add Windows Event Log message strings support #99

joachimmetz · 2015-01-29T20:25:10Z

use winevt-rc.db to read and format Windows Event Log message strings at the formatting phase

joachimmetz · 2015-02-02T09:15:13Z

~~Preparations:~~

~~Step 1: https://codereview.appspot.com/193700043/~~
~~Step 2: https://codereview.appspot.com/204950043/~~

~~Add formatter mediator:~~

~~Step 3: https://codereview.appspot.com/203920043/~~

~~Add initial winevt-rc support:~~

~~Step 4: https://codereview.appspot.com/200460043/~~

After care:

~~set data location to a sane default~~
~~add support to pre format message string in PEP 3101 format~~
~~add documentation on how to build and use winevt_rc.db~~ (pending review and release)
~~Add means to set the preferred LCID~~
- ~~https://codereview.appspot.com/215550043/~~
Add more formatter tests

Future enhancements are now tracked in: #163

joachimmetz · 2015-03-15T06:54:55Z

Issue with the formatting of some messages due to spurious '{':

Fix "More than one value found in database." issue:

Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/plaso/formatters/winevtx.py", line 59, in GetMessages
    event_values[u'message_string'] = message_string.format(*strings)
KeyError: u'Reason'

SELECT * FROM event_log_providers WHERE log_source == 'Microsoft-Windows-Eventlog';
154|Microsoft-Windows-Eventlog|System|{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}
378|Microsoft-Windows-Eventlog|Security|{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}

So the reason for the duplicate is the log_type. Created: libyal/winevt-kb#7 to track adding support.

joachimmetz · 2015-03-15T11:35:26Z

Pending fixes/changes: http://codereview.appspot.com/216000043

… support #99

#99.

joachimmetz · 2015-04-14T21:19:18Z

Documentation pending review and release. Moved improvement to a separate issues. Hence closing this issue.

… support #99

#99.

… support #99

#99.

joachimmetz added the enhancement New or improved functionality label Jan 29, 2015

joachimmetz self-assigned this Jan 29, 2015

joachimmetz added a commit that referenced this issue Feb 17, 2015

Code review: 204950043: Clean up of formatters code - step 2 #99.

06d8a40

joachimmetz added a commit that referenced this issue Feb 25, 2015

Code review: 203920043: Added format mediator - step 3 #99.

e6ea547

joachimmetz added a commit that referenced this issue Feb 28, 2015

Code review: 200460043: Added initial winevt-rc support - step 4 #99.

2e46db9

joachimmetz mentioned this issue Mar 3, 2015

The Windows Event formatting does not seem to be applied #130

Closed

joachimmetz added a commit that referenced this issue Mar 16, 2015

Code review: 204410043: Added formatter tests #99.

de229af

joachimmetz added a commit that referenced this issue Mar 16, 2015

Code review: 216000043: Changes for Windows Event Log message strings…

1bc799a

… support #99

joachimmetz added a commit that referenced this issue Mar 24, 2015

Code review: 215550043: Added means to set the preferred LCID for issue

abd910e

#99.

joachimmetz added a commit that referenced this issue Mar 24, 2015

Code review: 213650043: Added more formatter tests for issue #99.

2e16eac

joachimmetz added a commit that referenced this issue Mar 27, 2015

Code review: 213680043: Added more formatter tests for issue #99.

7f20a56

joachimmetz added a commit that referenced this issue Mar 27, 2015

Code review: 221880043: Added more formatter tests for issue #99.

07b3284

joachimmetz added a commit that referenced this issue Apr 14, 2015

Code review: 228160043: Added more formatter tests for issue #99.

96a1d6b

joachimmetz closed this as completed Apr 14, 2015

berggren mentioned this issue Apr 28, 2015

Annotation Database google/timesketch#76

Open

joachimmetz added a commit that referenced this issue Jun 7, 2015

Code review: 204950043: Clean up of formatters code - step 2 #99.

32f9575

joachimmetz added a commit that referenced this issue Jun 7, 2015

Code review: 203920043: Added format mediator - step 3 #99.

ef42bd4

joachimmetz added a commit that referenced this issue Jun 7, 2015

Code review: 200460043: Added initial winevt-rc support - step 4 #99.

0b9c2a0

joachimmetz added a commit that referenced this issue Jun 7, 2015

Code review: 204410043: Added formatter tests #99.

070cf76

joachimmetz added a commit that referenced this issue Jun 7, 2015

Code review: 216000043: Changes for Windows Event Log message strings…

bda46af

… support #99

joachimmetz added a commit that referenced this issue Jun 7, 2015

Code review: 215550043: Added means to set the preferred LCID for issue

5ffef2b

#99.

joachimmetz added a commit that referenced this issue Jun 7, 2015

Code review: 213650043: Added more formatter tests for issue #99.

ae33b5e

joachimmetz added a commit that referenced this issue Jun 7, 2015

Code review: 213680043: Added more formatter tests for issue #99.

6b6186d

joachimmetz added a commit that referenced this issue Jun 7, 2015

Code review: 221880043: Added more formatter tests for issue #99.

80acca2

joachimmetz added a commit that referenced this issue Jun 7, 2015

Code review: 228160043: Added more formatter tests for issue #99.

b1fdc29

joachimmetz added a commit that referenced this issue Dec 31, 2015

Code review: 204950043: Clean up of formatters code - step 2 #99.

555f37e

joachimmetz added a commit that referenced this issue Dec 31, 2015

Code review: 203920043: Added format mediator - step 3 #99.

af1d65b

joachimmetz added a commit that referenced this issue Dec 31, 2015

Code review: 200460043: Added initial winevt-rc support - step 4 #99.

a7f6da6

joachimmetz added a commit that referenced this issue Dec 31, 2015

Code review: 204410043: Added formatter tests #99.

f5578c1

joachimmetz added a commit that referenced this issue Dec 31, 2015

Code review: 216000043: Changes for Windows Event Log message strings…

26571a2

… support #99

joachimmetz added a commit that referenced this issue Dec 31, 2015

Code review: 215550043: Added means to set the preferred LCID for issue

c8d0adf

#99.

joachimmetz added a commit that referenced this issue Dec 31, 2015

Code review: 213650043: Added more formatter tests for issue #99.

1071241

joachimmetz added a commit that referenced this issue Dec 31, 2015

Code review: 213680043: Added more formatter tests for issue #99.

45d2664

joachimmetz added a commit that referenced this issue Dec 31, 2015

Code review: 221880043: Added more formatter tests for issue #99.

6f6617f

joachimmetz added a commit that referenced this issue Dec 31, 2015

Code review: 228160043: Added more formatter tests for issue #99.

ad32f96

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

add Windows Event Log message strings support #99

add Windows Event Log message strings support #99

joachimmetz commented Jan 29, 2015

joachimmetz commented Feb 2, 2015

joachimmetz commented Mar 15, 2015

joachimmetz commented Mar 15, 2015

joachimmetz commented Apr 14, 2015

add Windows Event Log message strings support #99

add Windows Event Log message strings support #99

Comments

joachimmetz commented Jan 29, 2015

joachimmetz commented Feb 2, 2015

joachimmetz commented Mar 15, 2015

joachimmetz commented Mar 15, 2015

joachimmetz commented Apr 14, 2015