Changes to lookup event definition version log2timeline#4169
joachimmetz committed Jul 24, 2022
1 parent 074c0aa commit 266d76b
Showing 3 changed files with 22 additions and 9 deletions.
3 changes: 2 additions & 1 deletion plaso/output/formatting_helper.py
Expand Up @@ -557,9 +557,10 @@ def _FormatWindowsEventLogMessage(
provider_identifier = getattr(event_data, 'provider_identifier', None)
source_name = getattr(event_data, 'source_name', None)
message_identifier = getattr(event_data, 'message_identifier', None)
event_version = getattr(event_data, 'event_version', None)
if (provider_identifier or source_name) and message_identifier:
message_string_template = self._winevt_resources_helper.GetMessageString(
provider_identifier, source_name, message_identifier)
provider_identifier, source_name, message_identifier, event_version)
if message_string_template:
string_values = [string or '' for string in event_data.strings]
try:
26 changes: 19 additions & 7 deletions plaso/output/winevt_rc.py
Expand Up @@ -366,13 +366,14 @@ def __init__(

def _CacheMessageString(
self, provider_identifier, log_source, message_identifier,
message_string):
event_version, message_string):
"""Caches a specific message string.
Args:
provider_identifier (str): EventLog provider identifier.
log_source (str): EventLog source, such as "Application Error".
message_identifier (int): message identifier.
event_version (int): event version or None if not set.
message_string (str): message string.
"""
if len(self._message_string_cache) >= self._MAXIMUM_CACHED_MESSAGE_STRINGS:
Expand All @@ -381,6 +382,8 @@ def _CacheMessageString(
if provider_identifier:
lookup_key = '{0:s}:0x{1:08x}'.format(
provider_identifier, message_identifier)
if event_version is not None:
lookup_key = '{0:s}:{1:d}'.format(lookup_key, event_version)
self._message_string_cache[lookup_key] = message_string
self._message_string_cache.move_to_end(lookup_key, last=False)

Expand All @@ -390,20 +393,23 @@ def _CacheMessageString(
self._message_string_cache.move_to_end(lookup_key, last=False)

def _GetCachedMessageString(
self, provider_identifier, log_source, message_identifier):
self, provider_identifier, log_source, message_identifier, event_version):
"""Retrieves a specific cached message string.
Args:
provider_identifier (str): EventLog provider identifier.
log_source (str): EventLog source, such as "Application Error".
message_identifier (int): message identifier.
event_version (int): event version or None if not set.
Returns:
str: message string or None if not available.
"""
message_string = None

if provider_identifier:
if event_version is not None:
lookup_key = '{0:s}:{1:d}'.format(lookup_key, event_version)
lookup_key = '{0:s}:0x{1:08x}'.format(
provider_identifier, message_identifier)
message_string = self._message_string_cache.get(lookup_key, None)
Expand Down Expand Up @@ -490,14 +496,15 @@ def _ReadWindowsEventLogMessageFiles(self, storage_reader):

def _ReadWindowsEventLogMessageString(
self, storage_reader, provider_identifier, log_source,
message_identifier):
message_identifier, event_version):
"""Reads an Windows EventLog message string.
Args:
storage_reader (StorageReader): storage reader.
provider_identifier (str): EventLog provider identifier.
log_source (str): EventLog source, such as "Application Error".
message_identifier (int): message identifier.
event_version (int): event version or None if not set.
Returns:
str: message string or None if not available.
Expand Down Expand Up @@ -537,6 +544,9 @@ def _ReadWindowsEventLogMessageString(
filter_expression = (
'provider_identifier == "{0:s}" and identifier == {1:d}').format(
provider_identifier, message_identifier)
if event_version is not None:
filter_expression = '{0:s} and version == {1:d}'.format(
filter_expression, event_version)
for event_definition in storage_reader.GetAttributeContainers(
'windows_wevt_template_event', filter_expression=filter_expression):
logger.debug(
Expand Down Expand Up @@ -603,31 +613,33 @@ def _ReadWindowsEventLogProviders(self, storage_reader):
self._windows_eventlog_providers[log_source] = provider

def GetMessageString(
self, provider_identifier, log_source, message_identifier):
self, provider_identifier, log_source, message_identifier, event_version):
"""Retrieves a specific Windows EventLog message string.
Args:
provider_identifier (str): EventLog provider identifier.
log_source (str): EventLog source, such as "Application Error".
message_identifier (int): message identifier.
event_version (int): event version or None if not set.
Returns:
str: message string or None if not available.
"""
message_string = self._GetCachedMessageString(
provider_identifier, log_source, message_identifier)
provider_identifier, log_source, message_identifier, event_version)
if not message_string:
if self._storage_reader and self._storage_reader.HasAttributeContainers(
'windows_eventlog_provider'):
message_string = self._ReadWindowsEventLogMessageString(
self._storage_reader, provider_identifier, log_source,
message_identifier)
message_identifier, event_version)
else:
message_string = self._GetWinevtRcDatabaseMessageString(
log_source, message_identifier)

if message_string:
self._CacheMessageString(
provider_identifier, log_source, message_identifier, message_string)
provider_identifier, log_source, message_identifier, event_version,
message_string)

return message_string
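Review bot: In `_GetCachedMessageString` the version suffix is applied before `lookup_key` exists: the hunk places `if event_version is not None: lookup_key = '{0:s}:{1:d}'.format(lookup_key, event_version)` directly under `if provider_identifier:`, ahead of the `lookup_key = '{0:s}:0x{1:08x}'.format(provider_identifier, message_identifier)` assignment, so a provider-based lookup with a non-None version raises UnboundLocalError, and even if it did not, the key built afterwards drops the version so a string cached for one event version would be served for another. Move the two version lines below the key assignment, mirroring `_CacheMessageString`, where the suffix is appended after the key is built; the rest of `_GetCachedMessageString` continues outside the hunk. The existing test passes `None` as the version and cannot reach this branch, so an integer-version case would have caught it. The `else` (log_source) branches of both cache helpers and the `_GetWinevtRcDatabaseMessageString` call ignore `event_version`, which is presumably intended since that lookup takes only the source and identifier, but a short comment in `GetMessageString` would make it explicit: `# The winevt-rc database is not versioned; event_version only applies to WEVT template lookups.`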
2 changes: 1 addition & 1 deletion tests/output/winevt_rc.py
Expand Up @@ -73,7 +73,7 @@ def testGetMessageString(self):

message_string = test_helper.GetMessageString(
'{15a7a4f8-0072-4eab-abad-f98a4d666aed}',
'Microsoft-Windows-Dhcp-Client', 0xb00003ed)
'Microsoft-Windows-Dhcp-Client', 0xb00003ed, None)
self.assertEqual(message_string, expected_message_string)
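Review bot: The updated call passes `None` for the new `event_version` argument, so this test only covers the unversioned path and never exercises the version-qualified cache key or the `version == N` filter added in winevt_rc.py. A second assertion with an integer version, e.g. `test_helper.GetMessageString('{15a7a4f8-0072-4eab-abad-f98a4d666aed}', 'Microsoft-Windows-Dhcp-Client', 0xb00003ed, 0)`, would pin that behavior, assuming the test storage file carries a versioned definition for that event — verify against the test data. Repeating the same versioned lookup twice would also drive `_GetCachedMessageString` through its versioned branch on the second call, which a single call cannot. `testGetMessageString` begins outside the hunk.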


