#!/usr/bin/python # -*- coding: utf-8 -*- # # Copyright 2013 The Plaso Project Authors. # Please see the AUTHORS file for details on individual authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. """Tests for the Windows EventLog (EVT) parser.""" import unittest # pylint: disable=unused-import from plaso.formatters import winevt as winevt_formatter from plaso.lib import eventdata from plaso.lib import timelib_test from plaso.parsers import test_lib from plaso.parsers import winevt class WinEvtParserTest(test_lib.ParserTestCase): """Tests for the Windows EventLog (EVT) parser.""" def setUp(self): """Sets up the needed objects used throughout the test.""" self._parser = winevt.WinEvtParser() def testParse(self): """Tests the Parse function.""" test_file = self._GetTestFilePath(['SysEvent.Evt']) event_queue_consumer = self._ParseFile(self._parser, test_file) event_objects = self._GetEventObjectsFromQueue(event_queue_consumer) # Windows Event Log (EVT) information: # Version : 1.1 # Number of records : 6063 # Number of recovered records : 437 # Log type : System self.assertEquals(len(event_objects), (6063 + 437) * 2) # Event number : 1392 # Creation time : Jul 27, 2011 06:41:47 UTC # Written time : Jul 27, 2011 06:41:47 UTC # Event type : Warning event (2) # Computer name : WKS-WINXP32BIT # Source name : LSASRV # Event category : 3 # Event identifier : 0x8000a001 (2147524609) # Number of strings : 2 # String: 1 : cifs/CONTROLLER # String: 2 : "The system detected a possible attempt to compromise # security. Please ensure that you can contact the # server that authenticated you.\r\n (0xc0000388)" event_object = event_objects[1] self.assertEquals(event_object.record_number, 1392) self.assertEquals(event_object.event_type, 2) self.assertEquals(event_object.computer_name, u'WKS-WINXP32BIT') self.assertEquals(event_object.source_name, u'LSASRV') self.assertEquals(event_object.event_category, 3) self.assertEquals(event_object.event_identifier, 40961) self.assertEquals(event_object.strings[0], u'cifs/CONTROLLER') expected_string = ( u'"The system detected a possible attempt to compromise security. ' u'Please ensure that you can contact the server that authenticated you.' u'\r\n (0xc0000388)"') self.assertEquals(event_object.strings[1], expected_string) event_object = event_objects[0] expected_timestamp = timelib_test.CopyStringToTimestamp( '2011-07-27 06:41:47') self.assertEquals(event_object.timestamp, expected_timestamp) self.assertEquals( event_object.timestamp_desc, eventdata.EventTimestamp.CREATION_TIME) event_object = event_objects[1] expected_timestamp = timelib_test.CopyStringToTimestamp( '2011-07-27 06:41:47') self.assertEquals(event_object.timestamp, expected_timestamp) self.assertEquals( event_object.timestamp_desc, eventdata.EventTimestamp.WRITTEN_TIME) expected_msg = ( u'[40961 / 0xa001] ' u'Severity: Warning ' u'Record Number: 1392 ' u'Event Type: Information event ' u'Event Category: 3 ' u'Source Name: LSASRV ' u'Computer Name: WKS-WINXP32BIT ' u'Strings: [u\'cifs/CONTROLLER\', ' u'u\'"The system detected a possible attempt to ' u'compromise security. Please ensure that you can ' u'contact the server that authenticated you.\\r\\n ' u'(0xc0000388)"\']') expected_msg_short = ( u'[40961 / 0xa001] ' u'Strings: [u\'cifs/CONTROLLER\', ' u'u\'"The system detected a possi...') self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short) if __name__ == '__main__': unittest.main()