def GetMessages(self, formatter_mediator, event_data): """Determines the formatted message strings for the event data. Args: formatter_mediator (FormatterMediator): mediates the interactions between formatters and other components, such as storage and Windows EventLog resources. event_data (EventData): event data. Returns: tuple(str, str): formatted message string and short message string. Raises: WrongFormatter: if the event data cannot be formatted by the formatter. """ if self.DATA_TYPE != event_data.data_type: raise errors.WrongFormatter('Unsupported data type: {0:s}.'.format( event_data.data_type)) event_values = event_data.CopyToDict() file_reference = event_values.get('file_reference', None) if file_reference: event_values['file_reference'] = '{0:d}-{1:d}'.format( file_reference & 0xffffffffffff, file_reference >> 48) parent_file_reference = event_values.get('parent_file_reference', None) if parent_file_reference: event_values['parent_file_reference'] = '{0:d}-{1:d}'.format( parent_file_reference & 0xffffffffffff, parent_file_reference >> 48) update_reason_flags = event_values.get('update_reason_flags', 0) update_reasons = [] for bitmask, description in sorted(self._USN_REASON_FLAGS.items()): if bitmask & update_reason_flags: update_reasons.append(description) event_values['update_reason'] = ', '.join(update_reasons) update_source_flags = event_values.get('update_source_flags', 0) update_sources = [] for bitmask, description in sorted(self._USN_SOURCE_FLAGS.items()): if bitmask & update_source_flags: update_sources.append(description) event_values['update_source'] = ', '.join(update_sources) return self._ConditionalFormatMessages(event_values)
def GetMessages(self, formatter_mediator, event_object): """Determines the formatted message strings for an event object. Args: formatter_mediator: the formatter mediator object (instance of FormatterMediator). event_object: the event object (instance of EventObject). Returns: A tuple containing the formatted message string and short message string. Raises: WrongFormatter: if the event object cannot be formatted by the formatter. """ if self.DATA_TYPE != event_object.data_type: raise errors.WrongFormatter( u'Unsupported data type: {0:s}.'.format( event_object.data_type)) event_values = event_object.GetValues() event_type = event_values.get(u'event_type', None) if event_type is not None: event_values[u'event_type'] = self.GetEventTypeString(event_type) # TODO: add string representation of facility. severity = event_values.get(u'severity', None) if severity is not None: event_values[u'severity'] = self.GetSeverityString(severity) source_name = event_values.get(u'source_name', None) message_identifier = event_values.get(u'message_identifier', None) strings = event_values.get(u'strings', []) if source_name and message_identifier: message_string = formatter_mediator.GetWindowsEventMessage( source_name, message_identifier) if message_string: event_values[u'message_string'] = message_string.format( *strings) message_strings = [] for string in strings: message_strings.append(u'\'{0:s}\''.format(string)) message_string = u', '.join(message_strings) event_values[u'strings'] = u'[{0:s}]'.format(message_string) return self._ConditionalFormatMessages(event_values)
def GetMessages(self, unused_formatter_mediator, event): """Determines the formatted message strings for an event object. Args: formatter_mediator (FormatterMediator): mediates the interactions between formatters and other components, such as storage and Windows EventLog resources. event (EventObject): event. Returns: tuple(str, str): formatted message string and short message string. Raises: WrongFormatter: if the event object cannot be formatted by the formatter. """ if self.DATA_TYPE != event.data_type: raise errors.WrongFormatter('Unsupported data type: {0:s}.'.format( event.data_type)) event_values = event.CopyToDict() primary_url = event_values['primary_url'] secondary_url = event_values['secondary_url'] # There is apparently a bug, either in GURL.cc or # content_settings_pattern.cc where URLs with file:// scheme are stored in # the URL as an empty string, which is later detected as being Invalid, and # Chrome produces the following example logs: # content_settings_pref.cc(469)] Invalid pattern strings: https://a.com:443, # content_settings_pref.cc(295)] Invalid pattern strings: , # content_settings_pref.cc(295)] Invalid pattern strings: ,* # More research needed, could be related to https://crbug.com/132659 if primary_url == '': subject = 'local file' elif primary_url == secondary_url or secondary_url == '*': subject = primary_url elif secondary_url == '': subject = '{0:s} embedded in local file'.format(primary_url) else: subject = '{0:s} embedded in {1:s}'.format(primary_url, secondary_url) event_values['subject'] = subject return self._ConditionalFormatMessages(event_values)
def GetMessages(self, unused_formatter_mediator, event_object): """Determines the formatted message strings for an event object. Args: formatter_mediator: the formatter mediator object (instance of FormatterMediator). event_object: the event object (instance of EventObject). Returns: A tuple containing the formatted message string and short message string. Raises: WrongFormatter: if the event object cannot be formatted by the formatter. """ if self.DATA_TYPE != event_object.data_type: raise errors.WrongFormatter(u'Unsupported data type: {0:s}.'.format( event_object.data_type)) event_values = event_object.GetValues() file_reference = event_values.get(u'file_reference', None) if file_reference: event_values[u'file_reference'] = u'{0:d}-{1:d}'.format( file_reference & 0xffffffffffff, file_reference >> 48) parent_file_reference = event_values.get(u'parent_file_reference', None) if parent_file_reference: event_values[u'parent_file_reference'] = u'{0:d}-{1:d}'.format( parent_file_reference & 0xffffffffffff, parent_file_reference >> 48) update_reason_flags = event_values.get(u'update_reason_flags', 0) update_reasons = [] for bitmask, description in sorted(self._USN_REASON_FLAGS.items()): if bitmask & update_reason_flags: update_reasons.append(description) event_values[u'update_reason'] = u', '.join(update_reasons) update_source_flags = event_values.get(u'update_source_flags', 0) update_sources = [] for bitmask, description in sorted(self._USN_SOURCE_FLAGS.items()): if bitmask & update_source_flags: update_sources.append(description) event_values[u'update_source'] = u', '.join(update_sources) return self._ConditionalFormatMessages(event_values)
def GetMessages(self, unused_formatter_mediator, event): """Determines the formatted message strings for an event object. Args: formatter_mediator (FormatterMediator): mediates the interactions between formatters and other components, such as storage and Windows EventLog resources. event (EventObject): event. Returns: tuple(str, str): formatted message string and short message string. Raises: WrongFormatter: if the event object cannot be formatted by the formatter. """ if self.DATA_TYPE != event.data_type: raise errors.WrongFormatter( u'Unsupported data type: {0:s}.'.format(event.data_type)) event_values = event.CopyToDict() event = event_values.get(u'event', None) if event: event_values[u'event_map'] = self.EVENT_NAMES.get( event, u'Unknown') category = event_values.get(u'cat', None) if category: event_values[u'category_map'] = self.CATEGORY_NAMES.get( category, u'Unknown') action = event_values.get(u'action0', None) if action: event_values[u'action0_map'] = self.ACTION_0_NAMES.get( action, u'Unknown') action = event_values.get(u'action1', None) if action: event_values[u'action1_map'] = self.ACTION_1_2_NAMES.get( action, u'Unknown') action = event_values.get(u'action2', None) if action: event_values[u'action2_map'] = self.ACTION_1_2_NAMES.get( action, u'Unknown') return self._ConditionalFormatMessages(event_values)
def GetMessages(self, unused_formatter_mediator, event): """Determines the formatted message strings for an event object. Args: formatter_mediator (FormatterMediator): mediates the interactions between formatters and other components, such as storage and Windows EventLog resources. event (EventObject): event. Returns: tuple(str, str): formatted message string and short message string. Raises: WrongFormatter: if the event object cannot be formatted by the formatter. """ if self.DATA_TYPE != event.data_type: raise errors.WrongFormatter( u'Invalid event object - unsupported data type: {0:s}'.format( event.data_type)) event_values = event.CopyToDict() number_of_volumes = event_values.get(u'number_of_volumes', 0) volume_serial_numbers = event_values.get(u'volume_serial_numbers', None) volume_device_paths = event_values.get(u'volume_device_paths', None) volumes_strings = [] for volume_index in range(0, number_of_volumes): if not volume_serial_numbers: volume_serial_number = u'UNKNOWN' else: volume_serial_number = volume_serial_numbers[volume_index] if not volume_device_paths: volume_device_path = u'UNKNOWN' else: volume_device_path = volume_device_paths[volume_index] volumes_strings.append( (u'volume: {0:d} [serial number: 0x{1:08X}, device path: ' u'{2:s}]').format(volume_index + 1, volume_serial_number, volume_device_path)) if volumes_strings: event_values[u'volumes_string'] = u', '.join(volumes_strings) return self._ConditionalFormatMessages(event_values)
def GetMessages(self, unused_formatter_mediator, event_object): """Determines the formatted message strings for an event object. Args: formatter_mediator: the formatter mediator object (instance of FormatterMediator). event_object: the event object (instance of EventObject). Returns: A tuple containing the formatted message string and short message string. Raises: WrongFormatter: if the event object cannot be formatted by the formatter. """ if self.DATA_TYPE != event_object.data_type: raise errors.WrongFormatter( u'Unsupported data type: {0:s}.'.format( event_object.data_type)) event_values = event_object.GetValues() event = event_values.get(u'event', None) if event: event_values[u'event_map'] = self.EVENT_NAMES.get( event, u'Unknown') category = event_values.get(u'cat', None) if category: event_values[u'category_map'] = self.CATEGORY_NAMES.get( category, u'Unknown') action = event_values.get(u'action0', None) if action: event_values[u'action0_map'] = self.ACTION_0_NAMES.get( action, u'Unknown') action = event_values.get(u'action1', None) if action: event_values[u'action1_map'] = self.ACTION_1_2_NAMES.get( action, u'Unknown') action = event_values.get(u'action2', None) if action: event_values[u'action2_map'] = self.ACTION_1_2_NAMES.get( action, u'Unknown') return self._ConditionalFormatMessages(event_values)
def GetSources(self, event): """Determines the the short and long source for an event object. Args: event (EventObject): event. Returns: tuple(str, str): short and long source string. Raises: WrongFormatter: if the event object cannot be formatted by the formatter. """ if self.DATA_TYPE != event.data_type: raise errors.WrongFormatter('Unsupported data type: {0:s}.'.format( event.data_type)) return self.SOURCE_SHORT, self.SOURCE_LONG
def GetMessages(self, unused_formatter_mediator, event_object): """Determines the formatted message strings for an event object. Args: formatter_mediator: the formatter mediator object (instance of FormatterMediator). event_object: the event object (instance of EventObject). Returns: A tuple containing the formatted message string and short message string. Raises: WrongFormatter: if the event object cannot be formatted by the formatter. """ if self.DATA_TYPE != event_object.data_type: raise errors.WrongFormatter( u'Invalid event object - unsupported data type: {0:s}'.format( event_object.data_type)) event_values = event_object.CopyToDict() number_of_volumes = event_values.get(u'number_of_volumes', 0) volume_serial_numbers = event_values.get(u'volume_serial_numbers', None) volume_device_paths = event_values.get(u'volume_device_paths', None) volumes_strings = [] for volume_index in range(0, number_of_volumes): if not volume_serial_numbers: volume_serial_number = u'UNKNOWN' else: volume_serial_number = volume_serial_numbers[volume_index] if not volume_device_paths: volume_device_path = u'UNKNOWN' else: volume_device_path = volume_device_paths[volume_index] volumes_strings.append( (u'volume: {0:d} [serial number: 0x{1:08X}, device path: ' u'{2:s}]').format(volume_index + 1, volume_serial_number, volume_device_path)) if volumes_strings: event_values[u'volumes_string'] = u', '.join(volumes_strings) return self._ConditionalFormatMessages(event_values)
def GetSources(self, event_object): """Returns a list of source short and long messages for the event.""" if self.DATA_TYPE != event_object.data_type: raise errors.WrongFormatter( u'Unsupported data type: {0:s}.'.format( event_object.data_type)) self.source_string = getattr(event_object, 'source_long', None) if not self.source_string: registry_type = getattr(event_object, 'registry_type', 'UNKNOWN') self.source_string = u'{0:s} key'.format(registry_type) if hasattr(event_object, 'source_append'): self.source_string += u' {0:s}'.format(event_object.source_append) return super(WinRegistryGenericFormatter, self).GetSources(event_object)
def GetMessages(self, event_object): """Returns a list of messages extracted from an event object. Args: event_object: The event object (EventObject) containing the event specific data. Returns: A list that contains both the longer and shorter version of the message string. """ if self.DATA_TYPE != event_object.data_type: raise errors.WrongFormatter(u'Unsupported data type: {:s}.'.format( event_object.data_type)) # Using getattr here to make sure the attribute is not set to None. # if A.b = None, hasattr(A, b) is True but getattr(A, b, None) is False. string_pieces = [] for map_index, attribute_name in enumerate( self._format_string_pieces_map): if not attribute_name or hasattr(event_object, attribute_name): if attribute_name: attribute = getattr(event_object, attribute_name, None) # If an attribute is an int, yet has zero value we want to include # that in the format string, since that is still potentially valid # information. Otherwise we would like to skip it. if type(attribute) not in (bool, int, long, float) and not attribute: continue string_pieces.append(self.FORMAT_STRING_PIECES[map_index]) self.format_string = unicode( self.FORMAT_STRING_SEPARATOR.join(string_pieces)) string_pieces = [] for map_index, attribute_name in enumerate( self._format_string_short_pieces_map): if not attribute_name or getattr(event_object, attribute_name, None): string_pieces.append( self.FORMAT_STRING_SHORT_PIECES[map_index]) self.format_string_short = unicode( self.FORMAT_STRING_SEPARATOR.join(string_pieces)) return super(ConditionalEventFormatter, self).GetMessages(event_object)
def GetMessages(self, formatter_mediator, event_data): """Determines the formatted message strings for the event data. Args: formatter_mediator (FormatterMediator): mediates the interactions between formatters and other components, such as storage and Windows EventLog resources. event_data (EventData): event data. Returns: tuple(str, str): formatted message string and short message string. Raises: WrongFormatter: if the event data cannot be formatted by the formatter. """ if self.DATA_TYPE != event_data.data_type: raise errors.WrongFormatter('Unsupported data type: {0:s}.'.format( event_data.data_type)) event_values = event_data.CopyToDict() attribute_type = event_values.get('attribute_type', 0) event_values['attribute_name'] = self._ATTRIBUTE_NAMES.get( attribute_type, 'UNKNOWN') file_reference = event_values.get('file_reference', None) if file_reference: event_values['file_reference'] = '{0:d}-{1:d}'.format( file_reference & 0xffffffffffff, file_reference >> 48) parent_file_reference = event_values.get('parent_file_reference', None) if parent_file_reference: event_values['parent_file_reference'] = '{0:d}-{1:d}'.format( parent_file_reference & 0xffffffffffff, parent_file_reference >> 48) if not event_values.get('is_allocated', False): event_values['unallocated'] = 'unallocated' path_hints = event_values.get('path_hints', []) if path_hints: event_values['path_hints'] = ';'.join(path_hints) return self._ConditionalFormatMessages(event_values)
def GetMessages(self, formatter_mediator, event): """Determines the formatted message strings for an event object. Args: formatter_mediator (FormatterMediator): mediates the interactions between formatters and other components, such as storage and Windows EventLog resources. event (EventObject): event. Returns: tuple(str, str): formatted message string and short message string. Raises: WrongFormatter: if the event object cannot be formatted by the formatter. """ if self.DATA_TYPE != event.data_type: raise errors.WrongFormatter('Unsupported data type: {0:s}.'.format( event.data_type)) event_values = event.CopyToDict() source_name = event_values.get('source_name', None) message_identifier = event_values.get('message_identifier', None) strings = event_values.get('strings', []) if source_name and message_identifier: message_string = formatter_mediator.GetWindowsEventMessage( source_name, message_identifier) if message_string: try: event_values['message_string'] = message_string.format( *strings) except IndexError: pass message_strings = [] for string in strings: if string: message_strings.append('\'{0:s}\''.format(string)) message_string = ', '.join(message_strings) event_values['strings'] = '[{0:s}]'.format(message_string) return self._ConditionalFormatMessages(event_values)
def GetMessages(self, event_object): """Returns a list of messages extracted from an event object. Args: event_object: The event object (EventObject) containing the event specific data. Returns: A list that contains both the longer and shorter version of the message string. """ if self.DATA_TYPE != event_object.data_type: raise errors.WrongFormatter( u'Unsupported data type: {0:s}.'.format( event_object.data_type)) if not getattr(event_object, 'allocated', True): event_object.unallocated = u'unallocated' return super(PfileStatFormatter, self).GetMessages(event_object)
def GetMessages(self, unused_ormatter_mediator, event_object): """Determines the formatted message strings for an event object. Args: formatter_mediator: the formatter mediator object (instance of FormatterMediator). event_object: the event object (instance of EventObject). Returns: A tuple containing the formatted message string and short message string. Raises: WrongFormatter: if the event object cannot be formatted by the formatter. """ if self.DATA_TYPE != event_object.data_type: raise errors.WrongFormatter(u'Unsupported data type: {0:s}.'.format( event_object.data_type)) event_values = event_object.CopyToDict() return self._ConditionalFormatMessages(event_values)
def GetMessages(self, unused_formatter_mediator, event_object): """Determines the formatted message strings for an event object. Args: formatter_mediator: the formatter mediator object (instance of FormatterMediator). event_object: the event object (instance of EventObject). Returns: A tuple containing the formatted message string and short message string. Raises: WrongFormatter: if the event object cannot be formatted by the formatter. """ if self.DATA_TYPE != event_object.data_type: raise errors.WrongFormatter( u'Unsupported data type: {0:s}.'.format( event_object.data_type)) event_values = event_object.CopyToDict() attribute_type = event_values.get(u'attribute_type', 0) event_values[u'attribute_name'] = self._ATTRIBUTE_NAMES.get( attribute_type, u'UNKNOWN') file_reference = event_values.get(u'file_reference', None) if file_reference: event_values[u'file_reference'] = u'{0:d}-{1:d}'.format( file_reference & 0xffffffffffff, file_reference >> 48) parent_file_reference = event_values.get(u'parent_file_reference', None) if parent_file_reference: event_values[u'parent_file_reference'] = u'{0:d}-{1:d}'.format( parent_file_reference & 0xffffffffffff, parent_file_reference >> 48) if not event_values.get(u'is_allocated', False): event_values[u'unallocated'] = u'unallocated' return self._ConditionalFormatMessages(event_values)
def GetMessages(self, formatter_mediator, event_data): """Determines the formatted message strings for the event data. Args: formatter_mediator (FormatterMediator): mediates the interactions between formatters and other components, such as storage and Windows EventLog resources. event_data (EventData): event data. Returns: tuple(str, str): formatted message string and short message string. Raises: WrongFormatter: if the event data cannot be formatted by the formatter. """ if self.DATA_TYPE != event_data.data_type: raise errors.WrongFormatter('Unsupported data type: {0:s}.'.format( event_data.data_type)) event_values = event_data.CopyToDict() values = event_values.get('values', None) if values is None: # TODO: remove regvalue, which is kept for backwards compatibility. regvalue = event_values.get('regvalue', {}) string_parts = [] for key, value in sorted(regvalue.items()): string_parts.append('{0:s}: {1!s}'.format(key, value)) values = ' '.join(string_parts) event_values['values'] = values if not values: event_values['values'] = '(empty)' if 'key_path' in event_values: format_string = self.FORMAT_STRING else: format_string = self.FORMAT_STRING_ALTERNATIVE return self._FormatMessages( format_string, self.FORMAT_STRING_SHORT, event_values)
def GetMessages(self, formatter_mediator, event_data): """Determines the formatted message strings for the event data. Args: formatter_mediator (FormatterMediator): mediates the interactions between formatters and other components, such as storage and Windows EventLog resources. event_data (EventData): event data. Returns: tuple(str, str): formatted message string and short message string. Raises: WrongFormatter: if the event data cannot be formatted by the formatter. """ if self.DATA_TYPE != event_data.data_type: raise errors.WrongFormatter('Unsupported data type: {0:s}.'.format( event_data.data_type)) event_values = event_data.CopyToDict() error_control = event_values.get('error_control', None) if error_control is not None: error_control = ( human_readable_service_enums.SERVICE_ENUMS['ErrorControl'].get( error_control, error_control)) event_values['error_control'] = error_control service_type = event_values.get('service_type', None) if service_type is not None: service_type = human_readable_service_enums.SERVICE_ENUMS[ 'Type'].get(service_type, service_type) event_values['service_type'] = service_type start_type = event_values.get('start_type', None) if start_type is not None: start_type = human_readable_service_enums.SERVICE_ENUMS[ 'Start'].get(start_type, start_type) event_values['start_type'] = start_type return self._ConditionalFormatMessages(event_values)
def GetMessages(self, unused_formatter_mediator, event): """Determines the formatted message strings for an event object. Args: formatter_mediator (FormatterMediator): mediates the interactions between formatters and other components, such as storage and Windows EventLog resources. event (EventObject): event. Returns: tuple(str, str): formatted message string and short message string. Raises: WrongFormatter: if the event object cannot be formatted by the formatter. """ if self.DATA_TYPE != event.data_type: raise errors.WrongFormatter('Unsupported data type: {0:s}.'.format( event.data_type)) event_values = event.CopyToDict() return self._ConditionalFormatMessages(event_values)
def GetMessages(self, event_object): """Return the message strings.""" if self.DATA_TYPE != event_object.data_type: raise errors.WrongFormatter( u'Unsupported data type: {0:s}.'.format( event_object.data_type)) transition = self._URL_TRANSITIONS.get( getattr(event_object, 'visit_type', 0), None) if transition: transition_str = u'Transition: {0!s}'.format(transition) if hasattr(event_object, 'extra'): if transition: event_object.extra.append(transition_str) event_object.extra_string = u' '.join(event_object.extra) elif transition: event_object.extra_string = transition_str return super(FirefoxPageVisitFormatter, self).GetMessages(event_object)
def GetSources(self, event): """Determines the the short and long source for an event object. Args: event (EventObject): event. Returns: tuple(str, str): short and long source string. Raises: WrongFormatter: if the event object cannot be formatted by the formatter. """ if self.DATA_TYPE != event.data_type: raise errors.WrongFormatter('Unsupported data type: {0:s}.'.format( event.data_type)) file_system_type = getattr(event, 'file_system_type', 'UNKNOWN') timestamp_desc = getattr(event, 'timestamp_desc', 'Time') source_long = '{0:s} {1:s}'.format(file_system_type, timestamp_desc) return self.SOURCE_SHORT, source_long
def GetMessages(self, event_object): """Returns a list of messages extracted from an event object. Args: event_object: The event object (EventObject) containing the event specific data. Returns: A list that contains both the longer and shorter version of the message string. """ if self.DATA_TYPE != event_object.data_type: raise errors.WrongFormatter( u'Unsupported data type: {0:s}.'.format( event_object.data_type)) # Update event object with the event type string. event_object.event_type_string = self.GetEventTypeString( event_object.event_type) return super(WinEvtFormatter, self).GetMessages(event_object)
def GetSources(self, event_object): """Determines the the short and long source for an event object. Args: event_object: the event object (instance of EventObject). Returns: A tuple of the short and long source string. Raises: WrongFormatter: if the event object cannot be formatted by the formatter. """ if self.DATA_TYPE != event_object.data_type: raise errors.WrongFormatter('Unsupported data type: {0:s}.'.format( event_object.data_type)) fs_type = getattr(event_object, u'fs_type', u'Unknown FS') timestamp_desc = getattr(event_object, u'timestamp_desc', u'Time') source_long = u'{0:s} {1:s}'.format(fs_type, timestamp_desc) return self.SOURCE_SHORT, source_long
def GetMessages(self, event_object): """Format the message string.""" if event_object.data_type != self.DATA_TYPE: raise errors.WrongFormatter( u'Unsupported data type: {0:s}.'.format( event_object.data_type)) # TODO: Move this to a more generic GA cookie formatter once # more cookie parsers are implemented, since this should be a # shared code. # Create a separate cookie formatter that will handle them in a # generic sense and have this ineherit from that. ga_cookie = getattr(event_object, 'cookie_name', 'N/A') ga_data = [] if ga_cookie == '__utmz': ga_data.append(u'Sessions: {}'.format( getattr(event_object, 'sessions', 0))) ga_data.append(u'Domain Hash: {}'.format( getattr(event_object, 'domain_hash', 'N/A'))) ga_data.append(u'Sources: {}'.format( getattr(event_object, 'sources', 0))) ga_data.append(u'Variables: {}'.format(u' '.join( getattr(event_object, 'extra', [])))) elif ga_cookie == '__utmb': ga_data.append(u'Pages Viewed: {}'.format( getattr(event_object, 'pages_viewed', 0))) ga_data.append(u'Domain Hash: {}'.format( getattr(event_object, 'domain_hash', 'N/A'))) elif ga_cookie == '__utma': ga_data.append(u'Sessions: {}'.format( getattr(event_object, 'sessions', 0))) ga_data.append(u'Domain Hash: {}'.format( getattr(event_object, 'domain_hash', 'N/A'))) ga_data.append(u'Visitor ID: {}'.format( getattr(event_object, 'domain_hash', 'N/A'))) if ga_data: event_object.ga_data = u' - '.join(ga_data) return super(ChromeCookieFormatter, self).GetMessages(event_object)
def GetMessages(self, unused_formatter_mediator, event_object): """Determines the formatted message strings for an event object. Args: formatter_mediator: the formatter mediator object (instance of FormatterMediator). event_object: the event object (instance of EventObject). Returns: A tuple containing the formatted message string and short message string. Raises: WrongFormatter: if the event object cannot be formatted by the formatter. """ if self.DATA_TYPE != event_object.data_type: raise errors.WrongFormatter( u'Unsupported data type: {0:s}.'.format( event_object.data_type)) event_values = event_object.CopyToDict() http_headers = event_values.get(u'http_headers', None) if http_headers: event_values[u'http_headers'] = http_headers.replace( u'\r\n', u' - ') if event_values.get(u'recovered', None): event_values[u'recovered_string'] = u'[Recovered Entry]' cached_file_path = event_values.get(u'cached_filename', None) if cached_file_path: cache_directory_name = event_values.get(u'cache_directory_name', None) if cache_directory_name: cached_file_path = u'\\'.join( [cache_directory_name, cached_file_path]) event_values[u'cached_file_path'] = cached_file_path return self._ConditionalFormatMessages(event_values)
def GetMessages(self, unused_formatter_mediator, event): """Determines the formatted message strings for an event object. Args: formatter_mediator (FormatterMediator): mediates the interactions between formatters and other components, such as storage and Windows EventLog resources. event (EventObject): event. Returns: tuple(str, str): formatted message string and short message string. Raises: WrongFormatter: if the event object cannot be formatted by the formatter. """ if self.DATA_TYPE != event.data_type: raise errors.WrongFormatter( u'Unsupported data type: {0:s}.'.format(event.data_type)) event_values = event.CopyToDict() http_headers = event_values.get(u'http_headers', None) if http_headers: event_values[u'http_headers'] = http_headers.replace( u'\r\n', u' - ') if event_values.get(u'recovered', None): event_values[u'recovered_string'] = u'[Recovered Entry]' cached_file_path = event_values.get(u'cached_filename', None) if cached_file_path: cache_directory_name = event_values.get(u'cache_directory_name', None) if cache_directory_name: cached_file_path = u'\\'.join( [cache_directory_name, cached_file_path]) event_values[u'cached_file_path'] = cached_file_path return self._ConditionalFormatMessages(event_values)
def GetMessages(self, formatter_mediator, event_data): """Determines the formatted message strings for the event data. Args: formatter_mediator (FormatterMediator): mediates the interactions between formatters and other components, such as storage and Windows EventLog resources. event_data (EventData): event data. Returns: tuple(str, str): formatted message string and short message string. Raises: WrongFormatter: if the event data cannot be formatted by the formatter. """ if self.DATA_TYPE != event_data.data_type: raise errors.WrongFormatter('Unsupported data type: {0:s}.'.format( event_data.data_type)) event_values = event_data.CopyToDict() priority_level = event_values.get('level', None) if isinstance(priority_level, int): event_values['level'] = '{0:s} ({1:d})'.format( self._PRIORITY_LEVELS.get(priority_level, 'UNKNOWN'), priority_level) # If no rights are assigned the value is 0xffffffff (-1). read_uid = event_values.get('read_uid', None) if read_uid == -1: event_values['read_uid'] = 'ALL' # If no rights are assigned the value is 0xffffffff (-1). read_gid = event_values.get('read_gid', None) if read_gid == -1: event_values['read_gid'] = 'ALL' # TODO: get the real name for the user of the group having the uid or gid. return self._ConditionalFormatMessages(event_values)
def GetMessages(self, formatter_mediator, event_data): """Determines the formatted message strings for the event data. Args: formatter_mediator (FormatterMediator): mediates the interactions between formatters and other components, such as storage and Windows EventLog resources. event_data (EventData): event data. Returns: tuple(str, str): formatted message string and short message string. Raises: WrongFormatter: if the event data cannot be formatted by the formatter. """ if self.DATA_TYPE != event_data.data_type: raise errors.WrongFormatter('Unsupported data type: {0:s}.'.format( event_data.data_type)) event_values = event_data.CopyToDict() return self._FormatMessages(self.FORMAT_STRING, self.FORMAT_STRING_SHORT, event_values)
def GetMessages(self, unused_formatter_mediator, event_object): """Determines the formatted message strings for an event object. Args: formatter_mediator: the formatter mediator object (instance of FormatterMediator). event_object: the event object (instance of EventObject). Returns: A tuple containing the formatted message string and short message string. Raises: WrongFormatter: if the event object cannot be formatted by the formatter. """ if self.DATA_TYPE != event_object.data_type: raise errors.WrongFormatter( u'Unsupported data type: {0:s}.'.format( event_object.data_type)) event_values = event_object.CopyToDict() priority_level = event_values.get(u'level', None) if isinstance(priority_level, py2to3.INTEGER_TYPES): event_values[u'level'] = u'{0:s} ({1:d})'.format( self._PRIORITY_LEVELS.get(priority_level, u'UNKNOWN'), priority_level) # If no rights are assigned the value is 0xffffffff (-1). read_uid = event_values.get(u'read_uid', None) if read_uid == 0xffffffff: event_values[u'read_uid'] = u'ALL' # If no rights are assigned the value is 0xffffffff (-1). read_gid = event_values.get(u'read_gid', None) if read_gid == 0xffffffff: event_values[u'read_gid'] = u'ALL' # TODO: get the real name for the user of the group having the uid or gid. return self._ConditionalFormatMessages(event_values)
def GetSources(self, event): """Determines the the short and long source for an event object. Args: event (EventObject): event. Returns: tuple(str, str): short and long source string. Raises: WrongFormatter: if the event object cannot be formatted by the formatter. """ if self.DATA_TYPE != event.data_type: raise errors.WrongFormatter( u'Unsupported data type: {0:s}.'.format(event.data_type)) source_long = getattr(event, u'source_long', u'UNKNOWN') source_append = getattr(event, u'source_append', None) if source_append: source_long = u'{0:s} {1:s}'.format(source_long, source_append) return self.SOURCE_SHORT, source_long