1 # -*- coding: utf-8 -*- | 1 # -*- coding: utf-8 -*- |
2 """Output module for the log2timeline (L2T) CSV format. | 2 """Output module for the log2timeline (L2T) CSV format. |
3 | 3 |
4 For documentation on the L2T CSV format see: | 4 For documentation on the L2T CSV format see: |
5 http://forensicswiki.org/wiki/L2T_CSV | 5 http://forensicswiki.org/wiki/L2T_CSV |
6 """ | 6 """ |
7 | 7 |
| 8 import logging |
| 9 |
8 from plaso.lib import definitions | 10 from plaso.lib import definitions |
9 from plaso.lib import errors | 11 from plaso.lib import errors |
10 from plaso.lib import py2to3 | 12 from plaso.lib import py2to3 |
11 from plaso.lib import timelib | 13 from plaso.lib import timelib |
12 from plaso.output import interface | 14 from plaso.output import interface |
13 from plaso.output import manager | 15 from plaso.output import manager |
14 | 16 |
15 | 17 |
16 class L2TCSVOutputModule(interface.LinearOutputModule): | 18 class L2TCSVOutputModule(interface.LinearOutputModule): |
17 """CSV format used by log2timeline, with 17 fixed fields.""" | 19 """CSV format used by log2timeline, with 17 fixed fields.""" |
54 | 56 |
55 Args: | 57 Args: |
56 event (EventObject): event. | 58 event (EventObject): event. |
57 | 59 |
58 Returns: | 60 Returns: |
59 str: formatted username field. | 61 str: formatted username field. |
60 """ | 62 """ |
61 username = self._output_mediator.GetUsername(event) | 63 username = self._output_mediator.GetUsername(event) |
62 return self._FormatField(username) | 64 return self._FormatField(username) |
63 | 65 |
64 def WriteEventBody(self, event): | 66 def _WriteOutputValues(self, output_values): |
65 """Writes the body of an event object to the output. | 67 """Writes values to the output. |
| 68 |
| 69 Args: |
| 70 output_values (list[str]): output values. |
| 71 """ |
| 72 for index, value in enumerate(output_values): |
| 73 if not isinstance(value, py2to3.STRING_TYPES): |
| 74 value = u'' |
| 75 output_values[index] = value.replace(u',', u' ') |
| 76 |
| 77 output_line = u','.join(output_values) |
| 78 output_line = u'{0:s}\n'.format(output_line) |
| 79 self._WriteLine(output_line) |
| 80 |
| 81 def _GetOutputValues(self, event): |
| 82 """Retrieves output values. |
66 | 83 |
67 Args: | 84 Args: |
68 event (EventObject): event. | 85 event (EventObject): event. |
69 | 86 |
| 87 Returns: |
| 88 list[str]: output values. |
| 89 |
70 Raises: | 90 Raises: |
71 NoFormatterFound: If no event formatter can be found to match the data | 91 NoFormatterFound: If no event formatter can be found to match the data |
72 type in the event object. | 92 type in the event. |
73 """ | 93 """ |
74 if not hasattr(event, u'timestamp'): | 94 if not hasattr(event, u'timestamp'): |
| 95 logging.error(u'Unable to output event without timestamp.') |
75 return | 96 return |
76 | 97 |
| 98 # TODO: add function to pass event_values to GetFormattedMessages. |
77 message, message_short = self._output_mediator.GetFormattedMessages(event) | 99 message, message_short = self._output_mediator.GetFormattedMessages(event) |
78 if message is None or message_short is None: | 100 if message is None or message_short is None: |
| 101 data_type = getattr(event, u'data_type', u'UNKNOWN') |
79 raise errors.NoFormatterFound( | 102 raise errors.NoFormatterFound( |
80 u'Unable to find event formatter for: {0:s}.'.format( | 103 u'Unable to find event formatter for: {0:s}.'.format(data_type)) |
81 getattr(event, u'data_type', u'UNKNOWN'))) | |
82 | 104 |
| 105 # TODO: add function to pass event_values to GetFormattedSources. |
83 source_short, source = self._output_mediator.GetFormattedSources(event) | 106 source_short, source = self._output_mediator.GetFormattedSources(event) |
84 if source is None or source_short is None: | 107 if source is None or source_short is None: |
| 108 data_type = getattr(event, u'data_type', u'UNKNOWN') |
85 raise errors.NoFormatterFound( | 109 raise errors.NoFormatterFound( |
86 u'Unable to find event formatter for: {0:s}.'.format( | 110 u'Unable to find event formatter for: {0:s}.'.format(data_type)) |
87 getattr(event, u'data_type', u'UNKNOWN'))) | |
88 | 111 |
89 date_use = timelib.Timestamp.CopyToDatetime( | 112 date_use = timelib.Timestamp.CopyToDatetime( |
90 event.timestamp, self._output_mediator.timezone) | 113 event.timestamp, self._output_mediator.timezone) |
91 | 114 |
92 format_variables = self._output_mediator.GetFormatStringAttributeNames( | 115 format_variables = self._output_mediator.GetFormatStringAttributeNames( |
93 event) | 116 event) |
94 if format_variables is None: | 117 if format_variables is None: |
95 data_type = getattr(event, u'data_type', u'UNKNOWN') | 118 data_type = getattr(event, u'data_type', u'UNKNOWN') |
96 raise errors.NoFormatterFound( | 119 raise errors.NoFormatterFound( |
97 u'Unable to find event formatter for: {0:s}.'.format(data_type)) | 120 u'Unable to find event formatter for: {0:s}.'.format(data_type)) |
98 | 121 |
99 extra_attributes = [] | 122 extra_attributes = [] |
100 for attribute_name, attribute_value in sorted(event.GetAttributes()): | 123 for attribute_name, attribute_value in sorted(event.GetAttributes()): |
101 if (attribute_name in definitions.RESERVED_VARIABLE_NAMES or | 124 if (attribute_name in definitions.RESERVED_VARIABLE_NAMES or |
102 attribute_name in format_variables): | 125 attribute_name in format_variables): |
103 continue | 126 continue |
104 | 127 |
105 # With ! in {1!s} we force a string conversion since some of | 128 # With ! in {1!s} we force a string conversion since some of |
106 # the extra attributes values can be integer, float point or | 129 # the extra attributes values can be integer, float point or |
107 # boolean values. | 130 # boolean values. |
108 extra_attributes.append( | 131 extra_attributes.append( |
109 u'{0:s}: {1!s} '.format(attribute_name, attribute_value)) | 132 u'{0:s}: {1!s}'.format(attribute_name, attribute_value)) |
110 | 133 |
111 extra_attributes = u' '.join(extra_attributes) | 134 extra_attributes = u'; '.join(extra_attributes) |
112 extra_attributes = extra_attributes.replace(u'\n', u'-').replace(u'\r', u'') | 135 extra_attributes = extra_attributes.replace(u'\n', u'-').replace(u'\r', u'') |
113 | 136 |
114 inode = getattr(event, u'inode', None) | 137 inode = getattr(event, u'inode', None) |
115 if inode is None: | 138 if inode is None: |
116 if hasattr(event, u'pathspec') and hasattr( | 139 if hasattr(event, u'pathspec') and hasattr( |
117 event.pathspec, u'image_inode'): | 140 event.pathspec, u'image_inode'): |
118 inode = event.pathspec.image_inode | 141 inode = event.pathspec.image_inode |
119 if inode is None: | 142 if inode is None: |
120 inode = u'-' | 143 inode = u'-' |
121 | 144 |
136 | 159 |
137 date_string = u'{0:02d}/{1:02d}/{2:04d}'.format( | 160 date_string = u'{0:02d}/{1:02d}/{2:04d}'.format( |
138 date_use.month, date_use.day, date_use.year) | 161 date_use.month, date_use.day, date_use.year) |
139 time_string = u'{0:02d}:{1:02d}:{2:02d}'.format( | 162 time_string = u'{0:02d}:{1:02d}:{2:02d}'.format( |
140 date_use.hour, date_use.minute, date_use.second) | 163 date_use.hour, date_use.minute, date_use.second) |
141 | 164 |
142 output_values = [ | 165 output_values = [ |
143 date_string, | 166 date_string, |
144 time_string, | 167 time_string, |
145 u'{0!s}'.format(self._output_mediator.timezone), | 168 u'{0!s}'.format(self._output_mediator.timezone), |
146 self._output_mediator.GetMACBRepresentation(event), | 169 u'....', |
147 source_short, | 170 source_short, |
148 source, | 171 source, |
149 getattr(event, u'timestamp_desc', u'-'), | 172 u'-', |
150 username, | 173 username, |
151 hostname, | 174 hostname, |
152 message_short, | 175 message_short, |
153 message, | 176 message, |
154 u'2', | 177 u'2', |
155 getattr(event, u'display_name', u'-'), | 178 getattr(event, u'display_name', u'-'), |
156 u'{0!s}'.format(inode), | 179 u'{0!s}'.format(inode), |
157 u' '.join(notes), | 180 u' '.join(notes), |
158 getattr(event, u'parser', u'-'), | 181 getattr(event, u'parser', u'-'), |
159 extra_attributes] | 182 extra_attributes] |
160 | 183 |
161 for index, value in enumerate(output_values): | 184 return output_values |
162 if not isinstance(value, py2to3.STRING_TYPES): | |
163 value = u'' | |
164 output_values[index] = value.replace(u',', u' ') | |
165 | 185 |
166 output_line = u','.join(output_values) | 186 def WriteEventBody(self, event): |
167 output_line = u'{0:s}\n'.format(output_line) | 187 """Writes the body of an event object to the output. |
168 self._WriteLine(output_line) | 188 |
| 189 Args: |
| 190 event (EventObject): event. |
| 191 |
| 192 Raises: |
| 193 NoFormatterFound: If no event formatter can be found to match the data |
| 194 type in the event object. |
| 195 """ |
| 196 output_values = self._GetOutputValues(event) |
| 197 |
| 198 output_values[3] = self._output_mediator.GetMACBRepresentation(event) |
| 199 output_values[6] = getattr(event, u'timestamp_desc', u'-') |
| 200 |
| 201 self._WriteOutputValues(output_values) |
| 202 |
| 203 def WriteEventMACBGroup(self, event_macb_group): |
| 204 """Writes an event MACB group to the output. |
| 205 |
| 206 Args: |
| 207 event_macb_group (list[EventObject]): event MACB group. |
| 208 """ |
| 209 output_values = self._GetOutputValues(event_macb_group[0]) |
| 210 |
| 211 timestamp_descriptions = [ |
| 212 event.timestamp_desc for event in event_macb_group] |
| 213 output_values[3] = ( |
| 214 self._output_mediator.GetMACBRepresentationFromDescriptions( |
| 215 timestamp_descriptions)) |
| 216 # TODO: fix timestamp description in source. |
| 217 output_values[6] = u'; '.join(timestamp_descriptions) |
| 218 |
| 219 self._WriteOutputValues(output_values) |
169 | 220 |
170 def WriteHeader(self): | 221 def WriteHeader(self): |
171 """Writes the header to the output.""" | 222 """Writes the header to the output.""" |
172 self._WriteLine(self._HEADER) | 223 self._WriteLine(self._HEADER) |
173 | 224 |
174 | 225 |
175 manager.OutputManager.RegisterOutput(L2TCSVOutputModule) | 226 manager.OutputManager.RegisterOutput(L2TCSVOutputModule) |
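Review bot: `_GetOutputValues` returns None for an event without a timestamp (the bare `return` after the `logging.error` call), and both `WriteEventBody` and `WriteEventMACBGroup` immediately index the result (`output_values[3] = ...`), so such an event now raises a TypeError where the old `WriteEventBody` silently skipped it. Guard both callers with `if output_values is None: return` and amend the Returns entry to `list[str]: output values, or None if the event has no timestamp.`. In `WriteEventMACBGroup`, `event.timestamp_desc for event in event_macb_group` accesses the attribute directly while `WriteEventBody` uses `getattr(event, u'timestamp_desc', u'-')`; an event in the group lacking it would raise AttributeError, so use the same getattr form there, and the docstring should list NoFormatterFound under Raises since `_GetOutputValues` propagates it. The moved `_WriteOutputValues` only neutralizes commas, and only extra_attributes has `\n`/`\r` stripped, so a newline in message, display_name or notes still passes through and would split the CSV record — worth a sanitizing pass in `_WriteOutputValues` given these values come from the examined evidence.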