Rietveld Code Review Tool
Help | Bug tracker | Discussion group | Source code | Sign in
(234)

Unified Diff: plaso/formatters/fseventsd.py

Issue 340110043: [plaso] Added fseventd parser #1467 (Closed)
Patch Set: Changes after review Created 6 years, 2 months ago
Use n/p to move between diff chunks; N/P to move between comments. Please Sign in to add in-line comments.
Jump to:
View side-by-side diff with in-line comments
Download patch
Index: plaso/formatters/fseventsd.py
diff --git a/plaso/formatters/fseventsd.py b/plaso/formatters/fseventsd.py
new file mode 100644
index 0000000000000000000000000000000000000000..93e948cb21f5ae42197122025604b8e6c53a52e6
--- /dev/null
+++ b/plaso/formatters/fseventsd.py
@@ -0,0 +1,108 @@
+# -*- coding: utf-8 -*-
+"""The fseventsd event formatter."""
+
+from __future__ import unicode_literals
+
+from plaso.formatters import interface
+from plaso.formatters import manager
+from plaso.lib import errors
+
+
+class FSEventsdEventFormatter(interface.ConditionalEventFormatter):
+ """The fseventsd event formatter."""
+
+ DATA_TYPE = 'macos:fseventsd:record'
+
+ FORMAT_STRING_PIECES = [
+ '{object_type}', ':', '{path}', 'Changes:', '{event_types}', 'Event ID:',
+ '{event_identifier}'
+ ]
+
+ FORMAT_STRING_SHORT_PIECES = ['{path}', '{event_types}']
+
+ SOURCE_SHORT = 'FSEVENT'
+
+ _OBJECT_TYPE_MASKS = {
+ 0x00000001: 'Folder',
+ 0x00001000: 'HardLink',
+ 0x00004000: 'SymbolicLink',
+ 0x00008000: 'File'}
+
+ _EVENT_MASKS = {
+ 0x00000000: 'None',
+ 0x00000002: 'Mount',
+ 0x00000004: 'Unmount',
+ 0x00000020: 'EndOfTransaction',
+ 0x00000800: 'LastHardLinkRemoved',
+ 0x00010000: 'PermissionChanged',
+ 0x00020000: 'ExtendedAttrModified',
+ 0x00040000: 'ExtendedAttrRemoved',
+ 0x00100000: 'DocumentRevision',
+ 0x00400000: 'Item Cloned',
+ 0x01000000: 'Created',
+ 0x02000000: 'Removed',
+ 0x04000000: 'InodeMetaModified',
+ 0x08000000: 'Renamed',
+ 0x10000000: 'Modified',
+ 0x20000000: 'Exchange',
+ 0x40000000: 'FinderInfoModified',
+ 0x80000000: 'FolderCreated'}
+
+ def _GetObjectType(self, flags):
+ """Determines the object type for a given set of FSEvents flags.
+
+ Args:
+ flags (int): fsevents record type flags.
+
+ Returns:
+ str: name of the object type represented by the mask.
+ """
+ for value in self._OBJECT_TYPE_MASKS:
+ if value & flags:
+ return self._OBJECT_TYPE_MASKS[value]
+ return 'UNKNOWN'
+
+ def _GetEventTypes(self, mask):
+ """Determines which events are stored in a set of fsevents flags.
+
+ Args:
+ mask (int): fsevents record type mask.
+
+ Returns:
+ str: a comma separated string containing all the events listed in an
+ fsevents record.
+ """
+ event_types = []
+ for value in self._EVENT_MASKS:
+ if value & mask:
+ event_types.append(self._EVENT_MASKS[value])
+ return ','.join(event_types)
+
+ def GetMessages(self, unused_formatter_mediator, event):
+ """Determines the formatted message strings for an event object.
+
+ Args:
+ formatter_mediator (FormatterMediator): mediates the interactions between
+ formatters and other components, such as storage and Windows EventLog
+ resources.
+ event (EventObject): event.
+
+ Returns:
+ tuple(str, str): formatted message string and short message string.
+
+ Raises:
+ WrongFormatter: if the event object cannot be formatted by the formatter.
+ """
+ if self.DATA_TYPE != event.data_type:
+ raise errors.WrongFormatter(
+ 'Unsupported data type: {0:s}.'.format(event.data_type))
+
+ event_values = event.CopyToDict()
+ flags = event_values['flags']
+ event_values['object_type'] = self._GetObjectType(flags)
+ event_values['event_types'] = self._GetEventTypes(flags)
+
+ return self._ConditionalFormatMessages(event_values)
+
+
+manager.FormattersManager.RegisterFormatter(FSEventsdEventFormatter)

Powered by Google App Engine
RSS Feeds Recent Issues | This issue
This is Rietveld f62528b