A library for fast import of Windows NT Registry (REGF) into Elasticsearch.
reg2es
reg2es uses the C library libregf.
Usage
When using from the commandline interface:
$ reg2es /path/to/your/file.DAT
When using from the python-script:
from reg2es import reg2es

if __name__ == '__main__':
    filepath = '/path/to/your/file.DAT'
    reg2es(filepath)
Arguments
reg2es supports importing from multiple files.
$ reg2es NTUSER.DAT SYSTEM SAM
It is also possible to import recursively from a directory.
Note: in this case the filenames are not checked, so remove any unnecessary files from the directory before running.
$ tree .
regfiles/
├── NTUSER.DAT
├── NTUSER.MAN
├── SAM
└── subdirectory/
    ├── SOFTWARE
    └── subsubdirectory/
        ├── SYSTEM
        └── UsrClass.dat
$ reg2es /regfiles/ # The path is recursively expanded to the six files above.
Options
--version, -v
--help, -h
--quiet, -q
    Flag to suppress standard output
    (default: False)
--host:
    Elasticsearch host address
    (default: localhost)
--port:
    Elasticsearch port number
    (default: 9200)
--index:
    Index name of the import destination
    (default: reg2es)
--scheme:
    Scheme to use (http or https)
    (default: http)
--pipeline:
    Elasticsearch ingest pipeline to use
    (default: )
--login:
    The login to use if Elastic Security is enabled
    (default: )
--pwd:
    The password linked to the login provided
    (default: )
--fields-limit:
    index.mapping.total_fields.limit setting
    (default: 10000)
Examples
When using from the commandline interface:
$ reg2es /path/to/your/file.dat --host=localhost --port=9200 --index=foobar
When using from the python-script:
from reg2es import reg2es

if __name__ == '__main__':
    # host must be passed as a string
    reg2es('/path/to/your/file.dat', host='localhost', port=9200, index='foobar')
With the Amazon Elasticsearch Service (ES):
$ reg2es /path/to/your/file.dat --host=example.us-east-1.es.amazonaws.com --port=443 --scheme=https --index=foobar
With credentials for Elastic Security:
$ reg2es /path/to/your/file.dat --host=localhost --port=9200 --index=foobar --login=elastic --pwd=******
Note: the current version does not verify the server's TLS certificate.
Appendix
Reg2json
Extra feature. :sushi: :sushi: :sushi:
Convert a Windows NT Registry (REGF) file to a JSON file.
$ reg2json /path/to/your/file.DAT /path/to/output/target.json
Convert a Windows NT Registry (REGF) file to a Python dict object.
from reg2es import reg2json

if __name__ == '__main__':
    filepath = '/path/to/your/file.DAT'
    result: dict = reg2json(filepath)
Output Format
The structure is not well optimized for searching with Elasticsearch. I'm waiting for your PR!!
{
  "ROOT": {
    "AppEvents": {
      "meta": {
        "last_written_time": "2015-10-30T07:24:57.814133"
      },
      "EventLabels": {
        "meta": {
          "last_written_time": "2015-10-30T07:25:51.735838"
        },
        "Default": {
          "meta": {
            "last_written_time": "2015-10-30T07:24:57.861009"
          },
          "_": {
            "type": 1,
            "identifier": "REG_SZ",
            "size": 26,
            "data": "Default Beep"
          },
          "DispFileName": {
            "type": 1,
            "identifier": "REG_SZ",
            "size": 34,
            "data": "@mmres.dll,-5824"
          }
        },
        "ActivatingDocument": {
          "meta": {
            "last_written_time": "2015-10-30T07:24:57.861009"
          },
          "_": {
            "type": 1,
            "identifier": "REG_SZ",
            "size": 40,
            "data": "Complete Navigation"
          },
          "DispFileName": {
            "type": 1,
            "identifier": "REG_SZ",
            "size": 40,
            "data": "@ieframe.dll,-10321"
          }
        }
        ...
      }
    }
  }
}
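One way to make that nested structure searchable, as an added example that is not part of reg2es: walk the reg2json() dict and emit one flat document per registry value (key path, value name, type, data, plus the parent key's last_written_time). SAMPLE_HIVE, is_value and flatten_hive are my own names; the sample dict is constructed to mirror the format above, and reporting the nameless "_" value as "(default)" is my convention.

```python
# Added example (not reg2es code): flatten the nested reg2json() output into one
# flat document per registry value, which is easier to query in Elasticsearch
# and keeps the number of distinct mapped fields small (see Known Issues).
from typing import Any, Dict, List, Optional

# Constructed sample mirroring the reg2json output format shown above; a real
# hive would be loaded with reg2json('/path/to/NTUSER.DAT') instead.
SAMPLE_HIVE: Dict[str, Any] = {
    "ROOT": {
        "AppEvents": {
            "meta": {"last_written_time": "2015-10-30T07:24:57.814133"},
            "EventLabels": {
                "meta": {"last_written_time": "2015-10-30T07:25:51.735838"},
                "Default": {
                    "meta": {"last_written_time": "2015-10-30T07:24:57.861009"},
                    "_": {"type": 1, "identifier": "REG_SZ", "size": 26, "data": "Default Beep"},
                    "DispFileName": {"type": 1, "identifier": "REG_SZ", "size": 34, "data": "@mmres.dll,-5824"},
                },
            },
        },
    },
}

VALUE_FIELDS = {"type", "identifier", "size", "data"}


def is_value(node: Any) -> bool:
    """A registry value in this format is a dict with exactly the four value fields."""
    return isinstance(node, dict) and set(node) == VALUE_FIELDS


def flatten_hive(tree: Dict[str, Any], path: str = "",
                 out: Optional[List[Dict[str, Any]]] = None) -> List[Dict[str, Any]]:
    """Walk the key tree depth-first, collecting one flat document per value.

    The key's last_written_time is copied onto each of its values; the nameless
    default value (stored as "_") is reported as "(default)", my own convention.
    """
    if out is None:
        out = []
    written = tree.get("meta", {}).get("last_written_time")
    for name, node in tree.items():
        if name == "meta":
            continue  # per-key metadata, already read above
        if is_value(node):
            out.append({"key_path": path, "value_name": "(default)" if name == "_" else name,
                        "type": node["identifier"], "size": node["size"],
                        "data": node["data"], "last_written_time": written})
        elif isinstance(node, dict):  # subkey: recurse with the extended path
            flatten_hive(node, f"{path}\\{name}" if path else name, out)
    return out
```

Each returned document is a flat, fixed-schema object, so bulk-indexing them needs only six mapped fields regardless of how many keys the hive contains.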
Installation
via PyPI
$ pip install reg2es
Known Issues
elasticsearch.exceptions.RequestError: RequestError(400, 'illegal_argument_exception', 'Limit of total fields [1000] in index [reg2es] has been exceeded')
A Windows NT Registry hive has a large number of elements per document and hits the initial value of the limit. Therefore, please use the --fields-limit option (default: 10000) to raise the limit.
$ reg2es --fields-limit 10000 NTUSER.DAT
Contributing
The source code for reg2es is hosted at GitHub, and you may download, fork, and review it from this repository (https://github.com/sumeshi/reg2es). Please report issues and feature requests. :sushi: :sushi: :sushi:
License
reg2es is released under the MIT License.
Powered by libregf.
File details: reg2es-1.0.1.tar.gz
- Download URL: reg2es-1.0.1.tar.gz
- Size: 10.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.0.5 CPython/3.7.0 Darwin/19.6.0
File hashes
Algorithm | Hash digest
---|---
SHA256 | 71a50ca97f68a34cf2980646dc8229bf2def4474d834bf2c302c905b3ce38467
MD5 | b6441de1681414a617dc59255b963d89
BLAKE2b-256 | 4b854fd998e7d2bf73a7e4bd82339ad42a144088f2834fae4b8768663551f93c
File details: reg2es-1.0.1-py3-none-any.whl
- Download URL: reg2es-1.0.1-py3-none-any.whl
- Size: 10.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.0.5 CPython/3.7.0 Darwin/19.6.0
File hashes
Algorithm | Hash digest
---|---
SHA256 | 67b079e5009a678f525ff63537f9d647a3037429446bedad1041698d32dffd2e
MD5 | 78a46bcd2c45275bcde217cc93221b1c
BLAKE2b-256 | efa541d8ba5e6e3517ce606bfd48ac3487ece3cd29142d7c1b38cb9ac7187dd0