예제 #1
0
func LoadSingleAuditFile(caseinfo nightHawk.CaseInformation, computername string, filename string) int {
	ConsoleMessage("INFO", "Processing single audit file from "+computername, nightHawk.VERBOSE)

	targetdir, auditfile := filepath.Split(filename)

	auditname, _ := AuditGeneratorFromFile(filename)

	data := nightHawk.LoadAuditData(nightHawk.MOD_JSON, computername, caseinfo, targetdir, auditfile)
	rlRecords := data.([]nightHawk.RlJsonRecord)

	SzRlRecord := len(rlRecords)

	cmsg := fmt.Sprintf("Processing %s::%s => %s : %d records\n", computername, auditname, auditfile, SzRlRecord)
	ConsoleMessage("INFO", cmsg, nightHawk.VERBOSE)

	if SzRlRecord > nightHawk.BULKPOST_SIZE {

		/// StartTestBlock
		rCount := SzRlRecord / nightHawk.BULKPOST_SIZE

		var wg sync.WaitGroup

		for i := 0; i < rCount+1; i++ {
			wg.Add(1)
			start := i * nightHawk.BULKPOST_SIZE
			stop := start + nightHawk.BULKPOST_SIZE

			if stop > SzRlRecord {
				stop = SzRlRecord
			}

			go FastUpload(&wg, computername, auditname, start, stop, rlRecords)
		}
		wg.Wait()

	} else {
		var EsRlRecord string
		for _, bdata := range rlRecords {
			EsRlRecord += "{\"index\":{\"_type\":\"audit_type\", \"_parent\":\"" + computername + "\"}}" + "\n" + string(bdata) + "\n"
		}
		nightHawk.ProcessOutput(computername, auditname, []byte(EsRlRecord))
	}

	// Processing ProcessMemory Tree
	if auditname == "w32processes-memory" {
		msg := fmt.Sprintf("Process %s::%s\n", auditname, auditfile)
		ConsoleMessage("INFO", msg, nightHawk.VERBOSE)
		jsonData := nightHawk.CreateProcessTree(caseinfo, computername, filename)
		esData := "{\"index\":{\"_type\":\"audit_type\", \"_parent\":\"" + computername + "\"}}" + "\n" + string(jsonData) + "\n"
		nightHawk.ProcessOutput(computername, auditname, []byte(esData))
	}

	return 0
}
예제 #2
0
func GoLoadAudit(rlwg *sync.WaitGroup, computername string, caseinfo nightHawk.CaseInformation, targetDir string, auditfile nightHawk.RlAudit) {
	defer rlwg.Done()

	data := nightHawk.LoadAuditData(nightHawk.MOD_JSON, computername, caseinfo, targetDir, auditfile.AuditFile)
	rlRecords := data.([]nightHawk.RlJsonRecord)

	SzRlRecord := len(rlRecords)

	msg := fmt.Sprintf("Process %s::%s with %d records\n", auditfile.AuditGenerator, auditfile.AuditFile, SzRlRecord)
	ConsoleMessage("INFO", msg, nightHawk.VERBOSE)

	if SzRlRecord > nightHawk.BULKPOST_SIZE {
		rCount := SzRlRecord / nightHawk.BULKPOST_SIZE

		var wg sync.WaitGroup

		for i := 0; i < rCount+1; i++ {
			wg.Add(1)
			start := i * nightHawk.BULKPOST_SIZE
			stop := start + nightHawk.BULKPOST_SIZE

			if stop > SzRlRecord {
				stop = SzRlRecord
			}

			go FastUpload(&wg, computername, auditfile.AuditGenerator, start, stop, rlRecords)
		}
		wg.Wait()
	} else {
		var EsRlRecord string
		for _, bdata := range rlRecords {
			EsRlRecord += "{\"index\":{\"_type\":\"audit_type\", \"_parent\":\"" + computername + "\"}}" + "\n" + string(bdata) + "\n"
		}
		nightHawk.ProcessOutput(computername, auditfile.AuditGenerator, []byte(EsRlRecord))
	}

	// Processing ProcessMemory Tree
	if auditfile.AuditGenerator == "w32processes-memory" {
		msg = fmt.Sprintf("Process %s::%s\n", nightHawk.PTGenerator, auditfile.AuditFile)
		ConsoleMessage("INFO", msg, nightHawk.VERBOSE)
		jsonData := nightHawk.CreateProcessTree(caseinfo, computername, filepath.Join(targetDir, auditfile.AuditFile))
		esData := "{\"index\":{\"_type\":\"audit_type\", \"_parent\":\"" + computername + "\"}}" + "\n" + string(jsonData) + "\n"
		nightHawk.ProcessOutput(computername, nightHawk.PTGenerator, []byte(esData))
	}

}