Added extract Windows EventLog resources option log2timeline#636

joachimmetz · Oct 16, 2021 · b61feec · b61feec
1 parent c1998df
commit b61feec
Show file tree

Hide file tree

Showing 6 changed files with 40 additions and 5 deletions.
diff --git a/plaso/cli/extraction_tool.py b/plaso/cli/extraction_tool.py
@@ -78,6 +78,7 @@ def __init__(self, input_reader=None, output_writer=None):
     self._command_line_arguments = None
     self._enable_sigsegv_handler = False
     self._expanded_parser_filter_expression = None
+    self._extract_winevt_resources = True
     self._number_of_extraction_workers = 0
     self._parser_filter_expression = None
     self._preferred_codepage = None
@@ -287,6 +288,9 @@ def _ParseExtractionOptions(self, options):
 
     self.list_language_identifiers = self._preferred_language == 'list'
 
+    self._extract_winevt_resources = getattr(
+        options, 'extract_winevt_resources', True)
+
     time_zone_string = self.ParseStringOption(options, 'timezone')
     if isinstance(time_zone_string, str):
       if time_zone_string.lower() == 'list':
@@ -556,6 +560,12 @@ def AddExtractionOptions(self, argument_group):
 
     # Note defaults here are None so we can determine if an option was set.
 
+    argument_group.add_argument(
+        '--extract_winevt_resources', '--extract-winevt-resources',
+        dest='extract_winevt_resources', action='store_false', default=True,
+        help=('Extract Windows EventLog resources such as event message '
+              'template strings.'))
+
     # TODO: add preferred encoding
 
     argument_group.add_argument(
@@ -635,6 +645,7 @@ def ExtractEventsFromSources(self):
         artifact_filter_names=self._artifact_filters,
         command_line_arguments=self._command_line_arguments,
         debug_mode=self._debug_mode,
+        extract_winevt_resources=self._extract_winevt_resources,
         filter_file_path=self._filter_file,
         preferred_encoding=self.preferred_encoding,
         preferred_language=self._preferred_language,

diff --git a/plaso/containers/sessions.py b/plaso/containers/sessions.py
@@ -26,6 +26,8 @@ class Session(interface.AttributeContainer):
     enabled_parser_names (list[str]): parser and parser plugin names that
          were enabled.
     event_labels_counter (collections.Counter): number of event tags per label.
+    extract_winevt_resources (bool): True if Windows EventLog resources should
+        be extracted.
     filter_file (str): path to a file with find specifications.
     identifier (str): unique identifier of the session.
     parser_filter_expression (str): parser filter expression.
@@ -56,6 +58,7 @@ def __init__(self):
     self.completion_time = None
     self.debug_mode = False
     self.enabled_parser_names = None
+    self.extract_winevt_resources = True
     self.event_labels_counter = collections.Counter()
     self.filter_file = None
     self.identifier = '{0:s}'.format(uuid.uuid4().hex)
@@ -117,6 +120,8 @@ def CopyAttributesFromSessionConfiguration(self, session_configuration):
     self.command_line_arguments = session_configuration.command_line_arguments
     self.debug_mode = session_configuration.debug_mode
     self.enabled_parser_names = session_configuration.enabled_parser_names
+    self.extract_winevt_resources = (
+        session_configuration.extract_winevt_resources)
     self.filter_file = session_configuration.filter_file
     self.parser_filter_expression = (
         session_configuration.parser_filter_expression)
@@ -147,6 +152,9 @@ def CopyAttributesFromSessionStart(self, session_start):
         session_start, 'debug_mode', self.debug_mode)
     self.enabled_parser_names = getattr(
         session_start, 'enabled_parser_names', self.enabled_parser_names)
+    self.extract_winevt_resources = getattr(
+        session_start, 'extract_winevt_resources',
+        self.extract_winevt_resources)
     self.filter_file = getattr(
         session_start, 'filter_file', self.filter_file)
     self.parser_filter_expression = getattr(
@@ -187,6 +195,8 @@ def CreateSessionConfiguration(self):
     session_configuration.command_line_arguments = self.command_line_arguments
     session_configuration.debug_mode = self.debug_mode
     session_configuration.enabled_parser_names = self.enabled_parser_names
+    session_configuration.extract_winevt_resources = (
+        self.extract_winevt_resources)
     session_configuration.filter_file = self.filter_file
     session_configuration.identifier = self.identifier
     session_configuration.parser_filter_expression = (
@@ -280,6 +290,8 @@ class SessionConfiguration(interface.AttributeContainer):
     debug_mode (bool): True if debug mode was enabled.
     enabled_parser_names (list[str]): parser and parser plugin names that
          were enabled.
+    extract_winevt_resources (bool): True if Windows EventLog resources should
+        be extracted.
     filter_file (str): path to a file with find specifications.
     identifier (str): unique identifier of the session.
     parser_filter_expression (str): parser filter expression.
@@ -306,6 +318,7 @@ def __init__(self, identifier=None):
     self.command_line_arguments = None
     self.debug_mode = False
     self.enabled_parser_names = None
+    self.extract_winevt_resources = True
     self.filter_file = None
     self.identifier = identifier
     self.parser_filter_expression = None

diff --git a/plaso/engine/engine.py b/plaso/engine/engine.py
@@ -182,20 +182,23 @@ def _StopProfiling(self):
       self._task_queue_profiler.Stop()
       self._task_queue_profiler = None
 
+  # pylint: disable=too-many-arguments
   @classmethod
   def CreateSession(
       cls, artifact_filter_names=None, command_line_arguments=None,
-      debug_mode=False, filter_file_path=None, preferred_encoding='utf-8',
-      preferred_language='en-US', preferred_time_zone=None,
-      preferred_year=None, text_prepend=None):
+      debug_mode=False, extract_winevt_resources=True, filter_file_path=None,
+      preferred_encoding='utf-8', preferred_language='en-US',
+      preferred_time_zone=None, preferred_year=None, text_prepend=None):
     """Creates a session attribute container.
 
     Args:
       artifact_filter_names (Optional[list[str]]): names of artifact definitions
           that are used for filtering file system and Windows Registry
           key paths.
       command_line_arguments (Optional[str]): the command line arguments.
-      debug_mode (bool): True if debug mode was enabled.
+      debug_mode (Option[bool]): True if debug mode was enabled.
+      extract_winevt_resources (Optional[bool]): True if Windows EventLog
+          resources should be extracted.
       filter_file_path (Optional[str]): path to a file with find specifications.
       preferred_encoding (Optional[str]): preferred encoding.
       preferred_language (Optional[str]): preferred language.
@@ -211,6 +214,7 @@ def CreateSession(
     session.artifact_filters = artifact_filter_names
     session.command_line_arguments = command_line_arguments
     session.debug_mode = debug_mode
+    session.extract_winevt_resources = extract_winevt_resources
     session.filter_file = filter_file_path
     session.preferred_encoding = preferred_encoding
     session.preferred_language = preferred_language

diff --git a/tests/cli/extraction_tool.py b/tests/cli/extraction_tool.py
@@ -116,11 +116,15 @@ class ExtractionToolTest(test_lib.CLIToolTestCase):
 """.format(test_lib.ARGPARSE_OPTIONS)
 
   _EXPECTED_TIME_ZONE_OPTION = """\
-usage: extraction_tool_test.py [--language LANGUAGE] [-z TIME_ZONE]
+usage: extraction_tool_test.py [--language LANGUAGE]
+                               [--extract_winevt_resources] [-z TIME_ZONE]
 
 Test argument parser.
 
 {0:s}:
+  --extract_winevt_resources, --extract-winevt-resources
+                        Extract Windows EventLog resources such as event
+                        message template strings.
   --language LANGUAGE   The preferred language identifier for Windows Event
                         Log message strings. Use "--language list" to see a
                         list of available language identifiers. Note that

diff --git a/tests/containers/sessions.py b/tests/containers/sessions.py
@@ -25,6 +25,7 @@ def testGetAttributeNames(self):
         'debug_mode',
         'enabled_parser_names',
         'event_labels_counter',
+        'extract_winevt_resources',
         'filter_file',
         'identifier',
         'parser_filter_expression',
@@ -137,6 +138,7 @@ def testGetAttributeNames(self):
         'command_line_arguments',
         'debug_mode',
         'enabled_parser_names',
+        'extract_winevt_resources',
         'filter_file',
         'identifier',
         'parser_filter_expression',

diff --git a/tests/serializer/json_serializer.py b/tests/serializer/json_serializer.py
@@ -331,6 +331,7 @@ def testReadAndWriteSerializedSession(self):
         'analysis_reports_counter': session.analysis_reports_counter,
         'debug_mode': False,
         'event_labels_counter': session.event_labels_counter,
+        'extract_winevt_resources': True,
         'identifier': session.identifier,
         'parsers_counter': parsers_counter,
         'preferred_encoding': 'utf-8',