Struct s4lib::readers::evtxreader::EvtxReader

pub struct EvtxReader { /* private fields */ }

A wrapper for using EvtxParser to read an .evtx format file.

An EvtxReader presumes the file's events are not stored in chronological order.

.evtx files in the wild were found to store events in a non-chronological order, e.g. the XML values at Event.System.TimeCreated are not necessarily in ascending order.
About 2/3 of the files on a long-running Windows 11 system were found to be in this “out of order” state.
More accurately, using evtx_dump to dump a .evtx file displayed the events out of chronological order; whether the file stores them that way or the dumping library emits them that way, evtx_dump is built on the same evtx crate that provides EvtxParser, so either way it is a problem for this program.
This EvtxReader wrapper sorts the events by timestamp and then by order of enumeration, so records that share a TimeCreated value keep their file order and the output order is deterministic.
Unfortunately, this means the entire file must be read into memory before Events can be further processed and then printed.
Also see Issue #86.

Implementations

impl<'a> EvtxReader

Implement the EvtxReader.

pub fn new(path: FPath, filetype: FileType) -> Result<EvtxReader>

Create a new EvtxReader.

NOTE: this should not attempt any file reads, similar to the other *Reader::new() functions.

pub fn mtime(&self) -> SystemTime

pub fn analyze(&mut self, dt_filter_after: &DateTimeLOpt, dt_filter_before: &DateTimeLOpt)

Read the entire file, apply the datetime filters, and store the accepted events in sorted order.

This should be called once before reading events via next.

pub fn next(&mut self) -> Option<Evtx>
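To illustrate the analyze-then-next flow and the "sort by timestamp, then by order of enumeration" rule from the description, here is an added, self-contained stand-in. It is not s4lib's code and does not use the evtx crate: Event, MockEvtxReader and sample_events are hypothetical names introduced here, the records are constructed inline in file enumeration order, i64 Unix seconds stand in for DateTimeL and Option<i64> for DateTimeLOpt, and treating both datetime bounds as inclusive is this example's assumption. dt_first_processed/dt_last_processed are modelled as the earliest and latest timestamps seen, which is this example's reading of those accessors.

```rust
// Added illustration, not s4lib code: a stand-in for EvtxReader that reads
// everything in analyze(), sorts by (TimeCreated, enumeration index), and
// hands events back from next(). Timestamps are i64 Unix seconds instead of
// DateTimeL; filter bounds are Option<i64> instead of DateTimeLOpt and are
// treated as inclusive here (an assumption, not s4lib's documented rule).

/// One event record as enumerated from the file.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Event {
    /// 0-based position in file enumeration order; the sort tie-breaker.
    pub enum_index: usize,
    /// Event.System.TimeCreated, as Unix seconds.
    pub time_created: i64,
    /// Event.System.EventRecordID, carried along for display.
    pub record_id: u64,
}

pub struct MockEvtxReader {
    raw: Vec<Event>,    // what the "file" yields, in enumeration order
    sorted: Vec<Event>, // filled by analyze(), drained by next()
    pos: usize,
    events_processed: usize,
    events_accepted: usize,
    dt_first_processed: Option<i64>, // earliest timestamp seen (this example's reading)
    dt_last_processed: Option<i64>,  // latest timestamp seen
}

impl MockEvtxReader {
    /// Like EvtxReader::new: no reading happens here.
    pub fn new(raw: Vec<Event>) -> Self {
        MockEvtxReader {
            raw, sorted: Vec::new(), pos: 0,
            events_processed: 0, events_accepted: 0,
            dt_first_processed: None, dt_last_processed: None,
        }
    }

    /// Read the whole "file", drop events outside [after, before], and keep
    /// the rest sorted by (time_created, enum_index). The whole file is held
    /// in memory, which is the cost the description above points out.
    pub fn analyze(&mut self, dt_filter_after: Option<i64>, dt_filter_before: Option<i64>) {
        let mut kept = Vec::new();
        for ev in &self.raw {
            self.events_processed += 1;
            let t = ev.time_created;
            self.dt_first_processed = Some(self.dt_first_processed.map_or(t, |d| d.min(t)));
            self.dt_last_processed = Some(self.dt_last_processed.map_or(t, |d| d.max(t)));
            let after_ok = dt_filter_after.map_or(true, |a| t >= a);
            let before_ok = dt_filter_before.map_or(true, |b| t <= b);
            if after_ok && before_ok {
                kept.push(ev.clone());
            }
        }
        // Sorting on the tuple keeps the order deterministic even when two
        // records carry identical TimeCreated values: file order decides.
        kept.sort_by_key(|e| (e.time_created, e.enum_index));
        self.events_accepted = kept.len();
        self.sorted = kept;
        self.pos = 0;
    }

    /// Hand back the next accepted event in sorted order.
    pub fn next(&mut self) -> Option<Event> {
        let ev = self.sorted.get(self.pos).cloned();
        if ev.is_some() { self.pos += 1; }
        ev
    }

    pub fn count_events_processed(&self) -> usize { self.events_processed }
    pub fn count_events_accepted(&self) -> usize { self.events_accepted }
    pub fn dt_first_processed(&self) -> Option<i64> { self.dt_first_processed }
    pub fn dt_last_processed(&self) -> Option<i64> { self.dt_last_processed }
    /// After analyze() the accepted set is sorted, so first/last are its ends.
    pub fn dt_first_accepted(&self) -> Option<i64> { self.sorted.first().map(|e| e.time_created) }
    pub fn dt_last_accepted(&self) -> Option<i64> { self.sorted.last().map(|e| e.time_created) }
}

/// Constructed sample: six records whose TimeCreated values are out of order
/// in the file, two of which (101 and 103) share a timestamp.
pub fn sample_events() -> Vec<Event> {
    let times_and_ids = [
        (1_700_000_300, 101), (1_700_000_100, 102), (1_700_000_300, 103),
        (1_700_000_200, 104), (1_700_000_050, 105), (1_700_000_400, 106),
    ];
    times_and_ids.iter().enumerate()
        .map(|(i, &(t, rid))| Event { enum_index: i, time_created: t, record_id: rid })
        .collect()
}

fn main() {
    let mut reader = MockEvtxReader::new(sample_events());
    reader.analyze(Some(1_700_000_100), Some(1_700_000_350));
    while let Some(ev) = reader.next() {
        println!("record {} at {} (file position {})", ev.record_id, ev.time_created, ev.enum_index);
    }
    println!("processed {}, accepted {}", reader.count_events_processed(), reader.count_events_accepted());
}
```

With the constructed input the reader yields records 102, 104, 101, 103: records 105 and 106 fall outside the bounds, and 101 precedes 103 because they share a timestamp and 101 comes first in the file. That tie rule is what keeps output order stable from run to run when such a file is merged into a timeline with other sources.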

pub fn count_events_processed(&self) -> Count

Count of Evtxs processed by this EvtxReader (i.e. self.events_processed).

pub fn count_events_accepted(&self) -> Count

pub const fn path(&self) -> &FPath

pub const fn filetype(&self) -> FileType

pub const fn filesz(&self) -> FileSz

pub fn dt_first_processed(&self) -> DateTimeLOpt

Return the DateTimeL of the first Evtx processed.

pub fn dt_last_processed(&self) -> DateTimeLOpt

Return the DateTimeL of the last Evtx processed.

pub fn dt_first_accepted(&self) -> DateTimeLOpt

Return the DateTimeL of the first Evtx accepted by the datetime filters.

pub fn dt_last_accepted(&self) -> DateTimeLOpt

Return the DateTimeL of the last Evtx accepted by the datetime filters.

pub fn summary(&self) -> SummaryEvtxReader

Return an up-to-date SummaryEvtxReader instance for this EvtxReader.

pub fn summary_complete(&self) -> Summary

Return an up-to-date Summary instance for this EvtxReader.

Trait Implementations

impl<'a> Debug for EvtxReader

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

Auto Trait Implementations

Blanket Implementations

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self.

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value.

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value.

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> IntoEither for T

fn into_either(self, into_left: bool) -> Either<Self, Self>

Converts self into a Left variant of Either<Self, Self> if into_left is true. Converts self into a Right variant of Either<Self, Self> otherwise.

fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
where F: FnOnce(&Self) -> bool,

Converts self into a Left variant of Either<Self, Self> if into_left(&self) returns true. Converts self into a Right variant of Either<Self, Self> otherwise.

impl<T> Pointable for T

const ALIGN: usize = _

The alignment of pointer.

type Init = T

The type for initializers.

unsafe fn init(init: <T as Pointable>::Init) -> usize

Initializes a value with the given initializer.

unsafe fn deref<'a>(ptr: usize) -> &'a T

Dereferences the given pointer.

unsafe fn deref_mut<'a>(ptr: usize) -> &'a mut T

Mutably dereferences the given pointer.

unsafe fn drop(ptr: usize)

Drops the object pointed to by the given pointer.

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.