Moved EventLog message string formatting to helper log2timeline#4169

data/formatters/windows.yaml

@@ -110,6 +110,9 @@ short_message:
 ---
 type: 'conditional'
 data_type: 'windows:evt:record'
+custom_helpers:
+- identifier: 'windows_eventlog_message'
+  output_attribute: 'message_string'
 enumeration_helpers:
 - input_attribute: 'event_type'
   output_attribute: 'event_type'
@@ -145,6 +148,9 @@ short_message:
 ---
 type: 'conditional'
 data_type: 'windows:evtx:record'
+custom_helpers:
+- identifier: 'windows_eventlog_message'
+  output_attribute: 'message_string'
 message:
 - '[{event_identifier} / 0x{event_identifier:04x}]'
 - 'Provider identifier: {provider_identifier}'

plaso/formatters/__init__.py

@@ -7,6 +7,7 @@
 from plaso.formatters import firefox
 from plaso.formatters import msiecf
 from plaso.formatters import shell_items
+from plaso.formatters import winevt
 from plaso.formatters import winlnk
 from plaso.formatters import winprefetch
 from plaso.formatters import winreg

plaso/formatters/chrome.py

@@ -11,10 +11,11 @@ class ChromeHistoryTypedCountFormatterHelper(
 
   IDENTIFIER = 'chrome_history_typed_count'
 
-  def FormatEventValues(self, event_values):
+  def FormatEventValues(self, output_mediator, event_values):
     """Formats event values using the helper.
 
     Args:
+      output_mediator (OutputMediator): output mediator.
       event_values (dict[str, object]): event values.
     """
     typed_count = event_values.get('typed_count', None)

plaso/formatters/chrome_preferences.py

@@ -11,10 +11,11 @@ class ChromePreferencesPrimaryURLFormatterHelper(
 
   IDENTIFIER = 'chrome_preferences_primary_url'
 
-  def FormatEventValues(self, event_values):
+  def FormatEventValues(self, output_mediator, event_values):
     """Formats event values using the helper.
 
     Args:
+      output_mediator (OutputMediator): output mediator.
       event_values (dict[str, object]): event values.
     """
     primary_url = event_values.get('primary_url', None)
@@ -28,10 +29,11 @@ class ChromePreferencesSecondaryURLFormatterHelper(
 
   IDENTIFIER = 'chrome_preferences_secondary_url'
 
-  def FormatEventValues(self, event_values):
+  def FormatEventValues(self, output_mediator, event_values):
     """Formats event values using the helper.
 
     Args:
+      output_mediator (OutputMediator): output mediator.
       event_values (dict[str, object]): event values.
     """
     # There appears to be an issue in either GURL.cc or

plaso/formatters/default.py

@@ -18,10 +18,11 @@ def __init__(self):
         data_type=self.DATA_TYPE, format_string=self.FORMAT_STRING,
         format_string_short=self.FORMAT_STRING_SHORT)
 
-  def FormatEventValues(self, event_values):
-    """Formats event values using the helpers.
+  def FormatEventValues(self, output_mediator, event_values):
+    """Formats event values using the helper.
 
     Args:
+      output_mediator (OutputMediator): output mediator.
       event_values (dict[str, object]): event values.
     """
     # TODO: clean up the default formatter and add a test to make sure

plaso/formatters/file_system.py

@@ -10,10 +10,11 @@ class NTFSFileReferenceFormatterHelper(interface.CustomEventFormatterHelper):
 
   IDENTIFIER = 'ntfs_file_reference'
 
-  def FormatEventValues(self, event_values):
+  def FormatEventValues(self, output_mediator, event_values):
     """Formats event values using the helper.
 
     Args:
+      output_mediator (OutputMediator): output mediator.
       event_values (dict[str, object]): event values.
     """
     file_reference = event_values.get('file_reference', None)
@@ -28,10 +29,11 @@ class NTFSParentFileReferenceFormatterHelper(
 
   IDENTIFIER = 'ntfs_parent_file_reference'
 
-  def FormatEventValues(self, event_values):
+  def FormatEventValues(self, output_mediator, event_values):
     """Formats event values using the helper.
 
     Args:
+      output_mediator (OutputMediator): output mediator.
       event_values (dict[str, object]): event values.
     """
     parent_file_reference = event_values.get('parent_file_reference', None)
@@ -45,10 +47,11 @@ class NTFSPathHintsFormatterHelper(interface.CustomEventFormatterHelper):
 
   IDENTIFIER = 'ntfs_path_hints'
 
-  def FormatEventValues(self, event_values):
+  def FormatEventValues(self, output_mediator, event_values):
     """Formats event values using the helper.
 
     Args:
+      output_mediator (OutputMediator): output mediator.
       event_values (dict[str, object]): event values.
     """
     path_hints = event_values.get('path_hints', None)

plaso/formatters/firefox.py

@@ -11,10 +11,11 @@ class FirefoxHistoryTypedCountFormatterHelper(
 
   IDENTIFIER = 'firefox_history_typed_count'
 
-  def FormatEventValues(self, event_values):
+  def FormatEventValues(self, output_mediator, event_values):
     """Formats event values using the helper.
 
     Args:
+      output_mediator (OutputMediator): output mediator.
       event_values (dict[str, object]): event values.
     """
     typed = event_values.get('typed', None)
@@ -32,10 +33,11 @@ class FirefoxHistoryURLHiddenFormatterHelper(
 
   IDENTIFIER = 'firefox_history_url_hidden'
 
-  def FormatEventValues(self, event_values):
+  def FormatEventValues(self, output_mediator, event_values):
     """Formats event values using the helper.
 
     Args:
+      output_mediator (OutputMediator): output mediator.
       event_values (dict[str, object]): event values.
     """
     hidden = event_values.get('hidden', None)

plaso/formatters/interface.py

@@ -21,10 +21,11 @@ class EventFormatterHelper(object):
   """Base class of helper for formatting event data."""
 
   @abc.abstractmethod
-  def FormatEventValues(self, event_values):
+  def FormatEventValues(self, output_mediator, event_values):
     """Formats event values using the helper.
 
     Args:
+      output_mediator (OutputMediator): output mediator.
       event_values (dict[str, object]): event values.
     """
 
@@ -60,10 +61,11 @@ def __init__(
     self.value_if_false = value_if_false
     self.value_if_true = value_if_true
 
-  def FormatEventValues(self, event_values):
+  def FormatEventValues(self, output_mediator, event_values):
     """Formats event values using the helper.
 
     Args:
+      output_mediator (OutputMediator): output mediator.
       event_values (dict[str, object]): event values.
     """
     input_value = event_values.get(self.input_attribute, None)
@@ -82,10 +84,11 @@ class CustomEventFormatterHelper(EventFormatterHelper):
   IDENTIFIER = ''
 
   @abc.abstractmethod
-  def FormatEventValues(self, event_values):
+  def FormatEventValues(self, output_mediator, event_values):
     """Formats event values using the helper.
 
     Args:
+      output_mediator (OutputMediator): output mediator.
       event_values (dict[str, object]): event values.
     """
 
@@ -122,13 +125,14 @@ def __init__(
     self.output_attribute = output_attribute
     self.values = values or {}
 
-  def FormatEventValues(self, event_values):
+  def FormatEventValues(self, output_mediator, event_values):
     """Formats event values using the helper.
 
     If default value is None and there is no corresponding enumeration value
     then the original value is used.
 
     Args:
+      output_mediator (OutputMediator): output mediator.
       event_values (dict[str, object]): event values.
     """
     input_value = event_values.get(self.input_attribute, None)
@@ -169,10 +173,11 @@ def __init__(
     self.output_attribute = output_attribute
     self.values = values or {}
 
-  def FormatEventValues(self, event_values):
+  def FormatEventValues(self, output_mediator, event_values):
     """Formats event values using the helper.
 
     Args:
+      output_mediator (OutputMediator): output mediator.
       event_values (dict[str, object]): event values.
     """
     input_value = event_values.get(self.input_attribute, None)
@@ -275,14 +280,15 @@ def _FormatMessage(self, format_string, event_values):
     # string.strip().
     return message_string.replace('\r', '').replace('\n', '')
 
-  def FormatEventValues(self, event_values):
-    """Formats event values using the helpers.
+  def FormatEventValues(self, output_mediator, event_values):
+    """Formats event values using the helper.
 
     Args:
+      output_mediator (OutputMediator): output mediator.
       event_values (dict[str, object]): event values.
     """
     for helper in self.helpers:
-      helper.FormatEventValues(event_values)
+      helper.FormatEventValues(output_mediator, event_values)
 
   @abc.abstractmethod
   def GetFormatStringAttributeNames(self):

plaso/formatters/msiecf.py

@@ -10,10 +10,11 @@ class MSIECFCachedPathFormatterHelper(interface.CustomEventFormatterHelper):
 
   IDENTIFIER = 'msiecf_cached_path'
 
-  def FormatEventValues(self, event_values):
+  def FormatEventValues(self, output_mediator, event_values):
     """Formats event values using the helper.
 
     Args:
+      output_mediator (OutputMediator): output mediator.
       event_values (dict[str, object]): event values.
     """
     cached_file_path = event_values.get('cached_filename', None)
@@ -30,10 +31,11 @@ class MSIECFHTTPHeadersventFormatterHelper(
 
   IDENTIFIER = 'msiecf_http_headers'
 
-  def FormatEventValues(self, event_values):
+  def FormatEventValues(self, output_mediator, event_values):
     """Formats event values using the helper.
 
     Args:
+      output_mediator (OutputMediator): output mediator.
       event_values (dict[str, object]): event values.
     """
     http_headers = event_values.get('http_headers', None)

plaso/formatters/shell_items.py

@@ -11,10 +11,11 @@ class ShellItemFileEntryNameFormatterHelper(
 
   IDENTIFIER = 'shell_item_file_entry_name'
 
-  def FormatEventValues(self, event_values):
+  def FormatEventValues(self, output_mediator, event_values):
     """Formats event values using the helper.
 
     Args:
+      output_mediator (OutputMediator): output mediator.
       event_values (dict[str, object]): event values.
     """
     event_values['file_entry_name'] = event_values.get('long_name', None)

plaso/formatters/winevt.py

@@ -0,0 +1,58 @@
+# -*- coding: utf-8 -*-
+"""Windows EventLog custom event formatter helpers."""
+
+from plaso.formatters import interface
+from plaso.formatters import logger
+from plaso.formatters import manager
+
+
+class WindowsEventLogMessageFormatterHelper(
+    interface.CustomEventFormatterHelper):
+  """Windows EventLog message formatter helper."""
+
+  IDENTIFIER = 'windows_eventlog_message'
+
+  def __init__(self):
+    """Initialized a indows EventLog message formatter helper."""
+    super(WindowsEventLogMessageFormatterHelper, self).__init__()
+    self._winevt_resources_helper = None
+
+  def FormatEventValues(self, output_mediator, event_values):
+    """Formats event values using the helper.
+
+    Args:
+      output_mediator (OutputMediator): output mediator.
+      event_values (dict[str, object]): event values.
+    """
+    if not self._winevt_resources_helper:
+      self._winevt_resources_helper = output_mediator.GetWinevtResourcesHelper()
+
+    message_string = None
+    provider_identifier = event_values.get('provider_identifier', None)
+    source_name = event_values.get('source_name', None)
+    message_identifier = event_values.get('message_identifier', None)
+    event_version = event_values.get('event_version', None)
+    if (provider_identifier or source_name) and message_identifier:
+      message_string_template = self._winevt_resources_helper.GetMessageString(
+          provider_identifier, source_name, message_identifier, event_version)
+      if message_string_template:
+        string_values = [
+            string or '' for string in event_values.get('strings', [])]
+
+        try:
+          message_string = message_string_template.format(*string_values)
+        except (IndexError, TypeError) as exception:
+          logger.error((
+              'Unable to format message: 0x{0:08x} of provider: {1:s} '
+              'template: "{2:s}" and strings: "{3:s}" with error: '
+              '{4!s}').format(
+                  message_identifier, provider_identifier or '',
+                  message_string_template, ', '.join(string_values), exception))
+          # Unable to create the message string.
+          # TODO: consider returning the unformatted message string.
+
+    event_values['message_string'] = message_string
+
+
+manager.FormattersManager.RegisterEventFormatterHelper(
+    WindowsEventLogMessageFormatterHelper)

plaso/formatters/winlnk.py

@@ -11,10 +11,11 @@ class WindowsShortcutLinkedPathFormatterHelper(
 
   IDENTIFIER = 'windows_shortcut_linked_path'
 
-  def FormatEventValues(self, event_values):
+  def FormatEventValues(self, output_mediator, event_values):
     """Formats event values using the helper.
 
     Args:
+      output_mediator (OutputMediator): output mediator.
       event_values (dict[str, object]): event values.
     """
     linked_path = event_values.get('local_path', None)

plaso/formatters/winprefetch.py

@@ -11,10 +11,11 @@ class WindowsPrefetchPathHintsFormatterHelper(
 
   IDENTIFIER = 'windows_prefetch_path_hints'
 
-  def FormatEventValues(self, event_values):
+  def FormatEventValues(self, output_mediator, event_values):
     """Formats event values using the helper.
 
     Args:
+      output_mediator (OutputMediator): output mediator.
       event_values (dict[str, object]): event values.
     """
     path_hints = event_values.get('path_hints', None)
@@ -28,10 +29,11 @@ class WindowsPrefetchVolumesStringFormatterHelper(
 
   IDENTIFIER = 'windows_prefetch_volumes_string'
 
-  def FormatEventValues(self, event_values):
+  def FormatEventValues(self, output_mediator, event_values):
     """Formats event values using the helper.
 
     Args:
+      output_mediator (OutputMediator): output mediator.
       event_values (dict[str, object]): event values.
     """
     number_of_volumes = event_values.get('number_of_volumes', 0)

plaso/formatters/winreg.py

@@ -11,10 +11,11 @@ class WindowsRegistryValuesFormatterHelper(
 
   IDENTIFIER = 'windows_registry_values'
 
-  def FormatEventValues(self, event_values):
+  def FormatEventValues(self, output_mediator, event_values):
     """Formats event values using the helper.
 
     Args:
+      output_mediator (OutputMediator): output mediator.
       event_values (dict[str, object]): event values.
     """
     values = event_values.get('values', None)