def EventBody(self, event_object):
"""Formats data as 4n6time database table format and writes to the db.
Args:
event_object: The event object (EventObject).
Raises:
raise errors.NoFormatterFound: If no formatter for this event is found.
"""
if not hasattr(event_object, 'timestamp'):
return
formatter = eventdata.EventFormatterManager.GetFormatter(event_object)
if not formatter:
raise errors.NoFormatterFound(
u'Unable to output event, no formatter found.')
if (isinstance(
formatter, formatters.winreg.WinRegistryGenericFormatter) and
formatter.FORMAT_STRING.find('<|>') == -1):
formatter.FORMAT_STRING = u'[{keyname}]<|>{text}<|>'
elif isinstance(formatter, eventdata.ConditionalEventFormatter):
formatter.FORMAT_STRING_SEPARATOR = u'<|>'
elif isinstance(formatter, eventdata.EventFormatter):
formatter.format_string = formatter.format_string.replace('}', '}<|>')
msg, msg_short = formatter.GetMessages(event_object)
source_short, source_long = formatter.GetSources(event_object)
date_use = timelib.Timestamp.CopyToDatetime(
event_object.timestamp, self.zone)
if not date_use:
logging.error(u'Unable to process date for entry: {0:s}'.format(msg))
return
extra = []
format_variables = self.FORMAT_ATTRIBUTE_RE.findall(
formatter.format_string)
for key in event_object.GetAttributes():
if key in utils.RESERVED_VARIABLES or key in format_variables:
continue
extra.append(u'{0:s}: {1!s} '.format(
key, getattr(event_object, key, None)))
extra = u' '.join(extra)
inode = getattr(event_object, 'inode', '-')
if inode == '-':
if (hasattr(event_object, 'pathspec') and
hasattr(event_object.pathspec, 'image_inode')):
inode = event_object.pathspec.image_inode
date_use_string = u'{0}-{1}-{2} {3}:{4}:{5}'.format(
date_use.year, date_use.month, date_use.day, date_use.hour,
date_use.minute, date_use.second)
tags = []
if hasattr(event_object, 'tag'):
if hasattr(event_object.tag, 'tags'):
tags = event_object.tag.tags
else:
tags = u''
else:
tags = u''
taglist = u','.join(tags)
row = (str(self.zone),
helper.GetLegacy(event_object),
source_short,
source_long,
getattr(event_object, 'timestamp_desc', '-'),
getattr(event_object, 'username', '-'),
getattr(event_object, 'hostname', '-'),
msg,
getattr(event_object, 'filename', '-'),
inode,
getattr(event_object, 'notes', '-'),
getattr(event_object, 'parser', '-'),
extra,
date_use_string,
'',
'',
taglist,
'',
getattr(event_object, 'offset', 0),
event_object.store_number,
event_object.store_index,
self.GetVSSNumber(event_object),
getattr(event_object, 'url', '-'),
getattr(event_object, 'record_number', 0),
getattr(event_object, 'event_identifier', '-'),
getattr(event_object, 'event_type', '-'),
getattr(event_object, 'source_name', '-'),
getattr(event_object, 'user_sid', '-'),
getattr(event_object, 'computer_name', '-'),
self.evidence)
try:
self.curs.execute(
'INSERT INTO log2timeline(timezone, MACB, source, '
'sourcetype, type, user, host, description, filename, '
'inode, notes, format, extra, datetime, reportnotes, '
'inreport, tag, color, offset, store_number, '
'store_index, vss_store_number, URL, record_number, '
'event_identifier, event_type, source_name, user_sid, '
'computer_name, evidence) VALUES ('
'%s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, '
'%s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, '
'%s, %s, %s, %s)', row)
except MySQLdb.Error as exception:
logging.warning(
u'Unable to insert into database with error: {0:s}.'.format(
exception))
self.count += 1
# TODO: Experiment if committing the current transaction
# every 10000 inserts is the optimal approach.
if self.count % 10000 == 0:
self.conn.commit()
if self.set_status:
self.set_status(u'Inserting event: {0:d}'.format(self.count))
def ParseMacb(self, event_object): """Return a legacy MACB representation.""" return helper.GetLegacy(event_object)
def WriteEventBody(self, event_object):
"""Writes the body of an event object to the output.
Each event object contains both attributes that are considered "reserved"
and others that aren't. The 'raw' representation of the object makes a
distinction between these two types as well as extracting the format
strings from the object.
Args:
event_object: the event object (instance of EventObject).
Raises:
raise errors.NoFormatterFound: If no event formatter was found.
"""
if 'timestamp' not in event_object.GetAttributes():
return
event_formatter = formatters_manager.FormattersManager.GetFormatterObject(
event_object.data_type)
if not event_formatter:
raise errors.NoFormatterFound(
'Unable to output event, no event formatter found.')
# TODO: remove this hack part of the storage/output refactor.
# The event formatter class constants should not be changed directly.
if (isinstance(event_formatter,
formatters.winreg.WinRegistryGenericFormatter)
and event_formatter.FORMAT_STRING.find('<|>') == -1):
event_formatter.FORMAT_STRING = u'[{keyname}]<|>{text}<|>'
elif isinstance(event_formatter,
formatters_interface.ConditionalEventFormatter):
event_formatter.FORMAT_STRING_SEPARATOR = u'<|>'
elif isinstance(event_formatter, formatters_interface.EventFormatter):
event_formatter.FORMAT_STRING = event_formatter.FORMAT_STRING.replace(
'}', '}<|>')
msg, _ = event_formatter.GetMessages(self._formatter_mediator,
event_object)
source_short, source_long = event_formatter.GetSources(event_object)
date_use = timelib.Timestamp.CopyToDatetime(event_object.timestamp,
self.zone)
if not date_use:
logging.error(
u'Unable to process date for entry: {0:s}'.format(msg))
return
extra = []
format_variables = event_formatter.GetFormatStringAttributeNames()
for key in event_object.GetAttributes():
if (key in definitions.RESERVED_VARIABLE_NAMES
or key in format_variables):
continue
extra.append(u'{0:s}: {1!s} '.format(
key, getattr(event_object, key, None)))
extra = u' '.join(extra)
inode = getattr(event_object, 'inode', '-')
if inode == '-':
if (hasattr(event_object, 'pathspec')
and hasattr(event_object.pathspec, 'image_inode')):
inode = event_object.pathspec.image_inode
date_use_string = u'{0:04d}-{1:02d}-{2:02d} {3:02d}:{4:02d}:{5:02d}'.format(
date_use.year, date_use.month, date_use.day, date_use.hour,
date_use.minute, date_use.second)
tags = []
if hasattr(event_object, 'tag'):
if hasattr(event_object.tag, 'tags'):
tags = event_object.tag.tags
taglist = ','.join(tags)
row = (str(self.zone), helper.GetLegacy(event_object), source_short,
source_long, getattr(event_object, 'timestamp_desc', '-'),
getattr(event_object, 'username',
'-'), getattr(event_object, 'hostname', '-'), msg,
getattr(event_object, 'filename',
'-'), inode, getattr(event_object, 'notes', '-'),
getattr(event_object, 'parser',
'-'), extra, date_use_string, '', '', taglist, '',
getattr(event_object, 'offset',
0), event_object.store_number, event_object.store_index,
GetVSSNumber(event_object), getattr(event_object, 'url', '-'),
getattr(event_object, 'record_number',
0), getattr(event_object, 'event_identifier', '-'),
getattr(event_object, 'event_type',
'-'), getattr(event_object, 'source_name', '-'),
getattr(event_object, 'user_sid',
'-'), getattr(event_object, 'computer_name',
'-'), self.evidence)
self.curs.execute(
('INSERT INTO log2timeline(timezone, MACB, source, '
'sourcetype, type, user, host, description, filename, '
'inode, notes, format, extra, datetime, reportnotes, inreport,'
'tag, color, offset, store_number, store_index, vss_store_number,'
'URL, record_number, event_identifier, event_type,'
'source_name, user_sid, computer_name, evidence)'
' VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?,'
'?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)'), row)
self.count += 1
# Commit the current transaction every 10000 inserts.
if self.count % 10000 == 0:
self.conn.commit()
if self.set_status:
self.set_status('Inserting event: {0:d}'.format(self.count))
def EventBody(self, event_object):
"""Formats data as l2t_csv and writes to the filehandle from OutputFormater.
Args:
event_object: The event object (EventObject).
Raises:
errors.NoFormatterFound: If no formatter for that event is found.
"""
if not hasattr(event_object, 'timestamp'):
return
event_formatter = eventdata.EventFormatterManager.GetFormatter(
event_object)
if not event_formatter:
raise errors.NoFormatterFound(
u'Unable to find event formatter for: {0:s}.'.format(
event_object.DATA_TYPE))
msg, msg_short = event_formatter.GetMessages(event_object)
source_short, source_long = event_formatter.GetSources(event_object)
date_use = timelib.Timestamp.CopyToDatetime(event_object.timestamp,
self.zone)
extras = []
format_variables = self.FORMAT_ATTRIBUTE_RE.findall(
event_formatter.format_string)
for key in event_object.GetAttributes():
if key in utils.RESERVED_VARIABLES or key in format_variables:
continue
# Force a string conversion since some of the extra attributes
# can be numbers or bools.
value = getattr(event_object, key)
extras.append(u'{0:s}: {1!s} '.format(key, value))
extra = ' '.join(extras)
inode = getattr(event_object, 'inode', '-')
if inode == '-':
if hasattr(event_object, 'pathspec') and hasattr(
event_object.pathspec, 'image_inode'):
inode = event_object.pathspec.image_inode
hostname = getattr(event_object, 'hostname', u'')
# TODO: move this into a base output class.
username = getattr(event_object, 'username', u'-')
if self.store:
if not hostname:
hostname = self._hostnames.get(event_object.store_number, u'-')
pre_obj = self._preprocesses.get(event_object.store_number)
if pre_obj:
check_user = pre_obj.GetUsernameById(username)
if check_user != '-':
username = check_user
row = (
'{0:02d}/{1:02d}/{2:04d}'.format(date_use.month, date_use.day,
date_use.year),
'{0:02d}:{1:02d}:{2:02d}'.format(date_use.hour, date_use.minute,
date_use.second),
self.zone,
helper.GetLegacy(event_object),
source_short,
source_long,
getattr(event_object, 'timestamp_desc', u'-'),
username,
hostname,
msg_short,
msg,
'2',
getattr(event_object, 'display_name', u'-'),
inode,
getattr(event_object, 'notes', u'-'), # Notes field placeholder.
getattr(event_object, 'parser', u'-'),
extra.replace('\n', u'-').replace('\r', u''))
out_write = u'{0:s}\n'.format(u','.join(
unicode(x).replace(',', u' ') for x in row))
self.filehandle.WriteLine(out_write)
def WriteEventBody(self, event_object):
"""Writes the body of an event object to the output.
Each event object contains both attributes that are considered "reserved"
and others that aren't. The 'raw' representation of the object makes a
distinction between these two types as well as extracting the format
strings from the object.
Args:
event_object: the event object (instance of EventObject).
Raises:
errors.NoFormatterFound: If no formatter for that event is found.
"""
if not hasattr(event_object, u'timestamp'):
return
# TODO: move this to an output module interface.
event_formatter = formatters_manager.FormattersManager.GetFormatterObject(
event_object.data_type)
if not event_formatter:
raise errors.NoFormatterFound(
u'Unable to find event formatter for: {0:s}.'.format(
event_object.data_type))
msg, msg_short = event_formatter.GetMessages(self._formatter_mediator,
event_object)
source_short, source_long = event_formatter.GetSources(event_object)
date_use = timelib.Timestamp.CopyToDatetime(event_object.timestamp,
self.zone)
extras = []
format_variables = event_formatter.GetFormatStringAttributeNames()
for key in event_object.GetAttributes():
if (key in definitions.RESERVED_VARIABLE_NAMES
or key in format_variables):
continue
value = getattr(event_object, key)
# With ! in {1!s} we force a string conversion since some of
# the extra attributes values can be integer, float point or
# boolean values.
extras.append(u'{0:s}: {1!s} '.format(key, value))
extra = u' '.join(extras)
inode = getattr(event_object, u'inode', u'-')
if inode == u'-':
if hasattr(event_object, u'pathspec') and hasattr(
event_object.pathspec, u'image_inode'):
inode = event_object.pathspec.image_inode
hostname = getattr(event_object, u'hostname', u'')
# TODO: move this into a base output class.
username = getattr(event_object, u'username', u'-')
if self.store:
if not hostname:
hostname = self._hostnames.get(event_object.store_number, u'-')
pre_obj = self._preprocesses.get(event_object.store_number)
if pre_obj:
check_user = pre_obj.GetUsernameById(username)
if check_user != u'-':
username = check_user
notes = []
note_string = getattr(event_object, u'notes', None)
if note_string:
notes.append(note_string)
tag = getattr(event_object, u'tag', None)
if tag:
notes.extend(tag.tags)
if not notes:
notes.append(u'-')
row = (u'{0:02d}/{1:02d}/{2:04d}'.format(date_use.month, date_use.day,
date_use.year),
u'{0:02d}:{1:02d}:{2:02d}'.format(date_use.hour,
date_use.minute,
date_use.second), self.zone,
helper.GetLegacy(event_object), source_short, source_long,
getattr(event_object, u'timestamp_desc',
u'-'), username, hostname, msg_short, msg, u'2',
getattr(event_object, u'display_name',
u'-'), inode, u' '.join(notes),
getattr(event_object, u'parser',
u'-'), extra.replace(u'\n', u'-').replace(u'\r', u''))
out_write = u'{0:s}\n'.format(u','.join(
unicode(x).replace(u',', u' ') for x in row))
self.filehandle.WriteLine(out_write)