
# -*- coding: utf-8 -*-
"""Windows EventLog custom event formatter helpers."""

import re

from plaso.formatters import interface
from plaso.formatters import logger
from plaso.formatters import manager


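class WindowsEventLogMessageFormatterHelper(
    interface.CustomEventFormatterHelper):
  """Windows EventLog message formatter helper.

  Looks up the message string template of a Windows EventLog record through
  the Windows EventLog resources helper of the output mediator, substitutes
  the record's insertion strings into it and stores the result in the
  'message_string' event value.
  """

  IDENTIFIER = 'windows_eventlog_message'

  # An insertion string of the form "%%1234" refers to a parameter message;
  # the digits after the percent signs are the parameter identifier.
  _PARAMETER_REGEX = re.compile(r'^%%[1-9][0-9]*$')

  def __init__(self):
    """Initializes a Windows EventLog message formatter helper."""
    super().__init__()
    # Obtained on first use, since the resources helper comes from the
    # output mediator that is only passed to FormatEventValues.
    self._winevt_resources_helper = None

  def _GetInsertionStrings(
      self, provider_identifier, source_name, event_values):
    """Retrieves the insertion strings with parameter references resolved.

    Args:
      provider_identifier (str|None): EventLog provider identifier.
      source_name (str|None): EventLog source name.
      event_values (dict[str, object]): event values.

    Returns:
      list[str]: insertion strings, where None is replaced by an empty string
          and a "%%1234" parameter reference by the corresponding parameter
          string when one can be retrieved.
    """
    insertion_strings = []

    # A missing or None 'strings' value is treated as no insertion strings.
    # NOTE(review): assumes each entry is a str or None — confirm with the
    # parser that produces 'strings'.
    for string_value in event_values.get('strings') or []:
      if string_value is None:
        string_value = ''

      elif self._PARAMETER_REGEX.match(string_value):
        try:
          parameter_identifier = int(string_value[2:], 10)
          parameter_string = self._winevt_resources_helper.GetParameterString(
              provider_identifier, source_name, parameter_identifier)
          if parameter_string:
            string_value = parameter_string

        except ValueError:
          # Best effort: keep the unresolved "%%1234" reference as-is.
          pass

      insertion_strings.append(string_value)

    return insertion_strings

  def FormatEventValues(self, output_mediator, event_values):
    """Formats event values using the helper.

    Sets the 'message_string' event value to the formatted message string,
    or to None when no message template is available or it cannot be
    formatted with the record's insertion strings.

    Args:
      output_mediator (OutputMediator): output mediator.
      event_values (dict[str, object]): event values.
    """
    if not self._winevt_resources_helper:
      self._winevt_resources_helper = (
          output_mediator.GetWinevtResourcesHelper())

    message_string = None

    provider_identifier = event_values.get('provider_identifier', None)
    source_name = event_values.get('source_name', None)
    message_identifier = event_values.get('message_identifier', None)
    event_version = event_values.get('event_version', None)

    # A template can only be looked up when the record identifies both its
    # provider (by identifier or source name) and its message.
    if (provider_identifier or source_name) and message_identifier:
      message_string_template = self._winevt_resources_helper.GetMessageString(
          provider_identifier, source_name, message_identifier, event_version)

      if message_string_template:
        string_values = self._GetInsertionStrings(
            provider_identifier, source_name, event_values)

        try:
          message_string = message_string_template.format(*string_values)

        except (AttributeError, IndexError, KeyError, TypeError,
                ValueError) as exception:
          # The template is read from the message resources, not written in
          # this module, so besides referencing more insertion strings than
          # available (IndexError) it can contain named placeholders
          # (KeyError), attribute or item access on an insertion string
          # (AttributeError, TypeError) or a malformed replacement field or
          # format specification (ValueError). All of these are treated as
          # a formatting failure rather than aborting the output.
          # NOTE(review): str.format also evaluates attribute and index
          # access written in the template; a string.Formatter restricted to
          # positional fields would be the tighter option if that matters.
          provider_identifier = provider_identifier or ''
          strings = ', '.join(string_values)
          # Assumes message_identifier is an int — TODO confirm.
          logger.error((
              f'Unable to format message: 0x{message_identifier:08x} of '
              f'provider: {provider_identifier:s} template: '
              f'"{message_string_template:s}" and strings: "{strings:s}" '
              f'with error: {exception!s}'))

          # Unable to create the message string.
          # TODO: consider returning the unformatted message string.

    event_values['message_string'] = message_string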
# Register the helper with the formatters manager at import time.
manager.FormattersManager.RegisterEventFormatterHelper(
    WindowsEventLogMessageFormatterHelper)