package main
import (
"database/sql"
"fmt"
_ "github.com/mattn/go-sqlite3"
kingpin "gopkg.in/alecthomas/kingpin.v2"
)
// Command-line surface of the "lookup" sub-command. `app` is presumably the
// kingpin application declared elsewhere in this package.
var (
	lookup = app.Command("lookup", "Lookup log message.")

	// Positional arguments, all required, in the order they are typed:
	// the SQLite message database, the provider name, then the event ID.
	lookup_file = lookup.Arg("file", "message database").
		Required().
		String()
	lookup_provider = lookup.Arg("provider", "Provider name").
		Required().
		String()
	lookup_eventid = lookup.Arg("event_id", "Event ID").
		Required().
		Int64()
)
// Row is one result of the lookup query: a message record joined with the
// name of the provider it belongs to.
type Row struct {
	Id       int    // messages.id
	EventId  int    // messages.event_id
	Provider string // providers.name
	Message  string // messages.message, printed verbatim by doLookup
}
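// doLookup implements the "lookup" sub-command: it opens the message
// database named on the command line, selects every message whose provider
// name and event ID match the remaining arguments, and prints one line per
// match as "<id> <event_id> <provider> <message>".
//
// Every failure (opening the database, preparing or running the query,
// scanning or iterating rows) terminates the program via
// kingpin.FatalIfError; there is no partial-result return.
func doLookup() {
	database, err := sql.Open("sqlite3", *lookup_file)
	kingpin.FatalIfError(err, "opening message database %q", *lookup_file)
	// The handle was never closed in the original; release it on every exit.
	defer database.Close()
	// NOTE(review): sql.Open only checks the driver name; the file is first
	// touched by Prepare, so a wrong path surfaces there rather than here.

	// Provider and event ID are bound as query parameters, never spliced into
	// the SQL text, so command-line values cannot change the statement.
	get_events, err := database.Prepare(`
SELECT messages.id, providers.name, event_id, message
FROM messages left join providers ON messages.provider_id = providers.id
WHERE providers.name = ? and messages.event_id = ?
`)
	kingpin.FatalIfError(err, "preparing lookup query")
	defer get_events.Close()

	rows, err := get_events.Query(*lookup_provider, *lookup_eventid)
	kingpin.FatalIfError(err, "querying provider %q event %d", *lookup_provider, *lookup_eventid)
	defer rows.Close()

	for rows.Next() {
		// Scan order mirrors the SELECT list: id, provider name, event_id, message.
		r := &Row{}
		err := rows.Scan(&r.Id, &r.Provider, &r.EventId, &r.Message)
		kingpin.FatalIfError(err, "reading result row")
		fmt.Printf("%v %v %v %v\n", r.Id, r.EventId, r.Provider, r.Message)
	}
	// rows.Next returns false both at end-of-results and on an iteration
	// error; without this check a failure mid-way looked like a short result.
	kingpin.FatalIfError(rows.Err(), "iterating lookup results")
}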
// init registers a handler with the package-level command_handlers list so
// that the parsed "lookup" command is routed to doLookup. The handler
// reports whether it recognised the command.
func init() {
	command_handlers = append(command_handlers, func(command string) bool {
		if command != lookup.FullCommand() {
			return false
		}
		doLookup()
		return true
	})
}