Changes to handling message file resource paths log2timeline#4259

joachimmetz · Dec 31, 2023 · 13f7a99 · 13f7a99
1 parent 122f47c
commit 13f7a99
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 9 deletions.
diff --git a/plaso/formatters/winevt.py b/plaso/formatters/winevt.py
@@ -36,18 +36,23 @@ def FormatEventValues(self, output_mediator, event_values):
       message_string_template = self._winevt_resources_helper.GetMessageString(
           provider_identifier, source_name, message_identifier, event_version)
       if message_string_template:
-        string_values = [
-            string or '' for string in event_values.get('strings', [])]
+        string_values = []
+        for string_value in event_values.get('strings', []):
+          if string_value is None:
+            string_value = ''
+
+          string_values.append(string_value)
 
         try:
           message_string = message_string_template.format(*string_values)
         except (IndexError, TypeError) as exception:
+          provider_identifier = provider_identifier or ''
+          strings = ', '.join(string_values)
           logger.error((
-              'Unable to format message: 0x{0:08x} of provider: {1:s} '
-              'template: "{2:s}" and strings: "{3:s}" with error: '
-              '{4!s}').format(
-                  message_identifier, provider_identifier or '',
-                  message_string_template, ', '.join(string_values), exception))
+              f'Unable to format message: 0x{message_identifier:08x} of '
+              f'provider: {provider_identifier:s} template: '
+              f'"{message_string_template:s}" and strings: "{strings:s}" '
+              f'with error: {exception!s}'))
           # Unable to create the message string.
           # TODO: consider returning the unformatted message string.
 

diff --git a/plaso/output/winevt_rc.py b/plaso/output/winevt_rc.py
@@ -594,7 +594,7 @@ def _ReadWindowsEventLogMessageString(
     if not message_file_identifiers:
       logger.warning((
           f'No message file for message: 0x{message_identifier:08x} '
-          f'(0x{original_message_identifier:08x}) '
+          f'(original: 0x{original_message_identifier:08x}) '
           f'of provider: {lookup_key:s}'))
       return None
 
@@ -615,7 +615,7 @@ def _ReadWindowsEventLogMessageString(
     if not message_strings:
       logger.warning((
           f'No message string for message: 0x{message_identifier:08x} '
-          f'(0x{original_message_identifier:08x}) '
+          f'(original: 0x{original_message_identifier:08x}) '
           f'of provider: {lookup_key:s}'))
       return None