SecureArtisan

My Road to Digital Forensics Excellence

Parsing Log Records

Posted by Paul Bobby on August 30, 2010

Although I like to use Log Records (they can contain more data than a bookmark), creating reports from them is problematic. I have a Yahoo Chat log parser that creates Log Records from chat logs, but of course producing a report was an issue. The following code snippet illustrates a simple loop through the Log Record structure based on selecting a parent bookmark.

       forall (BookmarkClass b in c.BookmarkRoot()) {
         if (b.IsSelected()) {
           if (b.BookmarkType() == "Log Record") {
             LogRecordClass recs();
             // GetDataRoot() fills 'recs' (passed by reference) when the bookmark holds Log Records
             if (b.GetDataRoot(recs)) {
               forall (LogRecordClass rec in recs) {
                 // 'local' is a LocalFileClass opened for writing before this loop
                 CLog.Debug(rec.Name() + "," + rec.Created().GetString() + "," + rec.Comment());
                 local.WriteLine(rec.Name() + "," + rec.Created().GetString() + "," + rec.Comment());
               }
             }
           }
         }
       }

The key is the line “b.GetDataRoot(recs)”, which returns TRUE if the bookmark’s data is of type LogRecordClass. Once inside the forall loop, you can do whatever you want with the Log Record data.

What is strange is that ‘recs’ is not initialized, and yet when it is used in the GetDataRoot() method, it has a value and can be iterated against. There’s probably an OOP reason for this, but bally if I know.
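As an added example (not the post's own code), here is the same walk turned into a complete EnScript that writes a CSV report. It targets the EnCase 6 era API used above; the output path, the record counter and the Quote() helper are my own assumptions, and Quote() is there because a comma or quote inside a record's Comment would otherwise shift the columns of the report.

```enscript
// Added example, not from the original post: write selected Log Record
// bookmarks to a CSV file. Assumes the EnCase 6 EnScript API seen above.
class MainClass {

  // Wrap a field in double quotes and double any embedded quotes, so commas
  // or quotes inside Name/Comment cannot break the CSV layout (my helper).
  String Quote(const String &field) {
    String s = field;
    s.Replace("\"", "\"\"");
    return "\"" + s + "\"";
  }

  void Main(CaseClass c) {
    SystemClass::ClearConsole();
    LocalFileClass report();
    String path = "C:\\Reports\\logrecords.csv";   // assumed output location

    if (!report.Open(path, FileClass::WRITETEXTCRLF)) {
      Console.WriteLine("Could not open " + path + ": " + SystemClass::LastError());
      return;
    }
    report.WriteLine("Name,Created,Comment");

    uint count = 0;
    forall (BookmarkClass b in c.BookmarkRoot()) {
      if (b.IsSelected()) {
        LogRecordClass recs();
        // GetDataRoot() fills 'recs' (passed by reference) only when the
        // bookmark holds Log Records; other bookmark types return false.
        if (b.GetDataRoot(recs)) {
          forall (LogRecordClass rec in recs) {
            report.WriteLine(Quote(rec.Name()) + "," +
                             Quote(rec.Created().GetString()) + "," +
                             Quote(rec.Comment()));
            count++;
          }
        }
      }
    }
    report.Close();
    Console.WriteLine("Wrote " + count + " log records to " + path);
  }
}
```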

2 Responses to “Parsing Log Records”

  1. A. Thulin said

    Not sure I understand the problem, but ‘recs’ *is* initialized by the call to b.GetDataRoot(recs), isn’t it? — if GetDataRoot() returns ‘true’, the parameter (recs) has been replaced (?) with an object of the identified type, LogRecordClass.

    The help file is not as clear on details as I would like to see — it’s probably written by someone who doesn’t have to make sense of it or apply the information in it to real-life situations — but from the examples given, and the parameter passing method (&), it seems to be a reasonable explanation.

  2. Paul Bobby said

    Hey Anders, thanks for the comment.

    Yeah I’m not the uber OOP programmer that I would like to be, and so passing in an object as a parameter I can understand, but then having that object point to exactly what I need without the usual ‘return’ seems like some sort of magical fu to me 🙂
