator.GetWindowsEventMessage(
source_name, message_identifier)
if message_string:
event_values[u'message_string'] = message_string.format(
*strings)
message_strings = []
for string in strings:
message_strings.append(u'\'{0:s}\''.format(string))
message_string = u', '.join(message_strings)
event_values[u'strings'] = u'[{0:s}]'.format(message_string)
return self._ConditionalFormatMessages(event_values)
def GetMessages(self, unused_formatter_mediator, event):
"""Determines the formatted message strings for an event object.
Args:
formatter_mediator (FormatterMediator): mediates the interactions between
formatters and other components, such as storage and Windows EventLog
resources.
event (EventObject): event.
Returns:
tuple(str, str): formatted message string and short message string.
Raises:
WrongFormatter: if the event object cannot be formatted by the formatter.
"""
if self.DATA_TYPE != event.data_type:
raise errors.WrongFormatter('Unsupported data type: {0:s}.'.format(
event.data_type))
event_values = event.CopyToDict()
primary_url = event_values['primary_url']
secondary_url = event_values['secondary_url']
# There is apparently a bug, either in GURL.cc or
# content_settings_pattern.cc where URLs with file:// scheme are stored in
# the URL as an empty string, which is later detected as being Invalid, and
# Chrome produces the following example logs:
# content_settings_pref.cc(469)] Invalid pattern strings: https://a.com:443,
# content_settings_pref.cc(295)] Invalid pattern strings: ,
# content_settings_pref.cc(295)] Invalid pattern strings: ,*
# More research needed, could be related to https://crbug.com/132659
if primary_url == '':
subject = 'local file'
elif primary_url == secondary_url or secondary_url == '*':
subject = primary_url
elif secondary_url == '':
subject = '{0:s} embedded in local file'.format(primary_url)
else:
subject = '{0:s} embedded in {1:s}'.format(primary_url, secondary_url)
event_values['subject'] = subject
return self._ConditionalFormatMessages(event_values)
def GetMessages(self, unused_formatter_mediator, event_object):
"""Determines the formatted message strings for an event object.
Args:
formatter_mediator: the formatter mediator object (instance of
FormatterMediator).
event_object: the event object (instance of EventObject).
Returns:
A tuple containing the formatted message string and short message string.
Raises:
WrongFormatter: if the event object cannot be formatted by the formatter.
"""
if self.DATA_TYPE != event_object.data_type:
raise errors.WrongFormatter(u'Unsupported data type: {0:s}.'.format(
event_object.data_type))
event_values = event_object.GetValues()
file_reference = event_values.get(u'file_reference', None)
if file_reference:
event_values[u'file_reference'] = u'{0:d}-{1:d}'.format(
file_reference & 0xffffffffffff, file_reference >> 48)
parent_file_reference = event_values.get(u'parent_file_reference', None)
if parent_file_reference:
event_values[u'parent_file_reference'] = u'{0:d}-{1:d}'.format(
parent_file_reference & 0xffffffffffff, parent_file_reference >> 48)
update_reason_flags = event_values.get(u'update_reason_flags', 0)
update_reasons = []
for bitmask, description in sorted(self._USN_REASON_FLAGS.items()):
if bitmask & update_reason_flags:
update_reasons.append(description)
event_values[u'update_reason'] = u', '.join(update_reasons)
update_source_flags = event_values.get(u'update_source_flags', 0)
update_sources = []
for bitmask, description in sorted(self._USN_SOURCE_FLAGS.items()):
if bitmask & update_source_flags:
update_sources.append(description)
event_values[u'update_source'] = u', '.join(update_sources)
return self._ConditionalFormatMessages(event_values)
def GetMessages(self, unused_formatter_mediator, event):
"""Determines the formatted message strings for an event object.
Args:
formatter_mediator (FormatterMediator): mediates the interactions between
formatters and other components, such as storage and Windows EventLog
resources.
event (EventObject): event.
Returns:
tuple(str, str): formatted message string and short message string.
Raises:
WrongFormatter: if the event object cannot be formatted by the formatter.
"""
if self.DATA_TYPE != event.data_type:
raise errors.WrongFormatter(
u'Unsupported data type: {0:s}.'.format(event.data_type))
event_values = event.CopyToDict()
event = event_values.get(u'event', None)
if event:
event_values[u'event_map'] = self.EVENT_NAMES.get(
event, u'Unknown')
category = event_values.get(u'cat', None)
if category:
event_values[u'category_map'] = self.CATEGORY_NAMES.get(
category, u'Unknown')
action = event_values.get(u'action0', None)
if action:
event_values[u'action0_map'] = self.ACTION_0_NAMES.get(
action, u'Unknown')
action = event_values.get(u'action1', None)
if action:
event_values[u'action1_map'] = self.ACTION_1_2_NAMES.get(
action, u'Unknown')
action = event_values.get(u'action2', None)
if action:
event_values[u'action2_map'] = self.ACTION_1_2_NAMES.get(
action, u'Unknown')
return self._ConditionalFormatMessages(event_values)
def GetMessages(self, unused_formatter_mediator, event):
"""Determines the formatted message strings for an event object.
Args:
formatter_mediator (FormatterMediator): mediates the interactions between
formatters and other components, such as storage and Windows EventLog
resources.
event (EventObject): event.
Returns:
tuple(str, str): formatted message string and short message string.
Raises:
WrongFormatter: if the event object cannot be formatted by the formatter.
"""
if self.DATA_TYPE != event.data_type:
raise errors.WrongFormatter(
u'Invalid event object - unsupported data type: {0:s}'.format(
event.data_type))
event_values = event.CopyToDict()
number_of_volumes = event_values.get(u'number_of_volumes', 0)
volume_serial_numbers = event_values.get(u'volume_serial_numbers',
None)
volume_device_paths = event_values.get(u'volume_device_paths', None)
volumes_strings = []
for volume_index in range(0, number_of_volumes):
if not volume_serial_numbers:
volume_serial_number = u'UNKNOWN'
else:
volume_serial_number = volume_serial_numbers[volume_index]
if not volume_device_paths:
volume_device_path = u'UNKNOWN'
else:
volume_device_path = volume_device_paths[volume_index]
volumes_strings.append(
(u'volume: {0:d} [serial number: 0x{1:08X}, device path: '
u'{2:s}]').format(volume_index + 1, volume_serial_number,
volume_device_path))
if volumes_strings:
event_values[u'volumes_string'] = u', '.join(volumes_strings)
return self._ConditionalFormatMessages(event_values)
def GetMessages(self, unused_formatter_mediator, event_object):
"""Determines the formatted message strings for an event object.
Args:
formatter_mediator: the formatter mediator object (instance of
FormatterMediator).
event_object: the event object (instance of EventObject).
Returns:
A tuple containing the formatted message string and short message string.
Raises:
WrongFormatter: if the event object cannot be formatted by the formatter.
"""
if self.DATA_TYPE != event_object.data_type:
raise errors.WrongFormatter(
u'Unsupported data type: {0:s}.'.format(
event_object.data_type))
event_values = event_object.GetValues()
event = event_values.get(u'event', None)
if event:
event_values[u'event_map'] = self.EVENT_NAMES.get(
event, u'Unknown')
category = event_values.get(u'cat', None)
if category:
event_values[u'category_map'] = self.CATEGORY_NAMES.get(
category, u'Unknown')
action = event_values.get(u'action0', None)
if action:
event_values[u'action0_map'] = self.ACTION_0_NAMES.get(
action, u'Unknown')
action = event_values.get(u'action1', None)
if action:
event_values[u'action1_map'] = self.ACTION_1_2_NAMES.get(
action, u'Unknown')
action = event_values.get(u'action2', None)
if action:
event_values[u'action2_map'] = self.ACTION_1_2_NAMES.get(
action, u'Unknown')
return self._ConditionalFormatMessages(event_values)
def GetSources(self, event):
"""Determines the the short and long source for an event object.
Args:
event (EventObject): event.
Returns:
tuple(str, str): short and long source string.
Raises:
WrongFormatter: if the event object cannot be formatted by the formatter.
"""
if self.DATA_TYPE != event.data_type:
raise errors.WrongFormatter('Unsupported data type: {0:s}.'.format(
event.data_type))
return self.SOURCE_SHORT, self.SOURCE_LONG
def GetMessages(self, unused_formatter_mediator, event_object):
"""Determines the formatted message strings for an event object.
Args:
formatter_mediator: the formatter mediator object (instance of
FormatterMediator).
event_object: the event object (instance of EventObject).
Returns:
A tuple containing the formatted message string and short message string.
Raises:
WrongFormatter: if the event object cannot be formatted by the formatter.
"""
if self.DATA_TYPE != event_object.data_type:
raise errors.WrongFormatter(
u'Invalid event object - unsupported data type: {0:s}'.format(
event_object.data_type))
event_values = event_object.CopyToDict()
number_of_volumes = event_values.get(u'number_of_volumes', 0)
volume_serial_numbers = event_values.get(u'volume_serial_numbers',
None)
volume_device_paths = event_values.get(u'volume_device_paths', None)
volumes_strings = []
for volume_index in range(0, number_of_volumes):
if not volume_serial_numbers:
volume_serial_number = u'UNKNOWN'
else:
volume_serial_number = volume_serial_numbers[volume_index]
if not volume_device_paths:
volume_device_path = u'UNKNOWN'
else:
volume_device_path = volume_device_paths[volume_index]
volumes_strings.append(
(u'volume: {0:d} [serial number: 0x{1:08X}, device path: '
u'{2:s}]').format(volume_index + 1, volume_serial_number,
volume_device_path))
if volumes_strings:
event_values[u'volumes_string'] = u', '.join(volumes_strings)
return self._ConditionalFormatMessages(event_values)
def GetSources(self, event_object):
"""Returns a list of source short and long messages for the event."""
if self.DATA_TYPE != event_object.data_type:
raise errors.WrongFormatter(
u'Unsupported data type: {0:s}.'.format(
event_object.data_type))
self.source_string = getattr(event_object, 'source_long', None)
if not self.source_string:
registry_type = getattr(event_object, 'registry_type', 'UNKNOWN')
self.source_string = u'{0:s} key'.format(registry_type)
if hasattr(event_object, 'source_append'):
self.source_string += u' {0:s}'.format(event_object.source_append)
return super(WinRegistryGenericFormatter,
self).GetSources(event_object)
def GetMessages(self, event_object):
"""Returns a list of messages extracted from an event object.
Args:
event_object: The event object (EventObject) containing the event
specific data.
Returns:
A list that contains both the longer and shorter version of the message
string.
"""
if self.DATA_TYPE != event_object.data_type:
raise errors.WrongFormatter(u'Unsupported data type: {:s}.'.format(
event_object.data_type))
# Using getattr here to make sure the attribute is not set to None.
# if A.b = None, hasattr(A, b) is True but getattr(A, b, None) is False.
string_pieces = []
for map_index, attribute_name in enumerate(
self._format_string_pieces_map):
if not attribute_name or hasattr(event_object, attribute_name):
if attribute_name:
attribute = getattr(event_object, attribute_name, None)
# If an attribute is an int, yet has zero value we want to include
# that in the format string, since that is still potentially valid
# information. Otherwise we would like to skip it.
if type(attribute) not in (bool, int, long,
float) and not attribute:
continue
string_pieces.append(self.FORMAT_STRING_PIECES[map_index])
self.format_string = unicode(
self.FORMAT_STRING_SEPARATOR.join(string_pieces))
string_pieces = []
for map_index, attribute_name in enumerate(
self._format_string_short_pieces_map):
if not attribute_name or getattr(event_object, attribute_name,
None):
string_pieces.append(
self.FORMAT_STRING_SHORT_PIECES[map_index])
self.format_string_short = unicode(
self.FORMAT_STRING_SEPARATOR.join(string_pieces))
return super(ConditionalEventFormatter, self).GetMessages(event_object)
def GetMessages(self, formatter_mediator, event_data):
"""Determines the formatted message strings for the event data.
Args:
formatter_mediator (FormatterMediator): mediates the interactions
between formatters and other components, such as storage and Windows
EventLog resources.
event_data (EventData): event data.
Returns:
tuple(str, str): formatted message string and short message string.
Raises:
WrongFormatter: if the event data cannot be formatted by the formatter.
"""
if self.DATA_TYPE != event_data.data_type:
raise errors.WrongFormatter('Unsupported data type: {0:s}.'.format(
event_data.data_type))
event_values = event_data.CopyToDict()
attribute_type = event_values.get('attribute_type', 0)
event_values['attribute_name'] = self._ATTRIBUTE_NAMES.get(
attribute_type, 'UNKNOWN')
file_reference = event_values.get('file_reference', None)
if file_reference:
event_values['file_reference'] = '{0:d}-{1:d}'.format(
file_reference & 0xffffffffffff, file_reference >> 48)
parent_file_reference = event_values.get('parent_file_reference', None)
if parent_file_reference:
event_values['parent_file_reference'] = '{0:d}-{1:d}'.format(
parent_file_reference & 0xffffffffffff,
parent_file_reference >> 48)
if not event_values.get('is_allocated', False):
event_values['unallocated'] = 'unallocated'
path_hints = event_values.get('path_hints', [])
if path_hints:
event_values['path_hints'] = ';'.join(path_hints)
return self._ConditionalFormatMessages(event_values)
def GetMessages(self, formatter_mediator, event):
"""Determines the formatted message strings for an event object.
Args:
formatter_mediator (FormatterMediator): mediates the interactions between
formatters and other components, such as storage and Windows EventLog
resources.
event (EventObject): event.
Returns:
tuple(str, str): formatted message string and short message string.
Raises:
WrongFormatter: if the event object cannot be formatted by the formatter.
"""
if self.DATA_TYPE != event.data_type:
raise errors.WrongFormatter('Unsupported data type: {0:s}.'.format(
event.data_type))
event_values = event.CopyToDict()
source_name = event_values.get('source_name', None)
message_identifier = event_values.get('message_identifier', None)
strings = event_values.get('strings', [])
if source_name and message_identifier:
message_string = formatter_mediator.GetWindowsEventMessage(
source_name, message_identifier)
if message_string:
try:
event_values['message_string'] = message_string.format(
*strings)
except IndexError:
pass
message_strings = []
for string in strings:
if string:
message_strings.append('\'{0:s}\''.format(string))
message_string = ', '.join(message_strings)
event_values['strings'] = '[{0:s}]'.format(message_string)
return self._ConditionalFormatMessages(event_values)
def GetMessages(self, event_object):
"""Returns a list of messages extracted from an event object.
Args:
event_object: The event object (EventObject) containing the event
specific data.
Returns:
A list that contains both the longer and shorter version of the message
string.
"""
if self.DATA_TYPE != event_object.data_type:
raise errors.WrongFormatter(
u'Unsupported data type: {0:s}.'.format(
event_object.data_type))
if not getattr(event_object, 'allocated', True):
event_object.unallocated = u'unallocated'
return super(PfileStatFormatter, self).GetMessages(event_object)
def GetMessages(self, unused_ormatter_mediator, event_object):
"""Determines the formatted message strings for an event object.
Args:
formatter_mediator: the formatter mediator object (instance of
FormatterMediator).
event_object: the event object (instance of EventObject).
Returns:
A tuple containing the formatted message string and short message string.
Raises:
WrongFormatter: if the event object cannot be formatted by the formatter.
"""
if self.DATA_TYPE != event_object.data_type:
raise errors.WrongFormatter(u'Unsupported data type: {0:s}.'.format(
event_object.data_type))
event_values = event_object.CopyToDict()
return self._ConditionalFormatMessages(event_values)
def GetMessages(self, unused_formatter_mediator, event_object):
"""Determines the formatted message strings for an event object.
Args:
formatter_mediator: the formatter mediator object (instance of
FormatterMediator).
event_object: the event object (instance of EventObject).
Returns:
A tuple containing the formatted message string and short message string.
Raises:
WrongFormatter: if the event object cannot be formatted by the formatter.
"""
if self.DATA_TYPE != event_object.data_type:
raise errors.WrongFormatter(
u'Unsupported data type: {0:s}.'.format(
event_object.data_type))
event_values = event_object.CopyToDict()
attribute_type = event_values.get(u'attribute_type', 0)
event_values[u'attribute_name'] = self._ATTRIBUTE_NAMES.get(
attribute_type, u'UNKNOWN')
file_reference = event_values.get(u'file_reference', None)
if file_reference:
event_values[u'file_reference'] = u'{0:d}-{1:d}'.format(
file_reference & 0xffffffffffff, file_reference >> 48)
parent_file_reference = event_values.get(u'parent_file_reference',
None)
if parent_file_reference:
event_values[u'parent_file_reference'] = u'{0:d}-{1:d}'.format(
parent_file_reference & 0xffffffffffff,
parent_file_reference >> 48)
if not event_values.get(u'is_allocated', False):
event_values[u'unallocated'] = u'unallocated'
return self._ConditionalFormatMessages(event_values)
def GetMessages(self, formatter_mediator, event_data):
"""Determines the formatted message strings for the event data.
Args:
formatter_mediator (FormatterMediator): mediates the interactions
between formatters and other components, such as storage and Windows
EventLog resources.
event_data (EventData): event data.
Returns:
tuple(str, str): formatted message string and short message string.
Raises:
WrongFormatter: if the event data cannot be formatted by the formatter.
"""
if self.DATA_TYPE != event_data.data_type:
raise errors.WrongFormatter('Unsupported data type: {0:s}.'.format(
event_data.data_type))
event_values = event_data.CopyToDict()
values = event_values.get('values', None)
if values is None:
# TODO: remove regvalue, which is kept for backwards compatibility.
regvalue = event_values.get('regvalue', {})
string_parts = []
for key, value in sorted(regvalue.items()):
string_parts.append('{0:s}: {1!s}'.format(key, value))
values = ' '.join(string_parts)
event_values['values'] = values
if not values:
event_values['values'] = '(empty)'
if 'key_path' in event_values:
format_string = self.FORMAT_STRING
else:
format_string = self.FORMAT_STRING_ALTERNATIVE
return self._FormatMessages(
format_string, self.FORMAT_STRING_SHORT, event_values)
def GetMessages(self, formatter_mediator, event_data):
"""Determines the formatted message strings for the event data.
Args:
formatter_mediator (FormatterMediator): mediates the interactions between
formatters and other components, such as storage and Windows EventLog
resources.
event_data (EventData): event data.
Returns:
tuple(str, str): formatted message string and short message string.
Raises:
WrongFormatter: if the event data cannot be formatted by the formatter.
"""
if self.DATA_TYPE != event_data.data_type:
raise errors.WrongFormatter('Unsupported data type: {0:s}.'.format(
event_data.data_type))
event_values = event_data.CopyToDict()
error_control = event_values.get('error_control', None)
if error_control is not None:
error_control = (
human_readable_service_enums.SERVICE_ENUMS['ErrorControl'].get(
error_control, error_control))
event_values['error_control'] = error_control
service_type = event_values.get('service_type', None)
if service_type is not None:
service_type = human_readable_service_enums.SERVICE_ENUMS[
'Type'].get(service_type, service_type)
event_values['service_type'] = service_type
start_type = event_values.get('start_type', None)
if start_type is not None:
start_type = human_readable_service_enums.SERVICE_ENUMS[
'Start'].get(start_type, start_type)
event_values['start_type'] = start_type
return self._ConditionalFormatMessages(event_values)
def GetMessages(self, unused_formatter_mediator, event):
"""Determines the formatted message strings for an event object.
Args:
formatter_mediator (FormatterMediator): mediates the interactions between
formatters and other components, such as storage and Windows EventLog
resources.
event (EventObject): event.
Returns:
tuple(str, str): formatted message string and short message string.
Raises:
WrongFormatter: if the event object cannot be formatted by the formatter.
"""
if self.DATA_TYPE != event.data_type:
raise errors.WrongFormatter('Unsupported data type: {0:s}.'.format(
event.data_type))
event_values = event.CopyToDict()
return self._ConditionalFormatMessages(event_values)
def GetMessages(self, event_object):
"""Return the message strings."""
if self.DATA_TYPE != event_object.data_type:
raise errors.WrongFormatter(
u'Unsupported data type: {0:s}.'.format(
event_object.data_type))
transition = self._URL_TRANSITIONS.get(
getattr(event_object, 'visit_type', 0), None)
if transition:
transition_str = u'Transition: {0!s}'.format(transition)
if hasattr(event_object, 'extra'):
if transition:
event_object.extra.append(transition_str)
event_object.extra_string = u' '.join(event_object.extra)
elif transition:
event_object.extra_string = transition_str
return super(FirefoxPageVisitFormatter, self).GetMessages(event_object)
def GetSources(self, event):
"""Determines the the short and long source for an event object.
Args:
event (EventObject): event.
Returns:
tuple(str, str): short and long source string.
Raises:
WrongFormatter: if the event object cannot be formatted by the formatter.
"""
if self.DATA_TYPE != event.data_type:
raise errors.WrongFormatter('Unsupported data type: {0:s}.'.format(
event.data_type))
file_system_type = getattr(event, 'file_system_type', 'UNKNOWN')
timestamp_desc = getattr(event, 'timestamp_desc', 'Time')
source_long = '{0:s} {1:s}'.format(file_system_type, timestamp_desc)
return self.SOURCE_SHORT, source_long
def GetMessages(self, event_object):
"""Returns a list of messages extracted from an event object.
Args:
event_object: The event object (EventObject) containing the event
specific data.
Returns:
A list that contains both the longer and shorter version of the message
string.
"""
if self.DATA_TYPE != event_object.data_type:
raise errors.WrongFormatter(
u'Unsupported data type: {0:s}.'.format(
event_object.data_type))
# Update event object with the event type string.
event_object.event_type_string = self.GetEventTypeString(
event_object.event_type)
return super(WinEvtFormatter, self).GetMessages(event_object)
def GetSources(self, event_object):
"""Determines the the short and long source for an event object.
Args:
event_object: the event object (instance of EventObject).
Returns:
A tuple of the short and long source string.
Raises:
WrongFormatter: if the event object cannot be formatted by the formatter.
"""
if self.DATA_TYPE != event_object.data_type:
raise errors.WrongFormatter('Unsupported data type: {0:s}.'.format(
event_object.data_type))
fs_type = getattr(event_object, u'fs_type', u'Unknown FS')
timestamp_desc = getattr(event_object, u'timestamp_desc', u'Time')
source_long = u'{0:s} {1:s}'.format(fs_type, timestamp_desc)
return self.SOURCE_SHORT, source_long
def GetMessages(self, event_object):
"""Format the message string."""
if event_object.data_type != self.DATA_TYPE:
raise errors.WrongFormatter(
u'Unsupported data type: {0:s}.'.format(
event_object.data_type))
# TODO: Move this to a more generic GA cookie formatter once
# more cookie parsers are implemented, since this should be a
# shared code.
# Create a separate cookie formatter that will handle them in a
# generic sense and have this ineherit from that.
ga_cookie = getattr(event_object, 'cookie_name', 'N/A')
ga_data = []
if ga_cookie == '__utmz':
ga_data.append(u'Sessions: {}'.format(
getattr(event_object, 'sessions', 0)))
ga_data.append(u'Domain Hash: {}'.format(
getattr(event_object, 'domain_hash', 'N/A')))
ga_data.append(u'Sources: {}'.format(
getattr(event_object, 'sources', 0)))
ga_data.append(u'Variables: {}'.format(u' '.join(
getattr(event_object, 'extra', []))))
elif ga_cookie == '__utmb':
ga_data.append(u'Pages Viewed: {}'.format(
getattr(event_object, 'pages_viewed', 0)))
ga_data.append(u'Domain Hash: {}'.format(
getattr(event_object, 'domain_hash', 'N/A')))
elif ga_cookie == '__utma':
ga_data.append(u'Sessions: {}'.format(
getattr(event_object, 'sessions', 0)))
ga_data.append(u'Domain Hash: {}'.format(
getattr(event_object, 'domain_hash', 'N/A')))
ga_data.append(u'Visitor ID: {}'.format(
getattr(event_object, 'domain_hash', 'N/A')))
if ga_data:
event_object.ga_data = u' - '.join(ga_data)
return super(ChromeCookieFormatter, self).GetMessages(event_object)
def GetMessages(self, unused_formatter_mediator, event_object):
"""Determines the formatted message strings for an event object.
Args:
formatter_mediator: the formatter mediator object (instance of
FormatterMediator).
event_object: the event object (instance of EventObject).
Returns:
A tuple containing the formatted message string and short message string.
Raises:
WrongFormatter: if the event object cannot be formatted by the formatter.
"""
if self.DATA_TYPE != event_object.data_type:
raise errors.WrongFormatter(
u'Unsupported data type: {0:s}.'.format(
event_object.data_type))
event_values = event_object.CopyToDict()
http_headers = event_values.get(u'http_headers', None)
if http_headers:
event_values[u'http_headers'] = http_headers.replace(
u'\r\n', u' - ')
if event_values.get(u'recovered', None):
event_values[u'recovered_string'] = u'[Recovered Entry]'
cached_file_path = event_values.get(u'cached_filename', None)
if cached_file_path:
cache_directory_name = event_values.get(u'cache_directory_name',
None)
if cache_directory_name:
cached_file_path = u'\\'.join(
[cache_directory_name, cached_file_path])
event_values[u'cached_file_path'] = cached_file_path
return self._ConditionalFormatMessages(event_values)
def GetMessages(self, unused_formatter_mediator, event):
"""Determines the formatted message strings for an event object.
Args:
formatter_mediator (FormatterMediator): mediates the interactions between
formatters and other components, such as storage and Windows EventLog
resources.
event (EventObject): event.
Returns:
tuple(str, str): formatted message string and short message string.
Raises:
WrongFormatter: if the event object cannot be formatted by the formatter.
"""
if self.DATA_TYPE != event.data_type:
raise errors.WrongFormatter(
u'Unsupported data type: {0:s}.'.format(event.data_type))
event_values = event.CopyToDict()
http_headers = event_values.get(u'http_headers', None)
if http_headers:
event_values[u'http_headers'] = http_headers.replace(
u'\r\n', u' - ')
if event_values.get(u'recovered', None):
event_values[u'recovered_string'] = u'[Recovered Entry]'
cached_file_path = event_values.get(u'cached_filename', None)
if cached_file_path:
cache_directory_name = event_values.get(u'cache_directory_name',
None)
if cache_directory_name:
cached_file_path = u'\\'.join(
[cache_directory_name, cached_file_path])
event_values[u'cached_file_path'] = cached_file_path
return self._ConditionalFormatMessages(event_values)
def GetMessages(self, formatter_mediator, event_data):
"""Determines the formatted message strings for the event data.
Args:
formatter_mediator (FormatterMediator): mediates the interactions
between formatters and other components, such as storage and Windows
EventLog resources.
event_data (EventData): event data.
Returns:
tuple(str, str): formatted message string and short message string.
Raises:
WrongFormatter: if the event data cannot be formatted by the formatter.
"""
if self.DATA_TYPE != event_data.data_type:
raise errors.WrongFormatter('Unsupported data type: {0:s}.'.format(
event_data.data_type))
event_values = event_data.CopyToDict()
priority_level = event_values.get('level', None)
if isinstance(priority_level, int):
event_values['level'] = '{0:s} ({1:d})'.format(
self._PRIORITY_LEVELS.get(priority_level, 'UNKNOWN'),
priority_level)
# If no rights are assigned the value is 0xffffffff (-1).
read_uid = event_values.get('read_uid', None)
if read_uid == -1:
event_values['read_uid'] = 'ALL'
# If no rights are assigned the value is 0xffffffff (-1).
read_gid = event_values.get('read_gid', None)
if read_gid == -1:
event_values['read_gid'] = 'ALL'
# TODO: get the real name for the user of the group having the uid or gid.
return self._ConditionalFormatMessages(event_values)
def GetMessages(self, formatter_mediator, event_data):
"""Determines the formatted message strings for the event data.
Args:
formatter_mediator (FormatterMediator): mediates the interactions
between formatters and other components, such as storage and Windows
EventLog resources.
event_data (EventData): event data.
Returns:
tuple(str, str): formatted message string and short message string.
Raises:
WrongFormatter: if the event data cannot be formatted by the formatter.
"""
if self.DATA_TYPE != event_data.data_type:
raise errors.WrongFormatter('Unsupported data type: {0:s}.'.format(
event_data.data_type))
event_values = event_data.CopyToDict()
return self._FormatMessages(self.FORMAT_STRING,
self.FORMAT_STRING_SHORT, event_values)
def GetMessages(self, unused_formatter_mediator, event_object):
"""Determines the formatted message strings for an event object.
Args:
formatter_mediator: the formatter mediator object (instance of
FormatterMediator).
event_object: the event object (instance of EventObject).
Returns:
A tuple containing the formatted message string and short message string.
Raises:
WrongFormatter: if the event object cannot be formatted by the formatter.
"""
if self.DATA_TYPE != event_object.data_type:
raise errors.WrongFormatter(
u'Unsupported data type: {0:s}.'.format(
event_object.data_type))
event_values = event_object.CopyToDict()
priority_level = event_values.get(u'level', None)
if isinstance(priority_level, py2to3.INTEGER_TYPES):
event_values[u'level'] = u'{0:s} ({1:d})'.format(
self._PRIORITY_LEVELS.get(priority_level, u'UNKNOWN'),
priority_level)
# If no rights are assigned the value is 0xffffffff (-1).
read_uid = event_values.get(u'read_uid', None)
if read_uid == 0xffffffff:
event_values[u'read_uid'] = u'ALL'
# If no rights are assigned the value is 0xffffffff (-1).
read_gid = event_values.get(u'read_gid', None)
if read_gid == 0xffffffff:
event_values[u'read_gid'] = u'ALL'
# TODO: get the real name for the user of the group having the uid or gid.
return self._ConditionalFormatMessages(event_values)
def GetSources(self, event):
"""Determines the the short and long source for an event object.
Args:
event (EventObject): event.
Returns:
tuple(str, str): short and long source string.
Raises:
WrongFormatter: if the event object cannot be formatted by the formatter.
"""
if self.DATA_TYPE != event.data_type:
raise errors.WrongFormatter(
u'Unsupported data type: {0:s}.'.format(event.data_type))
source_long = getattr(event, u'source_long', u'UNKNOWN')
source_append = getattr(event, u'source_append', None)
if source_append:
source_long = u'{0:s} {1:s}'.format(source_long, source_append)
return self.SOURCE_SHORT, source_long