Changes to normalize EventLog message file paths #4169 (#4198)

log2timeline · Aug 18, 2022 · 134e4ee · 134e4ee
1 parent 418b19b
commit 134e4ee
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 33 deletions.
diff --git a/plaso/output/formatting_helper.py b/plaso/output/formatting_helper.py
@@ -567,8 +567,10 @@ def _FormatWindowsEventLogMessage(
           message_string = message_string_template.format(*string_values)
         except (IndexError, TypeError) as exception:
           logger.error((
-              'Unable to format message string: "{0:s}" and strings: "{1:s}" '
-              'with error: {2!s}').format(
+              'Unable to format message: 0x{0:08x} of provider: {1:s} '
+              'template: "{2:s}" and strings: "{3:s}" with error: '
+              '{4!s}').format(
+                  message_identifier, provider_identifier or '',
                   message_string_template, ', '.join(string_values), exception))
           # Unable to create the message string.
           # TODO: consider returning the unformatted message string.

diff --git a/plaso/output/mediator.py b/plaso/output/mediator.py
@@ -302,7 +302,13 @@ def GetWinevtResourcesHelper(self):
       WinevtResourcesHelper: Windows EventLog resources helper.
     """
     lcid = self._lcid or self._DEFAULT_LCID
-    environment_variables = self._knowledge_base.GetEnvironmentVariables()
+
+    if not self._storage_reader.HasAttributeContainers('environment_variable'):
+      environment_variables = []
+    else:
+      environment_variables = list(
+          self._storage_reader.GetAttributeContainers('environment_variable'))
+
     return winevt_rc.WinevtResourcesHelper(
         self._storage_reader, self.data_location, lcid, environment_variables)
 

diff --git a/plaso/output/winevt_rc.py b/plaso/output/winevt_rc.py
@@ -500,9 +500,13 @@ def _ReadWindowsEventLogMessageFiles(self, storage_reader):
     if storage_reader.HasAttributeContainers('windows_eventlog_message_file'):
       for message_file in storage_reader.GetAttributeContainers(
           'windows_eventlog_message_file'):
-        path = message_file.path.lower()
-        self._windows_eventlog_message_files[path] = (
-            message_file.GetIdentifier())
+        path, filename = path_helper.PathHelper.GetWindowsSystemPath(
+            message_file.path, self._environment_variables)
+
+        lookup_path = '\\'.join([path, filename]).lower()
+        message_file_identifier = message_file.GetIdentifier()
+        self._windows_eventlog_message_files[lookup_path] = (
+            message_file_identifier)
 
   def _ReadWindowsEventLogMessageString(
       self, storage_reader, provider_identifier, log_source,
@@ -571,49 +575,50 @@ def _ReadWindowsEventLogMessageString(
     for windows_path in provider.event_message_files or []:
       path, filename = path_helper.PathHelper.GetWindowsSystemPath(
           windows_path, self._environment_variables)
-      path = path.lower()
-      filename = filename.lower()
 
-      lookup_path = '\\'.join([path, filename])
+      lookup_path = '\\'.join([path, filename]).lower()
       message_file_identifier = self._windows_eventlog_message_files.get(
           lookup_path, None)
       if message_file_identifier:
         message_file_identifier = message_file_identifier.CopyToString()
         message_file_identifiers.append(message_file_identifier)
 
       mui_filename = '{0:s}.mui'.format(filename)
-      lookup_path = '\\'.join([path, self._language_tag, mui_filename])
+      lookup_path = '\\'.join([path, self._language_tag, mui_filename]).lower()
       message_file_identifier = self._windows_eventlog_message_files.get(
           lookup_path, None)
       if message_file_identifier:
         message_file_identifier = message_file_identifier.CopyToString()
         message_file_identifiers.append(message_file_identifier)
 
-    message_strings = []
-    if message_file_identifiers:
-      # TODO: add message_file_identifiers to filter_expression
-      filter_expression = (
-          'language_identifier == {0:d} and '
-          'message_identifier == {1:d}').format(
-              self._lcid, message_identifier)
-
-      for message_string in storage_reader.GetAttributeContainers(
-          'windows_eventlog_message_string',
-          filter_expression=filter_expression):
-        identifier = message_string.GetMessageFileIdentifier()
-        identifier = identifier.CopyToString()
-        if identifier in message_file_identifiers:
-          message_strings.append(message_string)
-
-      if not message_strings:
-        logger.debug(
-            'No match for message: 0x{0:08x} of provider: {1:s}'.format(
-                message_identifier, lookup_key))
+    if not message_file_identifiers:
+      logger.warning(
+          'No message file for message: 0x{0:08x} of provider: {1:s}'.format(
+              message_identifier, lookup_key))
+      return None
 
-    if message_strings:
-      return message_strings[0].string
+    message_strings = []
+    # TODO: add message_file_identifiers to filter_expression
+    filter_expression = (
+        'language_identifier == {0:d} and '
+        'message_identifier == {1:d}').format(
+            self._lcid, message_identifier)
+
+    for message_string in storage_reader.GetAttributeContainers(
+        'windows_eventlog_message_string',
+        filter_expression=filter_expression):
+      identifier = message_string.GetMessageFileIdentifier()
+      identifier = identifier.CopyToString()
+      if identifier in message_file_identifiers:
+        message_strings.append(message_string)
+
+    if not message_strings:
+      logger.warning((
+          'No message string for message: 0x{0:08x} of provider: '
+          '{1:s}').format(message_identifier, lookup_key))
+      return None
 
-    return None
+    return message_strings[0].string
 
   def _ReadWindowsEventLogProviders(self, storage_reader):
     """Reads the Windows EventLog providers.