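// LoadSingleAuditFile loads one audit file for computername and indexes its
// records. The directory and file name are split from filename and the audit
// generator name is taken from AuditGeneratorFromFile. When the file holds
// more than nightHawk.BULKPOST_SIZE records they are uploaded concurrently in
// BULKPOST_SIZE-sized chunks through FastUpload; otherwise a single NDJSON
// bulk body is handed to nightHawk.ProcessOutput. For the w32processes-memory
// audit the process tree built by nightHawk.CreateProcessTree is indexed as
// well. It returns 0 on success and 1 when the loaded data is not a
// []nightHawk.RlJsonRecord.
func LoadSingleAuditFile(caseinfo nightHawk.CaseInformation, computername string, filename string) int {
	ConsoleMessage("INFO", "Processing single audit file from "+computername, nightHawk.VERBOSE)

	targetdir, auditfile := filepath.Split(filename)
	// NOTE(review): the second result is discarded as in the original; if it
	// is an error it should be checked — confirm against AuditGeneratorFromFile.
	auditname, _ := AuditGeneratorFromFile(filename)

	data := nightHawk.LoadAuditData(nightHawk.MOD_JSON, computername, caseinfo, targetdir, auditfile)
	// Checked assertion: an unexpected payload type is reported and the
	// function returns instead of panicking the whole loader.
	rlRecords, ok := data.([]nightHawk.RlJsonRecord)
	if !ok {
		ConsoleMessage("INFO", fmt.Sprintf("Unexpected audit data type %T for %s::%s\n", data, computername, auditfile), nightHawk.VERBOSE)
		return 1
	}
	SzRlRecord := len(rlRecords)

	cmsg := fmt.Sprintf("Processing %s::%s => %s : %d records\n", computername, auditname, auditfile, SzRlRecord)
	ConsoleMessage("INFO", cmsg, nightHawk.VERBOSE)

	// escapeJSON makes s safe to embed inside a JSON string literal: '"' and
	// '\' are backslash-escaped and control characters become \u00XX. Bytes
	// are copied through otherwise, so valid UTF-8 is preserved as-is.
	escapeJSON := func(s string) string {
		out := make([]byte, 0, len(s)+2)
		for i := 0; i < len(s); i++ {
			switch c := s[i]; {
			case c == '"' || c == '\\':
				out = append(out, '\\', c)
			case c < 0x20:
				out = append(out, fmt.Sprintf("\\u%04x", c)...)
			default:
				out = append(out, c)
			}
		}
		return string(out)
	}

	// Bulk action line that precedes every record. The parent id is escaped so
	// a computer name containing a quote, backslash or control character cannot
	// terminate the literal or smuggle additional actions into the NDJSON body.
	bulkHeader := "{\"index\":{\"_type\":\"audit_type\", \"_parent\":\"" + escapeJSON(computername) + "\"}}\n"

	if SzRlRecord > nightHawk.BULKPOST_SIZE {
		// Ceiling division: the previous rCount+1 loop dispatched an empty
		// trailing chunk whenever the count was an exact multiple of
		// BULKPOST_SIZE.
		chunks := (SzRlRecord + nightHawk.BULKPOST_SIZE - 1) / nightHawk.BULKPOST_SIZE
		var wg sync.WaitGroup
		for i := 0; i < chunks; i++ {
			start := i * nightHawk.BULKPOST_SIZE
			stop := start + nightHawk.BULKPOST_SIZE
			if stop > SzRlRecord {
				stop = SzRlRecord
			}
			wg.Add(1)
			go FastUpload(&wg, computername, auditname, start, stop, rlRecords)
		}
		wg.Wait()
	} else {
		// Build the NDJSON body with append; string concatenation re-copied the
		// whole body on every record.
		body := make([]byte, 0, SzRlRecord*(len(bulkHeader)+1))
		for _, bdata := range rlRecords {
			body = append(body, bulkHeader...)
			body = append(body, string(bdata)...)
			body = append(body, '\n')
		}
		nightHawk.ProcessOutput(computername, auditname, body)
	}

	// Processing ProcessMemory Tree
	if auditname == "w32processes-memory" {
		msg := fmt.Sprintf("Process %s::%s\n", auditname, auditfile)
		ConsoleMessage("INFO", msg, nightHawk.VERBOSE)
		jsonData := nightHawk.CreateProcessTree(caseinfo, computername, filename)
		esData := append([]byte(bulkHeader), string(jsonData)...)
		esData = append(esData, '\n')
		// NOTE(review): GoLoadAudit indexes the process tree under
		// nightHawk.PTGenerator, while this path keeps auditname — confirm
		// which generator downstream consumers expect before aligning them.
		nightHawk.ProcessOutput(computername, auditname, esData)
	}
	return 0
}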
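// GoLoadAudit loads the audit described by auditfile from targetDir for
// computername and indexes its records; it is meant to run as a goroutine and
// signals rlwg when it returns. Records beyond nightHawk.BULKPOST_SIZE are
// uploaded concurrently in BULKPOST_SIZE-sized chunks through FastUpload,
// otherwise one NDJSON bulk body is handed to nightHawk.ProcessOutput. For the
// w32processes-memory generator the process tree is built with
// nightHawk.CreateProcessTree and indexed under nightHawk.PTGenerator. A
// payload that is not a []nightHawk.RlJsonRecord is reported and skipped.
func GoLoadAudit(rlwg *sync.WaitGroup, computername string, caseinfo nightHawk.CaseInformation, targetDir string, auditfile nightHawk.RlAudit) {
	defer rlwg.Done()

	data := nightHawk.LoadAuditData(nightHawk.MOD_JSON, computername, caseinfo, targetDir, auditfile.AuditFile)
	// Checked assertion: a panic here would take down every sibling goroutine
	// waiting on rlwg; report and return instead.
	rlRecords, ok := data.([]nightHawk.RlJsonRecord)
	if !ok {
		ConsoleMessage("INFO", fmt.Sprintf("Unexpected audit data type %T for %s::%s\n", data, auditfile.AuditGenerator, auditfile.AuditFile), nightHawk.VERBOSE)
		return
	}
	SzRlRecord := len(rlRecords)

	msg := fmt.Sprintf("Process %s::%s with %d records\n", auditfile.AuditGenerator, auditfile.AuditFile, SzRlRecord)
	ConsoleMessage("INFO", msg, nightHawk.VERBOSE)

	// escapeJSON makes s safe inside a JSON string literal: '"' and '\' are
	// backslash-escaped and control characters become \u00XX; all other bytes
	// are copied through unchanged.
	escapeJSON := func(s string) string {
		out := make([]byte, 0, len(s)+2)
		for i := 0; i < len(s); i++ {
			switch c := s[i]; {
			case c == '"' || c == '\\':
				out = append(out, '\\', c)
			case c < 0x20:
				out = append(out, fmt.Sprintf("\\u%04x", c)...)
			default:
				out = append(out, c)
			}
		}
		return string(out)
	}

	// Bulk action line preceding every record; the parent id is escaped so a
	// computer name with a quote, backslash or control character cannot break
	// the literal or inject extra actions into the NDJSON body.
	bulkHeader := "{\"index\":{\"_type\":\"audit_type\", \"_parent\":\"" + escapeJSON(computername) + "\"}}\n"

	if SzRlRecord > nightHawk.BULKPOST_SIZE {
		// Ceiling division: the previous rCount+1 loop started an extra
		// goroutine with an empty range when the count was an exact multiple
		// of BULKPOST_SIZE.
		chunks := (SzRlRecord + nightHawk.BULKPOST_SIZE - 1) / nightHawk.BULKPOST_SIZE
		var wg sync.WaitGroup
		for i := 0; i < chunks; i++ {
			start := i * nightHawk.BULKPOST_SIZE
			stop := start + nightHawk.BULKPOST_SIZE
			if stop > SzRlRecord {
				stop = SzRlRecord
			}
			wg.Add(1)
			go FastUpload(&wg, computername, auditfile.AuditGenerator, start, stop, rlRecords)
		}
		wg.Wait()
	} else {
		// Append into one byte slice; the previous string concatenation
		// re-copied the whole body for every record.
		body := make([]byte, 0, SzRlRecord*(len(bulkHeader)+1))
		for _, bdata := range rlRecords {
			body = append(body, bulkHeader...)
			body = append(body, string(bdata)...)
			body = append(body, '\n')
		}
		nightHawk.ProcessOutput(computername, auditfile.AuditGenerator, body)
	}

	// Processing ProcessMemory Tree
	if auditfile.AuditGenerator == "w32processes-memory" {
		msg = fmt.Sprintf("Process %s::%s\n", nightHawk.PTGenerator, auditfile.AuditFile)
		ConsoleMessage("INFO", msg, nightHawk.VERBOSE)
		jsonData := nightHawk.CreateProcessTree(caseinfo, computername, filepath.Join(targetDir, auditfile.AuditFile))
		esData := append([]byte(bulkHeader), string(jsonData)...)
		esData = append(esData, '\n')
		nightHawk.ProcessOutput(computername, nightHawk.PTGenerator, esData)
	}
}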