package main
import (
"encoding/json"
"fmt"
"os"
"time"
"github.com/davecgh/go-spew/spew"
"github.com/refractionPOINT/evtx"
kingpin "gopkg.in/alecthomas/kingpin.v2"
)
// watch is the "watch" sub-command, registered on the application-level
// kingpin parser `app` (declared elsewhere in this package).
var watch = app.Command("watch", "Watch a file for changes")

// watch_file is the required positional argument naming the file to watch.
var watch_file = watch.Arg("file", "File to parse").Required().String()
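// doWatch implements the "watch" sub-command: it opens the file named by the
// `file` argument and polls it every pollInterval, printing the records that
// appeared since the previous pass as indented JSON.
//
// The first pass only establishes the baseline (the highest LastEventRecID
// across all chunks) and prints no events; later passes print what
// chunk.Parse returns for chunks whose last record is newer than that
// watermark. The loop never returns. Failing to open the file or to
// enumerate its chunks is fatal (kingpin.FatalIfError exits the process);
// per-chunk parse or JSON errors are reported on stderr and skipped so one
// malformed chunk does not stop the watch.
func doWatch() {
	const pollInterval = 10 * time.Second

	fd, err := os.Open(*watch_file)
	kingpin.FatalIfError(err, "open file")
	defer fd.Close()

	// Re-read the chunk directory from the already-open descriptor on every
	// pass so chunks appended since the last pass are picked up.
	loadChunks := func() []*evtx.Chunk {
		chunks, err := evtx.GetChunks(fd)
		kingpin.FatalIfError(err, "Getting chunks")
		return chunks
	}

	// Highest record ID already accounted for; 0 means "no baseline yet".
	maxRecordID := uint64(0)
	for {
		chunks := loadChunks()
		if maxRecordID == 0 {
			// Baseline pass: remember where the file ends now rather than
			// printing historical events. The original guard (max > 0)
			// skipped this pass without recording anything, so the
			// watermark never advanced and nothing was ever printed.
			maxRecordID = baselineRecordID(chunks)
			fmt.Printf("Will watch events newer than %v\n", maxRecordID)
			time.Sleep(pollInterval)
			continue
		}
		fmt.Printf("Will watch events newer than %v\n", maxRecordID)
		maxRecordID = printNewRecords(chunks, maxRecordID)
		time.Sleep(pollInterval)
	}
}

// baselineRecordID returns the largest chunk.Header.LastEventRecID over
// chunks, i.e. the highest record ID present in the file when it was read.
// Returns 0 for an empty chunk list.
func baselineRecordID(chunks []*evtx.Chunk) uint64 {
	var maxID uint64
	for _, chunk := range chunks {
		if id := chunk.Header.LastEventRecID; id > maxID {
			maxID = id
		}
	}
	return maxID
}

// printNewRecords prints, as indented JSON, every record that chunk.Parse
// returns for the chunks whose LastEventRecID is greater than since, and
// returns the highest record ID seen (or since if nothing new was found).
// Parse and serialization errors go to stderr; a record that fails to
// serialize still advances the watermark so it is not retried forever.
func printNewRecords(chunks []*evtx.Chunk, since uint64) uint64 {
	newMax := since
	for _, chunk := range chunks {
		// Only chunks whose last record is newer than the watermark can
		// hold anything not yet printed.
		if chunk.Header.LastEventRecID <= since {
			continue
		}
		spew.Dump(chunk.Header)
		records, err := chunk.Parse(int(since))
		if err != nil {
			// A malformed chunk is reported, not fatal: keep watching.
			fmt.Fprintf(os.Stderr, "parsing chunk: %v\n", err)
			continue
		}
		for _, rec := range records {
			serialized, err := json.MarshalIndent(rec.Event, " ", " ")
			if err != nil {
				fmt.Fprintf(os.Stderr, "serializing record %v: %v\n", rec.Header.RecordID, err)
			} else {
				fmt.Println(string(serialized))
			}
			if rec.Header.RecordID > newMax {
				newMax = rec.Header.RecordID
			}
		}
	}
	return newMax
}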
// init registers the dispatcher for the "watch" sub-command with the
// package-level command_handlers list (declared elsewhere in this package).
// The handler reports true when it consumed the command, false otherwise.
func init() {
	handleWatch := func(command string) bool {
		if command != watch.FullCommand() {
			return false
		}
		doWatch()
		return true
	}
	command_handlers = append(command_handlers, handleWatch)
}