Manual Reference Pages  -  LOG2T::INPUT::EVT (3)

NAME

structure - an input module for log2timeline that parses Windows 2000/XP/2003 Event Log (EVT) files.

SYNOPSIS

  my $format = "structure";
  require $format_dir . "/" . $format . ".pl";

  $format->verify( $log_file );
  $format->prepare_file( $log_file, @ARGV );

  $line = $format->load_line();

  $t_line = $format->parse_line();

DESCRIPTION

An input module that parses Windows Event Log (EVT) files. It is mostly based on a Perl script originally written by H. Carvey as part of his timeline toolkit.

SUBROUTINES

get_version()
    Returns the version number of the input module.

get_description()
    Returns a string containing a short description of the functionality of the input module. This string is used when log2timeline prints the list of all available input modules, so it should be very short, mostly saying which type of log file/artifact/directory the input module is designed to parse.

prepare_file( $file, @ARGV )
    The purpose of this subroutine is to prepare the log file or artifact for parsing. Usually this involves just opening the file (if plain text) or otherwise building a structure that can be used by the other functions.

    This function accepts the path to the log file/directory/artifact to parse as well as an array containing the parameters passed to the input module. These parameters are used to adjust settings of the input module, for example to provide a username and a hostname to include in the timeline.

    The function returns an integer indicating whether or not it was successful at preparing the input file/directory/artifact for further processing.

load_line()
    This function starts by checking whether there are any lines left in the log file/artifact that carry a date and need to be parsed. It then loads the line (or an index value) into a global variable that can be read by parse_line, and returns 1 to the main script, indicating that a line has been loaded.

    When all of the lines in the log file/directory/artifact have been parsed, 0 is returned to the main script, indicating that there are no more lines to parse.

close_file()
    A subroutine that closes the file after it has been parsed and performs any additional operations needed to close the file/directory/artifact (such as disconnecting any database connections).

    The subroutine returns an integer indicating whether or not it was successful at closing the file.

parse_line()
    This is usually the main subroutine of the format file. It depends on load_line having loaded a line of the log file into a global variable; it then parses that line to produce the hash t_line, which the main script reads and sends to the output modules to produce a timeline or a bodyfile.

    The content of the hash t_line is the following:

      %t_line {
        md5,      # MD5 sum of the file
        name,     # the main text that appears in the timeline
        title,    # short description used by some output modules
        source,   # the source of the timeline, usually the same name or similar to the name of the package
        user,     # the username that owns the file or produced the artifact
        host,     # the hostname that the file belongs to
        inode,    # the inode number of the file that contains the artifact
        mode,     # the access rights of the file
        uid,      # the UID of the user that owns the file/artifact
        gid,      # the GID of the user that owns the file/artifact
        size,     # the size of the file/artifact
        atime,    # time in epoch representing the last ACCESS time
        mtime,    # time in epoch representing the last MODIFICATION time
        ctime,    # time in epoch representing the CREATION time (or MFT/INODE modification time)
        crtime    # time in epoch representing the CREATION time
      }

    The subroutine returns a reference to the hash (t_line) that the main script (log2timeline) uses to produce the actual timeline. The hash is processed by the main script before being forwarded to an output module for the actual printing of a bodyfile.

get_help()
    A simple subroutine that returns a string containing the help message for this particular input module. This also contains a longer description of the input module, describing each parameter that can be passed to it. It sometimes contains a list of all dependencies and possibly some instructions on how to install them on the system, to make it easier to put the input module to use.

verify( $log_file )
    This subroutine takes as an argument the name of the file (file/dir/artifact) to be parsed and verifies its structure to determine whether it really is of the correct format.

    This is needed because there is no point in trying to parse the file/directory/artifact if the input module is unable to parse it (if it was not designed to parse it).

    It is also important to validate the file because the scanner function will try to parse every file it finds and uses this verify function to decide whether or not a particular file/dir/artifact is supported. It is therefore very important to implement this function so that it verifies the file structure without false positives and without taking too long.

    This subroutine returns a reference to a hash that contains two values:

    success  An integer indicating whether or not the input module is able to parse the file/directory/artifact.
    msg      A message indicating the reason why the input module was not able to parse the file/directory/artifact.
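The following is an added, self-contained Perl script illustrating the subroutine lifecycle described above (verify, prepare_file, load_line, parse_line, close_file) against the EVT format; it is not code from log2timeline or from H. Carvey's toolkit. It assumes the Windows 2000/XP/2003 EVT layout (a 48-byte file header and a 56-byte fixed record header, both carrying the LfLe signature at offset 4, little-endian fields, UTF-16LE source and computer names, and an EOF record whose signature field is 0x11111111). The package name Demo::Input::Evt, the optional hostname parameter, the md5/inode/uid/gid/size placeholders and the two-record sample log built by make_record/make_evt are this example's own constructions.

```perl
# Added example (not log2timeline's or H. Carvey's code): a minimal EVT input module
# in the shape described above, exercised against a constructed two-record event log.
use strict; use warnings; use Encode (); use POSIX qw(strftime);

package Demo::Input::Evt;   # hypothetical package name for this example

my $SIG = 'LfLe';   # signature at offset 4 of the 48-byte file header and of every record
my %EVENT_TYPE = (1 => 'Error', 2 => 'Warning', 4 => 'Information', 8 => 'Audit Success', 16 => 'Audit Failure');
my (@records, $idx, $line, $host);   # module state shared by load_line/parse_line, as described above

sub verify {   # cheap header check only, so the scanner gets no false positives
    my ($class, $file) = @_;
    open(my $fh, '<:raw', $file) or return { success => 0, msg => "cannot open: $!" };
    my $n = read($fh, my $hdr, 48) // 0;
    close $fh;
    my ($size, $sig, $major, $minor) = $n == 48 ? unpack('V a4 V V', $hdr) : (0, '', 0, 0);
    return { success => 0, msg => 'no 48-byte LfLe header' } if $size != 0x30 || $sig ne $SIG;
    return { success => 0, msg => "unsupported version $major.$minor" } if $major != 1 || $minor != 1;
    return { success => 1, msg => 'EVT header verified' };
}

sub prepare_file {   # collect each record's raw bytes; stop at the EOF record or a corrupt length
    my ($class, $file, @args) = @_;
    open(my $fh, '<:raw', $file) or return 0;
    my $data = do { local $/; <$fh> };
    close $fh;
    ($host, $idx, @records) = ($args[0], 0);   # optional hostname parameter overrides the record's
    my $off = 0x30;                              # first record follows the file header
    while ($off + 56 <= length $data) {
        my ($len, $sig) = unpack('V a4', substr($data, $off, 8));
        last if $sig ne $SIG || $len < 56 || $off + $len > length $data;   # EOF record has 0x11111111 here
        push @records, substr($data, $off, $len);
        $off += $len;
    }
    return 1;
}

# 1 while a record remains (placed in $line for parse_line), 0 once all have been handed out
sub load_line { return 0 if $idx >= @records; $line = $records[$idx++]; return 1 }

sub _utf16z {   # NUL-terminated UTF-16LE string at $off -> (string, offset past the terminator)
    my ($buf, $off) = @_;
    substr($buf, $off) =~ /\A((?:..)*?)\0\0/s or return ('', length $buf);
    return (Encode::decode('UTF-16LE', $1), $off + length($1) + 2);
}

sub parse_line {   # unpack the 56-byte record header of $line and build the t_line hash
    my (undef, undef, undef, $t_gen, $t_wr, $eid, $etype, $nstr, undef, undef, undef, $str_off)
        = unpack('V a4 V V V V v v v v V V', $line);
    my ($source, $next) = _utf16z($line, 56);
    my ($computer)      = _utf16z($line, $next);
    my ($p, @strings) = ($str_off);
    for (1 .. $nstr) { my $s; ($s, $p) = _utf16z($line, $p); push @strings, $s }
    my ($code, $type) = ($eid & 0xFFFF, $EVENT_TYPE{$etype} // "Unknown($etype)");   # low 16 bits = Event ID
    return { md5 => '', source => 'EVT', user => '',   # the record carries a SID, not a user name
             name  => sprintf('%s/%d;%s;%s', $source, $code, $type, join(',', @strings)),
             title => "$source event $code ($type)", host => $host // $computer,
             inode => 0, mode => 0, uid => 0, gid => 0, size => 0,
             atime => $t_wr, mtime => $t_wr, ctime => $t_gen, crtime => $t_gen };
}

sub close_file { @records = (); return 1 }

package main;

# Constructed sample data: one record in the EVT layout (56-byte header, UTF-16LE
# source and computer names, insertion strings, 4-byte padding, trailing length)
sub make_record {
    my %r = @_;
    my $u16   = sub { Encode::encode('UTF-16LE', $_[0]) . "\0\0" };
    my $names = $u16->($r{source}) . $u16->($r{computer});
    my $body  = $names . join('', map { $u16->($_) } @{ $r{strings} });
    $body .= "\0" x ((4 - length($body) % 4) % 4);
    my $len = 56 + length($body) + 4;
    return pack('V a4 V V V V v v v v V V V V V V', $len, $SIG, $r{num}, $r{time}, $r{time}, $r{event_id},
                $r{type}, scalar @{ $r{strings} }, 0, 0, 0, 56 + length($names), 0, 0, 0, 0)
           . $body . pack('V', $len);
}

sub make_evt {   # 48-byte file header, the records, then the EOF record
    my $body = join '', @_;
    my ($end, $next) = (0x30 + length($body), @_ + 1);
    return pack('V a4 V10', 0x30, $SIG, 1, 1, 0x30, $end, $next, 1, 0x10000, 0, 0, 0x30) . $body
         . pack('V10', 0x28, 0x11111111, 0x22222222, 0x33333333, 0x44444444, 0x30, $end, $next, 1, 0x28);
}

my $evt = make_evt(
    make_record(num => 1, time => 1337000000, event_id => 6009, type => 4, source => 'EventLog',
                computer => 'WS01', strings => ['5.02.', '3790', 'Service Pack 2']),
    make_record(num => 2, time => 1337000060, event_id => 529, type => 16, source => 'Security',
                computer => 'WS01', strings => ['bob', 'WS01', '2']));
my $format = 'Demo::Input::Evt';         # class-method style, as in the SYNOPSIS
my $check  = $format->verify(\$evt);     # in-memory file; a path string works the same with open()
die "verify: $check->{msg}\n" unless $check->{success};
$format->prepare_file(\$evt) or die "prepare_file failed\n";
while ($format->load_line()) {
    my $t = $format->parse_line();
    printf "%s|%s|%s|%s\n", strftime('%Y-%m-%d %H:%M:%S', gmtime $t->{mtime}), $t->{host}, $t->{source}, $t->{name};
}
$format->close_file();
```

The split of work follows the page's advice: verify reads only the first 48 bytes and rejects anything without the expected size, signature and version, so the scanner can probe every file cheaply without false positives, while the costly walk over records happens in prepare_file and the per-record decoding in parse_line. Stopping at the first record whose signature or length does not fit keeps a truncated or corrupt log from producing garbage timeline entries rather than aborting the whole run.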

AUTHOR

Kristinn Gudjonsson <kristinn (a t) log2timeline ( d o t ) net> is the original author of the program. This input module, however, is derived mostly from H. Carvey's Perl script, which is part of his timeline toolkit and is available through the win4n6 Yahoo group.

COPYRIGHT

The tool is released under the GPL, so anyone can contribute to it. Copyright 2009.



perl v5.20.3 LOG2T::INPUT::EVT (3) 2012-05-22