:py:mod:`dissect.target.plugins.os.windows.log.evt`
===================================================

.. py:module:: dissect.target.plugins.os.windows.log.evt


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.log.evt.WindowsEventlogsMixin
   dissect.target.plugins.os.windows.log.evt.EvtPlugin


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.log.evt.re_illegal_characters
   dissect.target.plugins.os.windows.log.evt.EvtRecordDescriptor
   dissect.target.plugins.os.windows.log.evt.EVT_GLOB


.. py:data:: re_illegal_characters

.. py:data:: EvtRecordDescriptor

.. py:data:: EVT_GLOB
   :value: '*.evt'


.. py:class:: WindowsEventlogsMixin

   .. py:attribute:: EVENTLOG_REGISTRY_KEY
      :value: 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Eventlog'

   .. py:attribute:: LOGS_DIR_PATH

   .. py:method:: get_logs(filename_glob='*') -> List[pathlib.Path]

   .. py:method:: get_logs_from_dir(logs_dir: str, filename_glob: str = '*') -> List[pathlib.Path]

   .. py:method:: get_logs_from_registry(filename_glob: str = '*') -> List[pathlib.Path]

   .. py:method:: check_compatible() -> None


.. py:class:: EvtPlugin(target: dissect.target.Target)

   Bases: :py:obj:`WindowsEventlogsMixin`, :py:obj:`dissect.target.plugin.Plugin`

   Base class for plugins.

   Plugins can optionally be namespaced by specifying the ``__namespace__`` class attribute.
   Namespacing means the plugin must be prefixed with this namespace when it is called.
   For example, if your plugin specifies ``test`` as its namespace and has a function called ``example``,
   you must call it as ``test.example``.

   A ``Plugin`` class has the following private class attributes:

   - ``__namespace__``
   - ``__record_descriptors__``

   The following three are assigned in :func:`register`:

   - ``__plugin__``
   - ``__functions__``
   - ``__exports__``

   Additionally, the methods and attributes of :class:`Plugin` receive more private attributes through decorators.

   The :func:`export` decorator adds the following private attributes:

   - ``__exported__``
   - ``__output__``: Set with the :func:`export` decorator.
   - ``__record__``: Set with the :func:`export` decorator.

   The :func:`internal` decorator and :class:`InternalPlugin` set the ``__internal__`` attribute.

   Finally, the :func:`args` decorator sets the ``__args__`` attribute.

   :param target: The :class:`~dissect.target.target.Target` object to load the plugin for.

   .. py:attribute:: LOGS_DIR_PATH
      :value: 'sysvol/windows/system32/config'

   .. py:attribute:: NEEDLE
      :value: b'LfLe'

   .. py:attribute:: CHUNK_SIZE
      :value: 65536

   .. py:method:: evt(log_file_glob: str = EVT_GLOB, logs_dir: Optional[str] = None) -> Generator[flow.record.Record, None, None]

      Parse Windows Eventlog files (``*.evt``).

      Yields dynamically created records based on the fields in the event.
      Each record contains at least the following fields:

      - hostname (string): The target hostname.
      - domain (string): The target domain.
      - ts (datetime): The TimeCreated_SystemTime field of the event.
      - Provider_Name (string): The Provider_Name field of the event.
      - EventID (int): The EventID of the event.

   .. py:method:: scraped_evt() -> Generator[flow.record.Record, None, None]

      Yields EVT log file records scraped from target disks.