1 # -*- coding: utf-8 -*- | 1 # -*- coding: utf-8 -*- |
2 """Event attribute containers.""" | 2 """Event attribute containers.""" |
3 | 3 |
4 import re | 4 import re |
5 | 5 |
6 from plaso.containers import interface | 6 from plaso.containers import interface |
7 from plaso.containers import manager | 7 from plaso.containers import manager |
8 from plaso.lib import py2to3 | 8 from plaso.lib import py2to3 |
9 | 9 |
10 | 10 |
24 | 24 |
25 Args: | 25 Args: |
26 data_type (Optional[str]): event data type indicator. | 26 data_type (Optional[str]): event data type indicator. |
27 """ | 27 """ |
28 super(EventData, self).__init__() | 28 super(EventData, self).__init__() |
29 self.data_type = data_type | 29 self.data_type = data_type |
30 self.offset = None | 30 self.offset = None |
31 self.query = None | 31 self.query = None |
32 | 32 |
33 | 33 |
34 # TODO: split event into source and event components. | |
35 # https://github.com/log2timeline/plaso/wiki/Scribbles-about-events | |
36 | |
37 class EventObject(interface.AttributeContainer): | 34 class EventObject(interface.AttributeContainer): |
38 """Event attribute container. | 35 """Event attribute container. |
39 | 36 |
40 The framework is designed to parse files and create events | 37 The framework is designed to parse files and create events |
41 from individual records, log lines or keys extracted from files. | 38 from individual records, log lines or keys extracted from files. |
42 The event object provides an extensible data storage for event | 39 The event object provides an extensible data storage for event |
43 attributes. | 40 attributes. |
44 | 41 |
45 Attributes: | 42 Attributes: |
46 data_type (str): event data type indicator. | 43 data_type (str): event data type indicator. |
47 display_name (str): display friendly version of the path specification. | 44 display_name (str): display friendly version of the path specification. |
48 filename (str): name of the file related to the event. | 45 filename (str): name of the file related to the event. |
49 hostname (str): name of the host related to the event. | 46 hostname (str): name of the host related to the event. |
50 inode (int): inode of the file related to the event. | 47 inode (int): inode of the file related to the event. |
51 offset (int): offset of the event data. | 48 offset (int): offset of the event data. |
52 pathspec (dfvfs.PathSpec): path specification of the file related to | 49 pathspec (dfvfs.PathSpec): path specification of the file related to |
53 the event. | 50 the event. |
54 tag (EventTag): event tag. | 51 tag (EventTag): event tag. |
55 timestamp (int): timestamp, which contains the number of microseconds | 52 timestamp (int): timestamp, which contains the number of microseconds |
56 since January 1, 1970, 00:00:00 UTC. | 53 since January 1, 1970, 00:00:00 UTC. |
57 """ | 54 """ |
58 CONTAINER_TYPE = u'event' | 55 CONTAINER_TYPE = u'event' |
59 # TODO: eventually move data type out of event since the event source | 56 # TODO: eventually move data type out of event since the event source |
60 # has a data type not the event itself. | 57 # has a data type not the event itself. |
61 DATA_TYPE = None | 58 DATA_TYPE = None |
62 | 59 |
63 def __init__(self): | 60 def __init__(self): |
64 """Initializes an event object.""" | 61 """Initializes an event attribute container.""" |
65 super(EventObject, self).__init__() | 62 super(EventObject, self).__init__() |
| 63 self._event_data_identifier = None |
66 self.data_type = self.DATA_TYPE | 64 self.data_type = self.DATA_TYPE |
67 self.display_name = None | 65 self.display_name = None |
68 self.filename = None | 66 self.filename = None |
69 self.hostname = None | 67 self.hostname = None |
70 self.inode = None | 68 self.inode = None |
71 self.offset = None | 69 self.offset = None |
72 self.pathspec = None | 70 self.pathspec = None |
73 self.tag = None | 71 self.tag = None |
74 self.timestamp = None | 72 self.timestamp = None |
75 | 73 |
| 74 def GetEventDataIdentifier(self): |
| 75 """Retrieves the identifier of the event data associated with the event. |
| 76 |
| 77 The event data identifier is a storage specific value that should not |
| 78 be serialized. |
| 79 |
| 80 Returns: |
| 81 AttributeContainerIdentifier: event identifier or None when not set. |
| 82 """ |
| 83 return self._event_data_identifier |
| 84 |
| 85 def SetEventDataIdentifier(self, event_data_identifier): |
| 86 """Sets the identifier of the event data associated with the event. |
| 87 |
| 88 The event data identifier is a storage specific value that should not |
| 89 be serialized. |
| 90 |
| 91 Args: |
| 92 event_data_identifier (AttributeContainerIdentifier): event identifier. |
| 93 """ |
| 94 self._event_data_identifier = event_data_identifier |
| 95 |
76 | 96 |
77 class EventTag(interface.AttributeContainer): | 97 class EventTag(interface.AttributeContainer): |
78 """Event tag attribute container. | 98 """Event tag attribute container. |
79 | 99 |
80 Attributes: | 100 Attributes: |
81 comment (str): comments. | 101 comment (str): comments. |
82 event_entry_index (int): serialized data stream entry index of the event, | 102 event_entry_index (int): serialized data stream entry index of the event, |
83 this attribute is used by the ZIP and GZIP storage files to | 103 this attribute is used by the ZIP and GZIP storage files to |
84 uniquely identify the event linked to the tag. | 104 uniquely identify the event linked to the tag. |
85 event_stream_number (int): number of the serialized event stream, this | 105 event_stream_number (int): number of the serialized event stream, this |
86 attribute is used by the ZIP and GZIP storage files to uniquely | 106 attribute is used by the ZIP and GZIP storage files to uniquely |
87 identify the event linked to the tag. | 107 identify the event linked to the tag. |
88 labels (list[str]): labels, such as "malware", "application_execution". | 108 labels (list[str]): labels, such as "malware", "application_execution". |
89 """ | 109 """ |
90 CONTAINER_TYPE = u'event_tag' | 110 CONTAINER_TYPE = u'event_tag' |
91 | 111 |
92 _INVALID_LABEL_CHARACTERS_REGEX = re.compile(r'[^A-Za-z0-9_]') | 112 _INVALID_LABEL_CHARACTERS_REGEX = re.compile(r'[^A-Za-z0-9_]') |
93 | 113 |
94 _VALID_LABEL_REGEX = re.compile(r'^[A-Za-z0-9_]+$') | 114 _VALID_LABEL_REGEX = re.compile(r'^[A-Za-z0-9_]+$') |
95 | 115 |
96 def __init__(self, comment=None): | 116 def __init__(self, comment=None): |
97 """Initializes an event tag. | 117 """Initializes an event tag attribute container. |
98 | 118 |
99 Args: | 119 Args: |
100 comment (Optional[str]): comments. | 120 comment (Optional[str]): comments. |
101 """ | 121 """ |
102 super(EventTag, self).__init__() | 122 super(EventTag, self).__init__() |
103 self._event_identifier = None | 123 self._event_identifier = None |
104 self.comment = comment | 124 self.comment = comment |
105 self.event_entry_index = None | 125 self.event_entry_index = None |
106 self.event_stream_number = None | 126 self.event_stream_number = None |
107 self.labels = [] | 127 self.labels = [] |
208 be serialized. | 228 be serialized. |
209 | 229 |
210 Args: | 230 Args: |
211 event_identifier (AttributeContainerIdentifier): event identifier. | 231 event_identifier (AttributeContainerIdentifier): event identifier. |
212 """ | 232 """ |
213 self._event_identifier = event_identifier | 233 self._event_identifier = event_identifier |
214 | 234 |
215 | 235 |
216 manager.AttributeContainersManager.RegisterAttributeContainers([ | 236 manager.AttributeContainersManager.RegisterAttributeContainers([ |
217 EventData, EventObject, EventTag]) | 237 EventData, EventObject, EventTag]) |
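Review bot: The docstrings of the new GetEventDataIdentifier and SetEventDataIdentifier methods on EventObject describe the value as an "event identifier", but what is stored in and returned from `_event_data_identifier` is the identifier of the event data; the Returns line should read `AttributeContainerIdentifier: event data identifier or None when not set.` and the Args line `event_data_identifier (AttributeContainerIdentifier): event data identifier.` Both docstrings also assert that the value should not be serialized, yet nothing in this hunk enforces that: the new attribute relies on the underscore prefix the same way the existing `_event_identifier` on EventTag does, which presumably the base AttributeContainer excludes when it copies attributes out for storage — worth confirming that the base class really does skip underscore-prefixed attributes, since the storage-specific identifier would otherwise end up in the serialized event. The wording in EventTag's SetEventIdentifier docstring, which this mirrors, is correct there because that value genuinely is an event identifier.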