1 # -*- coding: utf-8 -*- | 1 # -*- coding: utf-8 -*- |
2 """Parser for Windows XML EventLog (EVTX) files.""" | 2 """Parser for Windows XML EventLog (EVTX) files.""" |
3 | 3 |
4 from collections import namedtuple | 4 from collections import namedtuple |
| 5 |
5 import pyevtx | 6 import pyevtx |
6 | 7 |
7 from dfdatetime import filetime as dfdatetime_filetime | 8 from dfdatetime import filetime as dfdatetime_filetime |
8 from dfdatetime import semantic_time as dfdatetime_semantic_time | 9 from dfdatetime import semantic_time as dfdatetime_semantic_time |
9 | 10 |
10 from plaso import dependencies | |
11 from plaso.containers import events | 11 from plaso.containers import events |
12 from plaso.containers import time_events | 12 from plaso.containers import time_events |
13 from plaso.lib import eventdata | 13 from plaso.lib import eventdata |
14 from plaso.lib import specification | 14 from plaso.lib import specification |
15 from plaso.parsers import interface | 15 from plaso.parsers import interface |
16 from plaso.parsers import manager | 16 from plaso.parsers import manager |
17 | 17 |
18 | 18 |
19 dependencies.CheckModuleVersion(u'pyevtx') | |
20 | |
21 | |
22 class WinEvtxRecordEventData(events.EventData): | 19 class WinEvtxRecordEventData(events.EventData): |
23 """Windows XML EventLog (EVTX) record event data. | 20 """Windows XML EventLog (EVTX) record event data. |
24 | 21 |
25 Attributes: | 22 Attributes: |
26 computer_name (str): computer name stored in the event record. | 23 computer_name (str): computer name stored in the event record. |
27 event_identifier (int): event identifier. | 24 event_identifier (int): event identifier. |
28 event_level (int): event level. | 25 event_level (int): event level. |
29 message_identifier (int): event message identifier. | 26 message_identifier (int): event message identifier. |
30 record_number (int): event record number. | 27 record_number (int): event record number. |
31 recovered (bool): True if the record was recovered. | 28 recovered (bool): True if the record was recovered. |
255 u'unable to open file with error: {0:s}'.format(exception)) | 252 u'unable to open file with error: {0:s}'.format(exception)) |
256 return | 253 return |
257 | 254 |
258 try: | 255 try: |
259 self._ParseRecords(parser_mediator, evtx_file) | 256 self._ParseRecords(parser_mediator, evtx_file) |
260 finally: | 257 finally: |
261 evtx_file.close() | 258 evtx_file.close() |
262 | 259 |
263 | 260 |
264 manager.ParsersManager.RegisterParser(WinEvtxParser) | 261 manager.ParsersManager.RegisterParser(WinEvtxParser) |