:py:mod:`dissect.etl.headers.logfile`
=====================================

.. py:module:: dissect.etl.headers.logfile


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.etl.headers.logfile.ReservedFlags
   dissect.etl.headers.logfile.LogfileHeader


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.etl.headers.logfile.logfile_def


.. py:data:: logfile_def
   :value: Multiline-String

   .. code-block:: python

      """
      struct SYSTEMTIME {
          WORD wYear;
          WORD wMonth;
          WORD wDayOfWeek;
          WORD wDay;
          WORD wHour;
          WORD wMinute;
          WORD wSecond;
          WORD wMilliseconds;
      };

      struct TZInfo {
          LONG        Bias;
          wchar       StandardName[32];
          SYSTEMTIME  StandardDate;
          LONG        StandardBias;
          wchar       DaylightName[32];
          SYSTEMTIME  DaylightDate;
          LONG        DaylightBias;
      };

      struct TraceLogfileHeader {
          uint32  BufferSize;
          union version_information {
              uint32  Version;
              struct VersionDetail {
                  uchar   MajorVersion;
                  uchar   MinorVersion;
                  uchar   SubVersion;
                  uchar   SubMinorVersion;
              };
          };
          uint32  ProviderVersion;
          uint32  NumberOfProcessors;
          uint64  EndTime;
          uint32  TimerResolution;
          uint32  MaximumFileSize;
          uint32  LogFileMode;
          uint32  BuffersWritten;
          union {
              char    LogInstanceGuid[16];
              struct {
                  uint32  StartBuffers;
                  uint32  PointerSize;
                  uint32  EventsLost;
                  uint32  CpuSpeedInMHz;
              };
          };
          PWSTR   LoggerName;
          PWSTR   LogFileName;
          TZInfo  TimeZone;
          uint32  padding;    /* TZInfo is 0xAC (172) bytes; BootTime is an 8-byte aligned LARGE_INTEGER,
                                 so 4 bytes of alignment padding make the timezone block 0xB0 bytes in total */
          uint64  BootTime;
          uint64  PerfFreq;
          uint64  StartTime;
          uint32  ReservedFlags;
          uint32  BufferLost;
      };

      struct LogFileNames {
          wchar   LoggerName[];
          wchar   LogFileName[];
      };
      """
.. py:class:: ReservedFlags

   Bases: :py:obj:`enum.IntEnum`

   Enum where members are also (and must be) ints

   .. py:attribute:: PERFORMANCE_FREQ
      :value: 1

   .. py:attribute:: FILETIME
      :value: 2

   .. py:attribute:: CPU_FREQ
      :value: 3


.. py:class:: LogfileHeader(calling_header: dissect.etl.headers.system.SystemHeader)

   The logfile header. It is the payload of the first event in an ETL file.

   There is also a manifest file that parses this specific header. However, as it is a standard event that is present in every ETL file (and it requires some special handling for timestamp calculation), there is a dedicated parser for it.

   .. py:property:: header
      :type: dissect.cstruct.Structure

      The parsed header of the event.

   .. py:property:: payload
      :type: memoryview

      The payload data for the event.

   .. py:property:: is_64bit
      :type: bool

   .. py:property:: minimal_size
      :type: int

      Minimum header size.

   .. py:property:: cpu_speed_in_MHz
      :type: int

      The CPU speed that was recorded inside the logfile header.

   .. py:property:: perf_freq
      :type: int

      The performance frequency used to record the ETL file.

   .. py:property:: start_time
      :type: int

      When the ETL file started to record.

   .. py:property:: pointer_size
      :type: int

      The size of string pointers.

   .. py:property:: end_time
      :type: int

      The time the last event was written to the ETL file.

   .. py:property:: buffers_written
      :type: int

      The number of buffers written to the file.
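The following is an added, stand-alone example and not code from dissect.etl: it parses the ``TraceLogfileHeader`` layout given in ``logfile_def`` with the standard-library ``struct`` module instead of ``dissect.cstruct``, so that the field offsets, the two union members, the pointer-size dependent ``PWSTR`` fields and the ``LogFileNames`` trailer can be checked by hand. Everything it assumes is labelled in the code: that the ``PointerSize`` member of the second union decides whether the ``PWSTR`` fields are 4 or 8 bytes wide (how ``LogfileHeader.is_64bit`` is really derived is not stated on this page), that QPC and CPU-cycle timestamps count from ``BootTime`` when converted to FILETIME (the library's own timestamp handling may differ), and that the sample header bytes are constructed here rather than taken from a real ETL file. Names such as ``tz_standard_name`` and ``build_sample_header`` are this example's, not the library's.

```python
# Added example (not dissect.etl's code): stdlib struct instead of dissect.cstruct.
import struct
from dataclasses import dataclass
from enum import IntEnum

FILETIME_PER_SEC = 10_000_000  # FILETIME counts 100 ns intervals


class ReservedFlags(IntEnum):
    PERFORMANCE_FREQ = 1  # raw timestamps are QPC ticks, PerfFreq per second
    FILETIME = 2          # raw timestamps are already FILETIME values
    CPU_FREQ = 3          # raw timestamps are CPU cycles, CpuSpeedInMHz * 1e6 per second


_FIXED_FMT = "<4IQ8I"        # BufferSize .. CpuSpeedInMHz: the 56 bytes before the two PWSTRs
_TZ_FMT = "<i64s8Hi64s8Hi"   # TZInfo: 172 bytes (0xAC)
_TAIL_FMT = "<IQQQII"        # padding, BootTime, PerfFreq, StartTime, ReservedFlags, BufferLost


@dataclass
class LogfileHeader:
    version: tuple  # (MajorVersion, MinorVersion, SubVersion, SubMinorVersion)
    end_time: int
    pointer_size: int
    cpu_speed_in_mhz: int
    tz_standard_name: str
    boot_time: int
    perf_freq: int
    start_time: int
    reserved_flags: ReservedFlags
    logger_name: str
    log_file_name: str

    @property
    def is_64bit(self) -> bool:
        return self.pointer_size == 8


def minimal_size(pointer_size: int) -> int:
    """Fixed struct size for a given PWSTR width: 272 (32-bit) or 280 (64-bit)."""
    return (struct.calcsize(_FIXED_FMT) + 2 * pointer_size
            + struct.calcsize(_TZ_FMT) + struct.calcsize(_TAIL_FMT))


def _read_wstrz(buf: bytes, off: int):
    # One NUL-terminated UTF-16LE string of the LogFileNames trailer; step 2 bytes at a time.
    end = off
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le"), end + 2


def parse_logfile_header(payload: bytes) -> LogfileHeader:
    if len(payload) < struct.calcsize(_FIXED_FMT):
        raise ValueError("payload shorter than the fixed part of the header")
    (_size, version, _prov, _nproc, end_time, _res, _max, _mode, _written, _sb,
     ptr_size, _lost, cpu_mhz) = struct.unpack_from(_FIXED_FMT, payload, 0)
    # Assumption of this example: the union's PointerSize member gives the width
    # of the two PWSTR fields, i.e. whether a 32- or 64-bit logger wrote the file.
    if ptr_size not in (4, 8) or len(payload) < minimal_size(ptr_size):
        raise ValueError(f"bad PointerSize {ptr_size} or truncated payload")
    off = struct.calcsize(_FIXED_FMT) + 2 * ptr_size  # skip the in-memory-only pointers
    tz = struct.unpack_from(_TZ_FMT, payload, off)
    off += struct.calcsize(_TZ_FMT)
    _pad, boot, freq, start, flags, _blost = struct.unpack_from(_TAIL_FMT, payload, off)
    off += struct.calcsize(_TAIL_FMT)
    logger_name, off = _read_wstrz(payload, off)
    log_file_name, _ = _read_wstrz(payload, off)
    return LogfileHeader(
        version=(version & 0xFF, (version >> 8) & 0xFF, (version >> 16) & 0xFF, version >> 24),
        end_time=end_time, pointer_size=ptr_size, cpu_speed_in_mhz=cpu_mhz,
        tz_standard_name=tz[1].decode("utf-16-le").split("\x00", 1)[0],
        boot_time=boot, perf_freq=freq, start_time=start,
        reserved_flags=ReservedFlags(flags),  # ValueError on an unknown clock type
        logger_name=logger_name, log_file_name=log_file_name)


def timestamp_to_filetime(raw: int, hdr: LogfileHeader) -> int:
    """Raw event timestamp -> FILETIME by clock type. Assumption of this example:
    QPC and cycle counters count from boot, so BootTime is the reference."""
    if hdr.reserved_flags == ReservedFlags.FILETIME:
        return raw
    if hdr.reserved_flags == ReservedFlags.PERFORMANCE_FREQ:
        return hdr.boot_time + raw * FILETIME_PER_SEC // hdr.perf_freq
    return hdr.boot_time + raw * 10 // hdr.cpu_speed_in_mhz  # cycles / (MHz * 1e6) s, in 100 ns


def build_sample_header(pointer_size: int = 8) -> bytes:
    """Constructed sample payload (not taken from a real ETL file)."""
    boot = 133_000_000_000_000_000
    start = boot + 600 * FILETIME_PER_SEC            # session started 10 min after boot
    version = 2 | (0 << 8) | (3 << 16) | (10 << 24)  # 2.0.3.10, MajorVersion in the low byte
    fixed = struct.pack(_FIXED_FMT, 0x10000, version, 22621, 8, start + 30 * FILETIME_PER_SEC,
                        156_250, 0, 1, 42, 1, pointer_size, 0, 3000)
    tz = struct.pack(_TZ_FMT, 300, "Eastern Standard Time".encode("utf-16-le").ljust(64, b"\0"),
                     *([0] * 8), 0, "Eastern Daylight Time".encode("utf-16-le").ljust(64, b"\0"),
                     *([0] * 8), -60)
    tail = struct.pack(_TAIL_FMT, 0, boot, FILETIME_PER_SEC, start, ReservedFlags.PERFORMANCE_FREQ, 0)
    names = "NT Kernel Logger\0example.etl\0".encode("utf-16-le")
    return fixed + b"\0" * (2 * pointer_size) + tz + tail + names
```

Parsing ``build_sample_header()`` yields an 8-byte-pointer header whose ``LoggerName`` is ``NT Kernel Logger``, and ``build_sample_header(4)`` exercises the 272-byte 32-bit layout with the same trailer; a payload shorter than ``minimal_size`` is rejected before the timezone and timing fields are read, which is the check a parser needs before trusting ``PerfFreq`` and ``BootTime`` for timestamp conversion.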