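def _SendContainerToStorage(file_entry, storage_queue_producer):
    """Read events from a event container and send them to storage.

    One event object is produced per stat-derived event of ``file_entry``
    (obtained through ``filestat.StatEvents``). Each event is stamped with
    the file's display name, file name, path specification, the parser name
    ``filestat`` and, when the stat object carries one, the inode number,
    and is then handed to the storage queue producer.

    Args:
      file_entry: The file entry object (instance of dfvfs.FileEntry).
      storage_queue_producer: the storage queue producer (instance of
                              EventObjectQueueProducer).
    """
    stat_object = file_entry.GetStat()

    fs_type = filestat.StatEvents.GetFileSystemTypeFromFileEntry(file_entry)

    # Not every stat object exposes an inode number (it depends on the backing
    # file system). Resolve it once, outside the loop, and only attach it when
    # present rather than failing with AttributeError on ``stat_object.ino``.
    inode_number = getattr(stat_object, 'ino', None)
    inode_value = None
    if inode_number is not None:
        inode_value = utils.GetInodeValue(inode_number)

    for event_object in filestat.StatEvents.GetEventsFromStat(
            stat_object, fs_type):
        # TODO: dfVFS refactor: move display name to output since the path
        # specification contains the full information.
        event_object.display_name = u'{0:s}:{1:s}'.format(
            file_entry.path_spec.type_indicator, file_entry.name)

        event_object.filename = file_entry.name
        event_object.pathspec = file_entry.path_spec
        event_object.parser = u'filestat'
        if inode_value is not None:
            event_object.inode = inode_value

        storage_queue_producer.ProduceEventObject(event_object)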
  def ProcessEvent(
      self, event_object, parser_name=None, plugin_name=None, file_entry=None,
      query=None):
    """Processes an event before it is emitted to the event queue.

    Fills in attributes the parser left unset: parser and plugin names, the
    text prepend, path information derived from the file entry (path spec,
    filename, display name, inode), the hostname, the username resolved from
    the event's user SID via the knowledge base, and the query. A value the
    event already carries is never overwritten.

    Args:
      event_object: the event object (instance of EventObject).
      parser_name: Optional name of the parser. The default is None.
      plugin_name: Optional name of the plugin. The default is None.
      file_entry: optional file entry object (instance of dfvfs.FileEntry).
                  The default is None.
      query: Optional query string. The default is None.
    """
    def _unset(attribute):
      # True when the event has no (truthy) value for the attribute yet.
      return not getattr(event_object, attribute, None)

    if parser_name and _unset('parser'):
      event_object.parser = parser_name

    if plugin_name and _unset('plugin'):
      event_object.plugin = plugin_name

    # TODO: deprecate text_prepend in favor of an event tag.
    if self._text_prepend and _unset('text_prepend'):
      event_object.text_prepend = self._text_prepend

    display_name = None
    if file_entry:
      event_object.pathspec = file_entry.path_spec

      if _unset('filename'):
        event_object.filename = self.GetRelativePath(file_entry)

      # TODO: dfVFS refactor: move display name to output since the path
      # specification contains the full information.
      display_name = self.GetDisplayName(file_entry)

      inode_number = getattr(file_entry.GetStat(), 'ino', None)
      if inode_number and not hasattr(event_object, 'inode'):
        # TODO: clean up the GetInodeValue function.
        event_object.inode = utils.GetInodeValue(inode_number)

    if display_name and _unset('display_name'):
      event_object.display_name = display_name

    if self.hostname and _unset('hostname'):
      event_object.hostname = self.hostname

    if _unset('username'):
      user_sid = getattr(event_object, 'user_sid', None)
      resolved_username = self._knowledge_base.GetUsernameByIdentifier(
          user_sid)
      if resolved_username:
        event_object.username = resolved_username

    if query and _unset('query'):
      event_object.query = query
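    def _ParseEvent(self, event_object, file_entry, parser_name, stat_obj):
        """Adjust value of an extracted EventObject before storing it.

        Sets the text prepend, file path, display name, path specification,
        parser name, hostname, inode and username on the event, then hands it
        to the storage queue producer when no filter is configured or the
        filter matches, and increments the extracted-events counter.

        Args:
          event_object: the event object (instance of EventObject) to adjust.
          file_entry: the file entry object (instance of dfvfs.FileEntry) the
                      event was extracted from.
          parser_name: name of the parser that produced the event.
          stat_obj: stat object of the file entry; its ``ino`` attribute, when
                    present, becomes the event's inode.
        """
        # TODO: Make some more adjustments to the event object.
        # Need to apply time skew, and other information extracted from
        # the configuration of the tool.

        # TODO: deprecate text_prepend in favor of an event tag.
        if self._text_prepend:
            event_object.text_prepend = self._text_prepend

        file_path = getattr(file_entry.path_spec, 'location', file_entry.name)
        # If we are parsing a mount point we don't want to include the full
        # path to file's location here, we are only interested in the relative
        # path to the mount point.

        # TODO: Solve this differently, quite possibly inside dfVFS using mount
        # path spec.
        type_indicator = file_entry.path_spec.type_indicator
        if (type_indicator == dfvfs_definitions.TYPE_INDICATOR_OS
                and self._mount_path):
            # Only strip the mount path when it actually occurs in the
            # location. str.partition() returns an empty remainder when the
            # separator is absent, which would silently blank the file path.
            _, separator, relative_path = file_path.partition(self._mount_path)
            if separator:
                file_path = relative_path

        # TODO: dfVFS refactor: move display name to output since the path
        # specification contains the full information.
        event_object.display_name = u'{0:s}:{1:s}'.format(
            file_entry.path_spec.type_indicator, file_path)

        if not getattr(event_object, 'filename', None):
            event_object.filename = file_path
        event_object.pathspec = file_entry.path_spec
        event_object.parser = parser_name

        if hasattr(self._pre_obj, 'hostname'):
            event_object.hostname = self._pre_obj.hostname
        if not hasattr(event_object, 'inode') and hasattr(stat_obj, 'ino'):
            event_object.inode = utils.GetInodeValue(stat_obj.ino)

        # Set the username that is associated to the record.
        if getattr(event_object, 'user_sid', None) and self._user_mapping:
            username = self._user_mapping.get(event_object.user_sid, None)
            if username:
                event_object.username = username

        if not self._filter_object or self._filter_object.Matches(
                event_object):
            self._storage_queue_producer.ProduceEventObject(event_object)
            self._counter_of_extracted_events += 1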
    def ProcessEvent(self,
                     event_object,
                     parser_chain=None,
                     file_entry=None,
                     query=None):
        """Processes an event before it is emitted to the event queue.

        Attributes the parser already set are left untouched; the rest are
        filled in from the arguments and from the mediator's state: parser
        chain, text prepend, path information from the file entry (path spec,
        filename, display name, inode), hostname, the username resolved from
        the event's user SID, the query, and finally every extra event
        attribute configured on the mediator.

        Args:
          event_object: the event object (instance of EventObject).
          parser_chain: Optional string containing the parsing chain up to this
                        point. The default is None.
          file_entry: Optional file entry object (instance of dfvfs.FileEntry).
                      The default is None, which will default to the current
                      file entry set in the mediator.
          query: Optional query string. The default is None.

        Raises:
          KeyError: if an extra event attribute is already present on the
                    event object.
        """
        def _unset(attribute):
            # True when the event has no (truthy) value for the attribute yet.
            return not getattr(event_object, attribute, None)

        if parser_chain and _unset(u'parser'):
            event_object.parser = parser_chain

        # TODO: deprecate text_prepend in favor of an event tag.
        if self._text_prepend and _unset(u'text_prepend'):
            event_object.text_prepend = self._text_prepend

        if file_entry is None:
            file_entry = self._file_entry

        display_name = None
        if file_entry:
            event_object.pathspec = file_entry.path_spec

            if _unset(u'filename'):
                path_spec = getattr(file_entry, u'path_spec', None)
                event_object.filename = self._GetRelativePath(path_spec)

            # TODO: dfVFS refactor: move display name to output since the path
            # specification contains the full information.
            display_name = self.GetDisplayName(file_entry)

            inode_number = getattr(file_entry.GetStat(), u'ino', None)
            if inode_number and not hasattr(event_object, u'inode'):
                # TODO: clean up the GetInodeValue function.
                event_object.inode = utils.GetInodeValue(inode_number)

        if display_name and _unset(u'display_name'):
            event_object.display_name = display_name

        if self.hostname and _unset(u'hostname'):
            event_object.hostname = self.hostname

        if _unset(u'username'):
            user_sid = getattr(event_object, u'user_sid', None)
            resolved_username = self._knowledge_base.GetUsernameByIdentifier(
                user_sid)
            if resolved_username:
                event_object.username = resolved_username

        if query and _unset(u'query'):
            event_object.query = query

        for attribute, value in self._extra_event_attributes.iteritems():
            # An extra attribute must never clobber what the parser produced.
            if hasattr(event_object, attribute):
                raise KeyError(
                    u'Event already has a value for {0:s}'.format(attribute))

            setattr(event_object, attribute, value)