Improved compatibility of text parsers with Python 3 log2timeline#1952 (

log2timeline#1974)
Onager · Jun 26, 2018 · 09a697b · 09a697b
1 parent 82dacdb
commit 09a697b
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 14 deletions.
diff --git a/plaso/parsers/iis.py b/plaso/parsers/iis.py
@@ -2,8 +2,7 @@
 """Parser for Windows IIS Log file.
 
 More documentation on fields can be found here:
-http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/
-IIS/676400bc-8969-4aa7-851a-9319490a9bbb.mspx?mfr=true
+https://msdn.microsoft.com/en-us/library/ms525807(v=vs.90).aspx
 """
 
 from __future__ import unicode_literals
@@ -135,7 +134,12 @@ class WinIISParser(text_parser.PyparsingSingleLineTextParser):
       ('logline', LOG_LINE_6_0)]
 
   # Define a signature value for the log file.
-  _SIGNATURE = b'#Software: Microsoft Internet Information Services'
+  _SIGNATURE = '#Software: Microsoft Internet Information Services'
+
+  # Per https://msdn.microsoft.com/en-us/library/ms525807(v=vs.90).aspx:
+  # "log file format(s) are all ASCII text formats (unless UTF-8 is enabled for
+  #  your Web sites)
+  _ENCODING = 'utf-8'
 
   def __init__(self):
     """Initializes a parser object."""

diff --git a/plaso/parsers/mac_appfirewall.py b/plaso/parsers/mac_appfirewall.py
@@ -140,22 +140,14 @@ def _ParseLogLine(self, parser_mediator, structure, key):
     self._last_month = time_elements_tuple[1]
 
     # If the actual entry is a repeated entry, we take the basic information
-    # from the previous entry, but using the timestmap from the actual entry.
+    # from the previous entry, but use the timestamp from the actual entry.
     if key == 'logline':
       self._previous_structure = structure
     else:
       structure = self._previous_structure
 
-    # Pyparsing reads in RAW, but the text is in UTF8.
-    try:
-      action = structure.action.decode('utf-8')
-    except UnicodeDecodeError:
-      logger.warning(
-          'Decode UTF8 failed, the message string may be cut short.')
-      action = structure.action.decode('utf-8', 'ignore')
-
     event_data = MacAppFirewallLogEventData()
-    event_data.action = action
+    event_data.action = structure.action
     event_data.agent = structure.agent
     event_data.computer_name = structure.computer_name
     # Due to the use of CharsNotIn pyparsing structure contains whitespaces

diff --git a/plaso/parsers/text_parser.py b/plaso/parsers/text_parser.py
@@ -237,7 +237,7 @@ class PyparsingSingleLineTextParser(interface.FileObjectParser):
 
   _ENCODING = None
 
-  _EMPTY_LINES = frozenset([b'\n', b'\r', b'\r\n'])
+  _EMPTY_LINES = frozenset(['\n', '\r', '\r\n'])
 
   # Allow for a maximum of 40 empty lines before we bail out.
   _MAXIMUM_DEPTH = 40