def testUserAccountsProperty(self):
"""Tests the user accounts property."""
knowledge_base_object = knowledge_base.KnowledgeBase()
self.assertEqual(len(knowledge_base_object.user_accounts), 0)
user_account = artifacts.UserAccountArtifact(
identifier='1000', user_directory='/home/testuser',
username='******')
knowledge_base_object.AddUserAccount(user_account)
self.assertEqual(len(knowledge_base_object.user_accounts), 1)
def testAnalyzeEvents(self):
"""Tests the AnalyzeEvents function."""
storage_file_path = self._GetTestFilePath(['psort_test.plaso'])
session = sessions.Session()
knowledge_base_object = knowledge_base.KnowledgeBase()
formatter_mediator = formatters_mediator.FormatterMediator()
formatter_mediator.SetPreferredLanguageIdentifier('en-US')
output_mediator_object = output_mediator.OutputMediator(
knowledge_base_object, formatter_mediator)
output_module = null.NullOutputModule(output_mediator_object)
data_location = ''
analysis_plugin = tagging.TaggingAnalysisPlugin()
analysis_plugins = {'tagging': analysis_plugin}
# TODO: set tag file.
configuration = configurations.ProcessingConfiguration()
test_engine = psort.PsortMultiProcessEngine()
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, 'storage.plaso')
shutil.copyfile(storage_file_path, temp_file)
storage_writer = storage_factory.StorageFactory.CreateStorageWriter(
definitions.DEFAULT_STORAGE_FORMAT, session, temp_file)
counter = test_engine.AnalyzeEvents(
knowledge_base_object, storage_writer, output_module, data_location,
analysis_plugins, configuration)
# TODO: assert if tests were successful.
_ = counter
test_filter = filters_test_lib.TestEventFilter()
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, 'storage.plaso')
shutil.copyfile(storage_file_path, temp_file)
storage_writer = storage_factory.StorageFactory.CreateStorageWriter(
definitions.DEFAULT_STORAGE_FORMAT, session, temp_file)
counter = test_engine.AnalyzeEvents(
knowledge_base_object, storage_writer, data_location,
analysis_plugins, configuration, event_filter=test_filter)
# TODO: assert if tests were successful.
_ = counter
def testHasUserAccounts(self):
"""Tests the HasUserAccounts function."""
knowledge_base_object = knowledge_base.KnowledgeBase()
self.assertFalse(knowledge_base_object.HasUserAccounts())
user_account = artifacts.UserAccountArtifact(
identifier='1000', user_directory='/home/testuser',
username='******')
knowledge_base_object.AddUserAccount(user_account)
self.assertTrue(knowledge_base_object.HasUserAccounts())
def testAddUserAccount(self):
"""Tests the AddUserAccount function."""
knowledge_base_object = knowledge_base.KnowledgeBase()
user_account = artifacts.UserAccountArtifact(
identifier=u'1000',
user_directory=u'/home/testuser',
username=u'testuser')
knowledge_base_object.AddUserAccount(user_account)
with self.assertRaises(KeyError):
knowledge_base_object.AddUserAccount(user_account)
def testCollectFromFileSystem(self):
"""Tests the CollectFromFileSystem function."""
artifacts_path = self._GetTestFilePath(['artifacts'])
self._SkipIfPathNotExists(artifacts_path)
registry = artifacts_registry.ArtifactDefinitionsRegistry()
reader = artifacts_reader.YamlArtifactsReader()
registry.ReadFromDirectory(reader, artifacts_path)
knowledge_base_object = knowledge_base_library.KnowledgeBase()
_ = knowledge_base_object
def testExportEvents(self):
"""Tests the ExportEvents function."""
test_file_path = self._GetTestFilePath(['psort_test.plaso'])
self._SkipIfPathNotExists(test_file_path)
knowledge_base_object = knowledge_base.KnowledgeBase()
output_writer = cli_test_lib.TestBinaryOutputWriter()
formatters_manager.FormattersManager.Reset()
formatters_directory_path = self._GetDataFilePath(['formatters'])
formatters_manager.FormattersManager.ReadFormattersFromDirectory(
formatters_directory_path)
formatter_mediator = formatters_mediator.FormatterMediator()
formatter_mediator.SetPreferredLanguageIdentifier('en-US')
output_mediator_object = output_mediator.OutputMediator(
knowledge_base_object,
formatter_mediator,
data_location=shared_test_lib.TEST_DATA_PATH)
output_module = dynamic.DynamicOutputModule(output_mediator_object)
output_module.SetOutputWriter(output_writer)
configuration = configurations.ProcessingConfiguration()
storage_reader = storage_factory.StorageFactory.CreateStorageReaderForFile(
test_file_path)
test_engine = psort.PsortMultiProcessEngine()
test_engine.ExportEvents(knowledge_base_object, storage_reader,
output_module, configuration)
lines = []
output = output_writer.ReadOutput()
# TODO: add test output writer that produces strings also see:
# https://github.com/log2timeline/plaso/issues/1963
output = codecs.decode(output, 'utf-8')
for line in output.split('\n'):
lines.append(line)
self.assertEqual(len(lines), 22)
expected_line = ('2014-11-18T01:15:43+00:00,'
'Content Modification Time,'
'LOG,'
'Log File,'
'[---] last message repeated 5 times ---,'
'syslog,'
'OS:/tmp/test/test_data/syslog,'
'repeated')
self.assertEqual(lines[14], expected_line)
def _TestProcessPathSpec(
self, storage_writer, path_spec, expected_event_counters,
extraction_worker=None, knowledge_base_values=None,
process_archives=False):
"""Tests processing a path specification.
Args:
storage_writer (StorageWriter): storage writer.
path_spec (dfvfs.PathSpec): path specification.
expected_event_counters (dict[str, int|list[int]]): expected event
counters per event data type.
extraction_worker (Optional[EventExtractorWorker]): worker to process the
path specification. If None, a new worker will be created.
knowledge_base_values (Optional[dict]): knowledge base values.
process_archives (Optional[bool]): whether archive files should be
processed.
"""
knowledge_base_object = knowledge_base.KnowledgeBase()
if knowledge_base_values:
for identifier, value in knowledge_base_values.items():
knowledge_base_object.SetValue(identifier, value)
resolver_context = context.Context()
mediator = parsers_mediator.ParserMediator(
storage_writer, knowledge_base_object,
resolver_context=resolver_context)
if not extraction_worker:
configuration = configurations.ExtractionConfiguration()
configuration.process_archives = process_archives
extraction_worker = worker.EventExtractionWorker()
extraction_worker.SetExtractionConfiguration(configuration)
storage_writer.Open()
try:
storage_writer.WriteSessionStart()
extraction_worker.ProcessPathSpec(mediator, path_spec)
event_source = storage_writer.GetFirstWrittenEventSource()
while event_source:
extraction_worker.ProcessPathSpec(mediator, event_source.path_spec)
event_source = storage_writer.GetNextWrittenEventSource()
storage_writer.WriteSessionCompletion()
if expected_event_counters:
self.CheckEventCounters(storage_writer, expected_event_counters)
finally:
storage_writer.Close()
def testAnalyzeEventsWithEventFilter(self):
"""Tests the AnalyzeEvents function with an event filter."""
test_file_path = self._GetTestFilePath(['psort_test.plaso'])
self._SkipIfPathNotExists(test_file_path)
test_tagging_file_path = self._GetTestFilePath(
['tagging_file', 'valid.txt'])
self._SkipIfPathNotExists(test_tagging_file_path)
session = sessions.Session()
knowledge_base_object = knowledge_base.KnowledgeBase()
data_location = ''
analysis_plugin = tagging.TaggingAnalysisPlugin()
analysis_plugin.SetAndLoadTagFile(test_tagging_file_path)
analysis_plugins = {'tagging': analysis_plugin}
configuration = configurations.ProcessingConfiguration()
test_engine = analysis_engine.AnalysisMultiProcessEngine()
test_filter = filters_test_lib.TestEventFilter()
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, 'storage.plaso')
shutil.copyfile(test_file_path, temp_file)
storage_writer = storage_factory.StorageFactory.CreateStorageWriter(
definitions.DEFAULT_STORAGE_FORMAT)
storage_writer.Open(path=temp_file)
try:
number_of_reports = storage_writer.GetNumberOfAttributeContainers(
'analysis_report')
self.assertEqual(number_of_reports, 2)
test_engine.AnalyzeEvents(session,
knowledge_base_object,
storage_writer,
data_location,
analysis_plugins,
configuration,
event_filter=test_filter,
storage_file_path=temp_directory)
number_of_reports = storage_writer.GetNumberOfAttributeContainers(
'analysis_report')
self.assertEqual(number_of_reports, 3)
finally:
storage_writer.Close()
def testGetValue(self):
"""Tests the GetValue function."""
knowledge_base_object = knowledge_base.KnowledgeBase()
# The plug-in needs to expand {sysregistry} so we need to run
# the WindowsSystemRegistryPath plug-in first.
plugin = windows.WindowsSystemRegistryPath()
plugin.Run(self._searcher, knowledge_base_object)
plugin = windows.WindowsHostname()
plugin.Run(self._searcher, knowledge_base_object)
self.assertEqual(knowledge_base_object.hostname, u'WKS-WIN732BITA')
def testSetActiveSession(self):
"""Tests the SetActiveSession function."""
knowledge_base_object = knowledge_base.KnowledgeBase()
knowledge_base_object.SetActiveSession(
'ddda05bedf324cbd99fa8c24b8a0037a')
self.assertEqual(knowledge_base_object._active_session,
'ddda05bedf324cbd99fa8c24b8a0037a')
knowledge_base_object.SetActiveSession(
knowledge_base_object._DEFAULT_ACTIVE_SESSION)
self.assertEqual(knowledge_base_object._active_session,
knowledge_base_object._DEFAULT_ACTIVE_SESSION)
def testInternalAnalyzeEvents(self):
"""Tests the _AnalyzeEvents function."""
test_file_path = self._GetTestFilePath(['psort_test.plaso'])
self._SkipIfPathNotExists(test_file_path)
test_tagging_file_path = self._GetTestFilePath([
'tagging_file', 'valid.txt'])
self._SkipIfPathNotExists(test_tagging_file_path)
session = sessions.Session()
knowledge_base_object = knowledge_base.KnowledgeBase()
analysis_plugin = tagging.TaggingAnalysisPlugin()
analysis_plugin.SetAndLoadTagFile(test_tagging_file_path)
analysis_plugins = {'tagging': analysis_plugin}
configuration = configurations.ProcessingConfiguration()
test_engine = analysis_engine.AnalysisMultiProcessEngine()
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, 'storage.plaso')
shutil.copyfile(test_file_path, temp_file)
self._ReadSessionConfiguration(temp_file, knowledge_base_object)
storage_writer = storage_factory.StorageFactory.CreateStorageWriter(
definitions.DEFAULT_STORAGE_FORMAT)
test_engine._processing_configuration = configuration
test_engine._session = session
test_engine._storage_file_path = temp_directory
test_engine._StartTaskStorage(definitions.STORAGE_FORMAT_SQLITE)
test_engine._StartAnalysisProcesses(analysis_plugins)
storage_writer.Open(path=temp_file)
try:
events_counter = test_engine._AnalyzeEvents(
storage_writer, analysis_plugins)
finally:
storage_writer.Close()
test_engine._StopAnalysisProcesses()
self.assertIsNotNone(events_counter)
self.assertEqual(events_counter['Events filtered'], 0)
self.assertEqual(events_counter['Events processed'], 38)
def testGetValue(self):
"""Tests the GetValue function."""
plugin = windows.WindowsUsers()
knowledge_base_object = knowledge_base.KnowledgeBase()
plugin.Run(self._win_registry, knowledge_base_object)
users = knowledge_base_object.GetValue(u'users')
self.assertEqual(len(users), 11)
expected_sid = u'S-1-5-21-2036804247-3058324640-2116585241-1114'
self.assertEqual(users[9].get(u'sid', None), expected_sid)
self.assertEqual(users[9].get(u'name', None), u'rsydow')
self.assertEqual(users[9].get(u'path', None), u'C:\\Users\\rsydow')
def testAnalyzeEvents(self):
"""Tests the AnalyzeEvents function."""
storage_file_path = self._GetTestFilePath([u'psort_test.json.plaso'])
session = sessions.Session()
knowledge_base_object = knowledge_base.KnowledgeBase()
formatter_mediator = formatters_mediator.FormatterMediator()
formatter_mediator.SetPreferredLanguageIdentifier(u'en-US')
output_mediator_object = output_mediator.OutputMediator(
knowledge_base_object, formatter_mediator)
output_module = null.NullOutputModule(output_mediator_object)
data_location = u''
analysis_plugin = tagging.TaggingAnalysisPlugin()
# TODO: set tag file.
test_engine = psort.PsortMultiProcessEngine()
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, u'storage.plaso')
shutil.copyfile(storage_file_path, temp_file)
storage_writer = storage_zip_file.ZIPStorageFileWriter(
session, temp_file)
counter = test_engine.AnalyzeEvents(
knowledge_base_object, storage_writer, output_module, data_location,
[analysis_plugin])
# TODO: assert if tests were successful.
_ = counter
test_filter = filters_test_lib.TestEventFilter()
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, u'storage.plaso')
shutil.copyfile(storage_file_path, temp_file)
storage_writer = storage_zip_file.ZIPStorageFileWriter(
session, temp_file)
counter = test_engine.AnalyzeEvents(
knowledge_base_object, storage_writer, data_location,
[analysis_plugin], event_filter=test_filter)
# TODO: assert if tests were successful.
_ = counter
def testGetValue(self):
"""Tests the GetValue function."""
knowledge_base_object = knowledge_base.KnowledgeBase()
# The plug-in needs to expand {sysregistry} so we need to run
# the WindowsSystemRegistryPath plug-in first.
plugin = windows.WindowsSystemRegistryPath()
plugin.Run(self._searcher, knowledge_base_object)
plugin = windows.WindowsTimeZone()
plugin.Run(self._searcher, knowledge_base_object)
time_zone_str = knowledge_base_object.GetValue('time_zone_str')
self.assertEqual(time_zone_str, u'EST5EDT')
def testProduceRecoveryWarning(self):
"""Tests the ProduceRecoveryWarning method."""
knowledge_base_object = knowledge_base.KnowledgeBase()
parser_mediator = mediator.ParserMediator(knowledge_base_object)
storage_writer = fake_writer.FakeStorageWriter()
parser_mediator.SetStorageWriter(storage_writer)
storage_writer.Open()
parser_mediator.ProduceRecoveryWarning('test')
self.assertEqual(storage_writer.number_of_events, 0)
self.assertEqual(storage_writer.number_of_extraction_warnings, 0)
self.assertEqual(storage_writer.number_of_recovery_warnings, 1)
def testGetValue(self):
"""Tests the GetValue function."""
knowledge_base_object = knowledge_base.KnowledgeBase()
# The plug-in needs to expand {sysregistry} so we need to run
# the WindowsSystemRegistryPath plug-in first.
plugin = windows.WindowsSystemRegistryPath()
plugin.Run(self._searcher, knowledge_base_object)
plugin = windows.WindowsProgramFilesPath()
plugin.Run(self._searcher, knowledge_base_object)
path = knowledge_base_object.GetValue('programfiles')
self.assertEqual(path, u'Program Files')
def testGetEnvironmentVariables(self):
"""Tests the GetEnvironmentVariables function."""
knowledge_base_object = knowledge_base.KnowledgeBase()
environment_variable = artifacts.EnvironmentVariableArtifact(
case_sensitive=False, name='SystemRoot', value='C:\\Windows')
knowledge_base_object.AddEnvironmentVariable(environment_variable)
environment_variable = artifacts.EnvironmentVariableArtifact(
case_sensitive=False, name='WinDir', value='C:\\Windows')
knowledge_base_object.AddEnvironmentVariable(environment_variable)
environment_variables = knowledge_base_object.GetEnvironmentVariables()
self.assertEqual(len(environment_variables), 2)
def __init__(self):
"""Initializes an engine."""
super(BaseEngine, self).__init__()
self._abort = False
self._guppy_memory_profiler = None
self._memory_profiler = None
self._name = 'Main'
self._processing_status = processing_status.ProcessingStatus()
self._processing_profiler = None
self._serializers_profiler = None
self._storage_profiler = None
self._task_queue_profiler = None
self.knowledge_base = knowledge_base.KnowledgeBase()
def testGetValue(self):
"""Tests the GetValue function."""
knowledge_base_object = knowledge_base.KnowledgeBase()
# The plug-in needs to expand {sysregistry} so we need to run
# the WindowsSystemRegistryPath plug-in first.
plugin = windows.WindowsSystemRegistryPath()
plugin.Run(self._searcher, knowledge_base_object)
plugin = windows.WindowsVersion()
plugin.Run(self._searcher, knowledge_base_object)
osversion = knowledge_base_object.GetValue('osversion')
self.assertEqual(osversion, u'Windows 7 Ultimate')
def testAnalyzeFileObject(self):
"""Tests the _AnalyzeFileObject function."""
knowledge_base_values = {'year': 2016}
session = sessions.Session()
storage_writer = fake_writer.FakeStorageWriter(session)
knowledge_base_object = knowledge_base.KnowledgeBase()
if knowledge_base_values:
for identifier, value in knowledge_base_values.items():
knowledge_base_object.SetValue(identifier, value)
resolver_context = context.Context()
mediator = parsers_mediator.ParserMediator(
storage_writer,
knowledge_base_object,
preferred_year=2016,
resolver_context=resolver_context)
extraction_worker = worker.EventExtractionWorker()
test_analyzer = analyzers_manager_test.TestAnalyzer()
self.assertEqual(len(test_analyzer.GetResults()), 0)
extraction_worker._analyzers = [test_analyzer]
storage_writer.Open()
storage_writer.WriteSessionStart()
file_entry = self._GetTestFileEntry(['ímynd.dd'])
mediator.SetFileEntry(file_entry)
file_object = file_entry.GetFileObject()
display_name = mediator.GetDisplayName()
event_data_stream = events.EventDataStream()
try:
extraction_worker._AnalyzeFileObject(file_object, display_name,
event_data_stream)
finally:
file_object.close()
storage_writer.WriteSessionCompletion()
storage_writer.Close()
self.assertIsNotNone(event_data_stream)
event_attribute = getattr(event_data_stream, 'test_result', None)
self.assertEqual(event_attribute, 'is_vegetable')
def testGetValue(self):
"""Tests the GetValue function."""
knowledge_base_object = knowledge_base.KnowledgeBase()
plugin = linux.LinuxUsernames()
plugin.Run(self._searcher, knowledge_base_object)
users = knowledge_base_object.GetValue('users')
self.assertEqual(len(users), 13)
self.assertEqual(users[11].get('uid', None), u'14')
self.assertEqual(users[11].get('gid', None), u'50')
self.assertEqual(users[11].get('name', None), u'ftp')
self.assertEqual(users[11].get('path', None), u'/var/ftp')
self.assertEqual(users[11].get('shell', None), u'/sbin/nologin')
def testGetSetValue(self):
"""Tests the GetValue and SetValue functions."""
knowledge_base_object = knowledge_base.KnowledgeBase()
expected_value = u'test value'
knowledge_base_object.SetValue(u'Test', expected_value)
value = knowledge_base_object.GetValue(u'Test')
self.assertEqual(value, expected_value)
value = knowledge_base_object.GetValue(u'tEsT')
self.assertEqual(value, expected_value)
value = knowledge_base_object.GetValue(u'Bogus')
self.assertEqual(value, None)
def testCheckKeyCompatibility(self):
"""Tests the CheckKeyCompatibility function"""
knowledge_base = knowledge_base_engine.KnowledgeBase()
test_filter_file = self._CreateTestArtifactDefinitionsFilterHelper(
[], knowledge_base)
# Compatible Key.
key_path = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control'
compatible_key = test_filter_file.CheckKeyCompatibility(key_path)
self.assertTrue(compatible_key)
# NOT a Compatible Key.
key_path = 'HKEY_USERS\\S-1-5-18'
compatible_key = test_filter_file.CheckKeyCompatibility(key_path)
self.assertFalse(compatible_key)
def _CreateOutputMediator(self, dynamic_time=True):
"""Creates a test output mediator.
Args:
dynamic_time (Optional[bool]): True if date and time values should be
represented in their granularity or semantically.
Returns:
OutputMediator: output mediator.
"""
knowledge_base_object = knowledge_base.KnowledgeBase()
return mediator.OutputMediator(
knowledge_base_object, data_location=shared_test_lib.TEST_DATA_PATH,
dynamic_time=dynamic_time)
def testAnalyzeDataStream(self):
"""Tests the _AnalyzeDataStream function."""
knowledge_base_values = {'year': 2016}
session = sessions.Session()
storage_writer = fake_writer.FakeStorageWriter()
knowledge_base_object = knowledge_base.KnowledgeBase()
if knowledge_base_values:
for identifier, value in knowledge_base_values.items():
knowledge_base_object.SetValue(identifier, value)
resolver_context = context.Context()
parser_mediator = parsers_mediator.ParserMediator(
knowledge_base_object, resolver_context=resolver_context)
parser_mediator.SetPreferredYear(2016)
parser_mediator.SetStorageWriter(storage_writer)
extraction_worker = worker.EventExtractionWorker()
test_analyzer = analyzers_manager_test.TestAnalyzer()
self.assertEqual(len(test_analyzer.GetResults()), 0)
extraction_worker._analyzers = [test_analyzer]
storage_writer.Open()
session_start = session.CreateSessionStart()
storage_writer.AddAttributeContainer(session_start)
file_entry = self._GetTestFileEntry(['syslog.tgz'])
parser_mediator.SetFileEntry(file_entry)
display_name = parser_mediator.GetDisplayName()
event_data_stream = events.EventDataStream()
extraction_worker._AnalyzeDataStream(file_entry, '', display_name,
event_data_stream)
session_completion = session.CreateSessionCompletion()
storage_writer.AddAttributeContainer(session_completion)
storage_writer.Close()
self.assertIsNotNone(event_data_stream)
event_attribute = getattr(event_data_stream, 'test_result', None)
self.assertEqual(event_attribute, 'is_vegetable')
def _TagEvent(self, event, event_data, event_data_stream):
"""Tags an event.
Args:
event (Event): event.
event_data (EventData): event data.
event_data_stream (EventDataStream): event data stream.
Returns:
FakeStorageWriter: storage writer.
Raises:
SkipTest: if the tag file does not exist.
"""
tag_file_path = self._GetDataFilePath([self._TAG_FILE])
self._SkipIfPathNotExists(tag_file_path)
session = sessions.Session()
storage_writer = fake_writer.FakeStorageWriter()
storage_writer.Open()
if event_data_stream:
storage_writer.AddAttributeContainer(event_data_stream)
event_data_stream_identifier = event_data_stream.GetIdentifier()
event_data.SetEventDataStreamIdentifier(
event_data_stream_identifier)
storage_writer.AddAttributeContainer(event_data)
event_data_identifier = event_data.GetIdentifier()
event.SetEventDataIdentifier(event_data_identifier)
storage_writer.AddAttributeContainer(event)
knowledge_base_object = knowledge_base.KnowledgeBase()
mediator = analysis_mediator.AnalysisMediator(session,
knowledge_base_object)
mediator.SetStorageWriter(storage_writer)
plugin = tagging.TaggingAnalysisPlugin()
plugin.SetAndLoadTagFile(tag_file_path)
plugin.ExamineEvent(mediator, event, event_data, event_data_stream)
analysis_report = plugin.CompileReport(mediator)
storage_writer.AddAttributeContainer(analysis_report)
return storage_writer
def _SetUpKnowledgeBase(self, knowledge_base_values=None):
"""Sets up a knowledge base.
Args:
knowledge_base_values: optional dict containing the knowledge base
values. The default is None.
Returns:
An knowledge base object (instance of KnowledgeBase).
"""
knowledge_base_object = knowledge_base.KnowledgeBase()
if knowledge_base_values:
for identifier, value in knowledge_base_values.iteritems():
knowledge_base_object.SetValue(identifier, value)
return knowledge_base_object
def __init__(self):
"""Initializes the front-end object."""
super(PsortFrontend, self).__init__()
self._abort = False
self._debug_mode = False
self._enable_profiling = False
# Instance of EventObjectFilter.
self._event_filter = None
self._event_filter_expression = None
self._knowledge_base = knowledge_base.KnowledgeBase()
self._preferred_language = u'en-US'
self._profiling_directory = None
self._profiling_sample_rate = self._DEFAULT_PROFILING_SAMPLE_RATE
self._profiling_type = u'all'
self._quiet_mode = False
self._use_zeromq = True
def testInternalExportEvents(self):
"""Tests the _ExportEvents function."""
knowledge_base_object = knowledge_base.KnowledgeBase()
output_writer = cli_test_lib.TestOutputWriter()
formatter_mediator = formatters_mediator.FormatterMediator()
output_mediator_object = output_mediator.OutputMediator(
knowledge_base_object, formatter_mediator)
output_module = TestOutputModule(output_mediator_object)
output_module.SetOutputWriter(output_writer)
test_engine = psort.PsortMultiProcessEngine()
formatters_manager.FormattersManager.RegisterFormatter(
TestEventFormatter)
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, u'storage.plaso')
self._CreateTestStorageFile(temp_file)
storage_reader = storage_zip_file.ZIPStorageFileReader(temp_file)
storage_reader.ReadPreprocessingInformation(knowledge_base_object)
event_buffer = TestEventBuffer(output_module, check_dedups=False)
test_engine._ExportEvents(storage_reader, event_buffer)
event_buffer.Flush()
formatters_manager.FormattersManager.DeregisterFormatter(
TestEventFormatter)
lines = []
output = output_writer.ReadOutput()
for line in output.split(b'\n'):
lines.append(line)
self.assertEqual(len(lines), 8)
self.assertTrue(b'My text goes along: My text dude. lines' in lines[2])
self.assertTrue(b'LOG/' in lines[2])
self.assertTrue(b'None in Particular' in lines[2])
self.assertEqual(lines[0], (
b'date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,'
b'version,filename,inode,notes,format,extra'))
def testInternalAnalyzeEvents(self):
"""Tests the _AnalyzeEvents function."""
session = sessions.Session()
knowledge_base_object = knowledge_base.KnowledgeBase()
test_engine = psort.PsortMultiProcessEngine()
test_plugin = TestAnalysisPlugin()
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, u'storage.plaso')
self._CreateTestStorageFile(temp_file)
storage_writer = storage_zip_file.ZIPStorageFileWriter(
session, temp_file)
storage_writer.StartTaskStorage()
storage_writer.Open()
storage_writer.ReadPreprocessingInformation(knowledge_base_object)
# TODO: implement, this currently loops infinite.
# test_engine._AnalyzeEvents(storage_writer, [test_plugin])
storage_writer.Close()
test_filter = filters_test_lib.TestEventFilter()
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, u'storage.plaso')
self._CreateTestStorageFile(temp_file)
storage_writer = storage_zip_file.ZIPStorageFileWriter(
session, temp_file)
storage_writer.StartTaskStorage()
storage_writer.Open()
storage_writer.ReadPreprocessingInformation(knowledge_base_object)
# TODO: implement, this currently loops infinite.
_ = test_engine
_ = test_plugin
_ = test_filter
# test_engine._AnalyzeEvents(
# storage_writer, [test_plugin], event_filter=test_filter)
storage_writer.Close()
