def _ParseKey(self, mediator, registry_key, value_name):
  """Parses a Windows Registry key for a preprocessing attribute.

  The CategoryMessageFile, EventMessageFile and ParameterMessageFile values
  are read from the key and split on ';' into lists; a value that is absent
  leaves the corresponding attribute as None. The log type and log source
  are taken from the last two segments of the key path (the key is expected
  to be ...\\EventLog\\<log type>\\<log source>).

  Args:
    mediator (PreprocessMediator): mediates interactions between preprocess
        plugins and other components, such as storage and knowledge base.
    registry_key (dfwinreg.WinRegistryKey): Windows Registry key.
    value_name (str): name of the Windows Registry value. Not used by this
        plugin; all values are looked up by their fixed names.

  Raises:
    errors.PreProcessFail: if the preprocessing fails.
  """
  def _ReadMessageFiles(name):
    # Returns the ';'-separated value data as a list, or None when the value
    # is absent. The data is taken from the analyzed Registry as-is.
    value = registry_key.GetValueByName(name)
    if not value:
      return None
    return value.GetDataAsObject().split(';')

  category_message_files = _ReadMessageFiles('CategoryMessageFile')
  event_message_files = _ReadMessageFiles('EventMessageFile')
  parameter_message_files = _ReadMessageFiles('ParameterMessageFile')

  path_segments = registry_key.path.split('\\')
  log_source = path_segments[-1]
  log_type = path_segments[-2]

  provider = artifacts.WindowsEventLogProviderArtifact(
      category_message_files=category_message_files,
      event_message_files=event_message_files,
      log_source=log_source,
      log_type=log_type,
      parameter_message_files=parameter_message_files)

  try:
    mediator.AddWindowsEventLogProvider(provider)
  except KeyError:
    # A KeyError from the mediator is reported as a warning rather than
    # aborting preprocessing.
    mediator.ProducePreprocessingWarning(
        self.ARTIFACT_DEFINITION_NAME,
        ('Unable to set add Windows Event Log provider: {0:s}/{1:s} to '
         'knowledge base.').format(log_type, log_source))
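def _ParseKey(self, mediator, registry_key, value_name):
  """Parses a Windows Registry key for a preprocessing attribute.

  The key's default value holds the EventLog source; MessageFileName holds a
  ';'-separated list of message file paths, which is normalized (stripped,
  lower-cased, empty entries dropped, sorted) so providers can be compared
  regardless of how the paths were written in the analyzed Registry.

  Args:
    mediator (PreprocessMediator): mediates interactions between preprocess
        plugins and other components, such as storage and knowledge base.
    registry_key (dfwinreg.WinRegistryKey): Windows Registry key.
    value_name (str): name of the Windows Registry value or None if not
        specified. Not used by this plugin; values are looked up by their
        fixed names.

  Raises:
    errors.PreProcessFail: if the preprocessing fails.
  """
  registry_value = registry_key.GetValueByName('')
  if not registry_value:
    mediator.ProducePreprocessingWarning(
        self.ARTIFACT_DEFINITION_NAME,
        'EventLog source missing for: {0:s}'.format(registry_key.name))
    return

  log_source = registry_value.GetDataAsObject()

  event_message_files = None
  registry_value = registry_key.GetValueByName('MessageFileName')
  if registry_value:
    # NOTE(review): assumes the value data is a string (REG_SZ or
    # REG_EXPAND_SZ); a non-string data type would fail on split().
    message_file_names = registry_value.GetDataAsObject()
    event_message_files = sorted(filter(None, [
        path.strip().lower() for path in message_file_names.split(';')]))

  provider_identifier = registry_key.name.lower()
  windows_event_log_provider = artifacts.WindowsEventLogProviderArtifact(
      event_message_files=event_message_files,
      identifier=provider_identifier,
      log_source=log_source)

  try:
    mediator.AddWindowsEventLogProvider(windows_event_log_provider)
  except KeyError:
    # Fix: the message template and format(log_source) were previously passed
    # as two separate positional arguments instead of calling str.format on
    # the template, so the warning was never formatted. "!s" is used so a
    # non-string log source still produces a readable warning.
    mediator.ProducePreprocessingWarning(
        self.ARTIFACT_DEFINITION_NAME,
        'Unable to add Windows EventLog provider: {0!s}.'.format(log_source))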
def testInitialize(self):
  """Tests the __init__ function.

  Only checks that a WindowsEventLogProviderArtifact can be constructed with
  no arguments; attribute values are not inspected here.
  """
  self.assertIsNotNone(artifacts.WindowsEventLogProviderArtifact())