:py:mod:`dissect.eventlog.evt`
==============================

.. py:module:: dissect.eventlog.evt


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.eventlog.evt.Record
   dissect.eventlog.evt.Evt


Functions
~~~~~~~~~

.. autoapisummary::
   :nosignatures:

   dissect.eventlog.evt.find_needle
   dissect.eventlog.evt.parse_record
   dissect.eventlog.evt.reprsid
   dissect.eventlog.evt.is_eof_record
   dissect.eventlog.evt.is_header_record
   dissect.eventlog.evt.parse_chunk


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.eventlog.evt.evt_def
   dissect.eventlog.evt.c_evt
   dissect.eventlog.evt.EVENTLOGRECORD_SIZE
   dissect.eventlog.evt.BLOCK_SIZE
   dissect.eventlog.evt.DIRTY_NEEDLE


.. py:data:: evt_def
   :value: Multiline-String

   .. code-block:: python

      """
      #define ELF_LOGFILE_HEADER_DIRTY        0x0001
      #define ELF_LOGFILE_HEADER_WRAP         0x0002
      #define ELF_LOGFILE_LOGFULL_WRITTEN     0x0004
      #define ELF_LOGFILE_ARCHIVE_SET         0x0008

      typedef struct _EVENTLOGHEADER {
          ULONG HeaderSize;
          char  Signature[4];
          ULONG MajorVersion;
          ULONG MinorVersion;
          ULONG StartOffset;
          ULONG EndOffset;
          ULONG CurrentRecordNumber;
          ULONG OldestRecordNumber;
          ULONG MaxSize;
          ULONG Flags;
          ULONG Retention;
          ULONG EndHeaderSize;
      } EVENTLOGHEADER;

      typedef struct _EVENTLOGRECORD {
          DWORD Length;
          DWORD Reserved;
          DWORD RecordNumber;
          DWORD TimeGenerated;
          DWORD TimeWritten;
          DWORD EventID;
          WORD  EventType;
          WORD  NumStrings;
          WORD  EventCategory;
          WORD  ReservedFlags;
          DWORD ClosingRecordNumber;
          DWORD StringOffset;
          DWORD UserSidLength;
          DWORD UserSidOffset;
          DWORD DataLength;
          DWORD DataOffset;
      } EVENTLOGRECORD;

      typedef struct _EVENTLOGEOF {
          ULONG RecordSizeBeginning;
          ULONG One;
          ULONG Two;
          ULONG Three;
          ULONG Four;
          ULONG BeginRecord;
          ULONG EndRecord;
          ULONG CurrentRecordNumber;
          ULONG OldestRecordNumber;
          ULONG RecordSizeEnd;
      } EVENTLOGEOF;
      """


.. py:data:: c_evt


.. py:data:: EVENTLOGRECORD_SIZE


.. py:class:: Record

   Bases: :py:obj:`tuple`

   .. py:attribute:: RecordNumber

   .. py:attribute:: TimeGenerated

   .. py:attribute:: TimeWritten

   .. py:attribute:: EventID

   .. py:attribute:: EventCode

   .. py:attribute:: EventFacility

   .. py:attribute:: EventCustomerFlag

   .. py:attribute:: EventSeverity

   .. py:attribute:: EventType

   .. py:attribute:: EventCategory

   .. py:attribute:: SourceName

   .. py:attribute:: Computername

   .. py:attribute:: UserSid

   .. py:attribute:: Strings

   .. py:attribute:: Data

   .. py:attribute:: record


.. py:data:: BLOCK_SIZE
   :value: 4096


.. py:data:: DIRTY_NEEDLE
   :value: b'(\x00\x00\x00\x11\x11\x11\x11""""3333DDDD'


.. py:class:: Evt(fh)

   Windows Event files for WinOS up until Windows XP

   .. py:attribute:: fh

   .. py:attribute:: header

   .. py:attribute:: start_offset

   .. py:attribute:: end_offset

   .. py:attribute:: current_record_number

   .. py:attribute:: oldest_record_number

   .. py:attribute:: flags

   .. py:method:: __iter__()


.. py:function:: find_needle(fh, needle)


.. py:function:: parse_record(record, buf)


.. py:function:: reprsid(s)


.. py:function:: is_eof_record(record)


.. py:function:: is_header_record(record)


.. py:function:: parse_chunk(chunk)

   Requires a chunk that starts with an EVENTLOGRECORD header
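The following is an added worked example written for this page; it is not code from dissect.eventlog and does not call its API. It re-implements the EVENTLOGHEADER, EVENTLOGRECORD and EVENTLOGEOF layouts from ``evt_def`` with the ``struct`` module, walks a log from the EOF record's ``BeginRecord``, and, when ``ELF_LOGFILE_HEADER_DIRTY`` is set in the header (the header's offsets may then be stale), locates the EOF record by scanning for the same 20-byte ``DIRTY_NEEDLE`` value the page defines, which is the purpose ``find_needle`` serves. The function names (``parse_record``, ``parse_eof``, ``sid_to_str``) mirror the page's names but are my own; the split of ``EventID`` into code, facility, customer flag and severity follows the Win32 event-identifier bit layout and is an assumption about what the ``Record`` fields hold; every byte string is constructed inline and represents no real system.

```python
"""Stand-alone parser for legacy Windows .evt files (added example, not dissect's code)."""
import struct
from collections import namedtuple

ELF_LOGFILE_HEADER_DIRTY = 0x0001  # from evt_def; WRAP (0x0002) logs are not handled here

HEADER_FMT = "<I4sIIIIIIIIII"      # EVENTLOGHEADER, little-endian, 48 bytes
RECORD_FMT = "<I4sIIIIHHHHIIIIII"  # fixed part of EVENTLOGRECORD, 56 bytes
EOF_FMT = "<10I"                   # EVENTLOGEOF, 40 bytes
HEADER_SIZE = struct.calcsize(HEADER_FMT)
RECORD_SIZE = struct.calcsize(RECORD_FMT)
EOF_SIZE = struct.calcsize(EOF_FMT)
# First 20 bytes of every EVENTLOGEOF: RecordSizeBeginning=0x28 then 0x11111111..0x44444444.
DIRTY_NEEDLE = b'(\x00\x00\x00\x11\x11\x11\x11""""3333DDDD'

Record = namedtuple("Record", "RecordNumber TimeGenerated TimeWritten EventID EventCode "
                    "EventFacility EventCustomerFlag EventSeverity EventType EventCategory "
                    "SourceName Computername UserSid Strings Data Length")


def read_utf16z(buf, pos):
    """Read a NUL-terminated UTF-16LE string starting at an even offset."""
    end = pos
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2


def sid_to_str(sid):
    """Render a binary SID as S-R-A-S1-...; None when the record carries no SID."""
    if not sid:
        return None
    revision, count = sid[0], sid[1]
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, sid, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def parse_header(buf):
    f = struct.unpack_from(HEADER_FMT, buf, 0)
    if f[1] != b"LfLe" or f[0] != HEADER_SIZE or f[11] != HEADER_SIZE:
        raise ValueError("not an EVENTLOGHEADER")
    names = ("HeaderSize Signature MajorVersion MinorVersion StartOffset EndOffset "
             "CurrentRecordNumber OldestRecordNumber MaxSize Flags Retention EndHeaderSize")
    return dict(zip(names.split(), f))


def parse_eof(buf, off):
    f = struct.unpack_from(EOF_FMT, buf, off)
    if buf[off:off + len(DIRTY_NEEDLE)] != DIRTY_NEEDLE or f[9] != EOF_SIZE:
        raise ValueError("no EVENTLOGEOF record at offset %d" % off)
    names = ("RecordSizeBeginning One Two Three Four BeginRecord EndRecord "
             "CurrentRecordNumber OldestRecordNumber RecordSizeEnd")
    return dict(zip(names.split(), f))


def parse_record(buf, off):
    """Parse one EVENTLOGRECORD (fixed header plus variable tail) at offset off."""
    (length, sig, recnum, tgen, twrit, event_id, etype, nstrings, category, _flags, _closing,
     str_off, sid_len, sid_off, data_len, data_off) = struct.unpack_from(RECORD_FMT, buf, off)
    rec = buf[off:off + length]
    # Length is stored at both ends of the record; a mismatch means corruption or a bad offset.
    if sig != b"LfLe" or len(rec) != length or struct.unpack_from("<I", rec, length - 4)[0] != length:
        raise ValueError("corrupt EVENTLOGRECORD at offset %d" % off)
    source, pos = read_utf16z(rec, RECORD_SIZE)   # SourceName directly follows the fixed part
    computer, _ = read_utf16z(rec, pos)           # then Computername
    strings, pos = [], str_off
    for _ in range(nstrings):
        s, pos = read_utf16z(rec, pos)
        strings.append(s)
    sid = rec[sid_off:sid_off + sid_len] if sid_len else b""
    # Assumed Win32 layout: code bits 0-15, facility 16-27, customer flag 29, severity 30-31.
    return Record(recnum, tgen, twrit, event_id, event_id & 0xFFFF, (event_id >> 16) & 0xFFF,
                  (event_id >> 29) & 1, event_id >> 30, etype, category, source, computer,
                  sid_to_str(sid), strings, rec[data_off:data_off + data_len], length)


def parse_evt(buf):
    """Return (header, records, eof). On a dirty log the header offsets may be stale,
    so the EOF record is found by scanning for DIRTY_NEEDLE instead of trusting EndOffset."""
    hdr = parse_header(buf)
    if hdr["Flags"] & ELF_LOGFILE_HEADER_DIRTY:
        end = buf.find(DIRTY_NEEDLE, HEADER_SIZE)  # heuristic: a record payload could collide
        if end < 0:
            raise ValueError("dirty log without an EOF record")
    else:
        end = hdr["EndOffset"]
    eof = parse_eof(buf, end)
    records, off = [], eof["BeginRecord"]
    while off < end:  # linear walk; a wrapped log would need modulo handling
        r = parse_record(buf, off)
        records.append(r)
        off += r.Length
    return hdr, records, eof


# --- constructed sample data (no real system) -------------------------------------------
def build_record(recnum, ts, event_id, etype, source, computer, strings, sid=b"", data=b""):
    body = source.encode("utf-16-le") + b"\x00\x00" + computer.encode("utf-16-le") + b"\x00\x00"
    body += b"\x00" * (-len(body) % 4)              # SID is DWORD aligned
    sid_off = RECORD_SIZE + len(body) if sid else 0
    body += sid
    str_off = RECORD_SIZE + len(body)
    body += b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)
    data_off = RECORD_SIZE + len(body)
    body += data
    body += b"\x00" * (-len(body) % 4)
    length = RECORD_SIZE + len(body) + 4            # trailing Length field included
    fixed = struct.pack(RECORD_FMT, length, b"LfLe", recnum, ts, ts, event_id, etype,
                        len(strings), 0, 0, 0, str_off, len(sid), sid_off, len(data), data_off)
    return fixed + body + struct.pack("<I", length)


def build_evt(records, dirty=False):
    body = b"".join(records)
    start, end, n = HEADER_SIZE, HEADER_SIZE + len(body), len(records)
    eof = struct.pack(EOF_FMT, EOF_SIZE, 0x11111111, 0x22222222, 0x33333333, 0x44444444,
                      start, end, n + 1, 1, EOF_SIZE)
    # A dirty header models an unflushed service: EndOffset was never advanced past StartOffset.
    hdr_end, flags = (start, ELF_LOGFILE_HEADER_DIRTY) if dirty else (end, 0)
    header = struct.pack(HEADER_FMT, HEADER_SIZE, b"LfLe", 1, 1, start, hdr_end, n + 1, 1,
                         HEADER_SIZE + len(body) + EOF_SIZE, flags, 0, HEADER_SIZE)
    return header + body + eof


LOCAL_SYSTEM_SID = bytes([1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0])  # S-1-5-18
SAMPLE_RECORDS = [
    build_record(1, 1_200_000_000, 0x80000010, 2, "Service Control Manager", "WORKSTATION1",
                 ["Example Service", "stopped"]),
    build_record(2, 1_200_000_060, 0xC0020001, 1, "Security", "WORKSTATION1",
                 ["Administrator", "WORKSTATION1"], sid=LOCAL_SYSTEM_SID, data=b"\x01\x02\x03"),
]
CLEAN_LOG = build_evt(SAMPLE_RECORDS)
DIRTY_LOG = build_evt(SAMPLE_RECORDS, dirty=True)

if __name__ == "__main__":
    for name, log in (("clean", CLEAN_LOG), ("dirty", DIRTY_LOG)):
        hdr, records, eof = parse_evt(log)
        print(name, "flags=%#x header EndOffset=%d eof@%d" % (hdr["Flags"], hdr["EndOffset"], eof["EndRecord"]))
        for r in records:
            print(" ", r.RecordNumber, r.SourceName, r.EventCode, r.EventSeverity, r.UserSid, r.Strings)
```

Running the module prints both logs; note that the dirty log's header still reports ``EndOffset`` equal to ``StartOffset`` while the needle scan recovers the real EOF record and both records behind it. The double ``Length`` check in ``parse_record`` is the cheap integrity test a forensic parser should keep: an offset that lands inside a record instead of at its start fails it immediately rather than yielding garbage fields.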