# -*- coding: utf-8 -*-
"""An output module that saves events to Elasticsearch."""
from __future__ import unicode_literals
from plaso.output import logger
from plaso.output import manager
from plaso.output import shared_elastic
class ElasticsearchOutputModule(shared_elastic.SharedElasticsearchOutputModule):
  """Output module that writes plaso events to an Elasticsearch index.

  Connection handling and the actual event writes are inherited from
  SharedElasticsearchOutputModule (see plaso.output.shared_elastic); this
  subclass only adds the option to emit raw (non-analyzed) multi-fields.
  """

  NAME = 'elastic'
  DESCRIPTION = 'Saves the events into an Elasticsearch database.'

  # Elasticsearch will not analyze string values longer than this many
  # characters. Where this limit is applied is not visible in this module;
  # presumably the shared base class consults it.
  _ELASTIC_ANALYZER_STRING_LIMIT = 10922

  def __init__(self, output_mediator):
    """Initializes an Elasticsearch output module.

    Args:
      output_mediator (OutputMediator): mediates interactions between output
          modules and other components, such as storage and dfvfs.
    """
    super(ElasticsearchOutputModule, self).__init__(output_mediator)
    # Raw (non-analyzed) fields stay off until SetRawFields() turns them on.
    self._raw_fields = False

  def SetRawFields(self, raw_fields):
    """Enables or disables raw (non-analyzed) fields.

    Raw multi-fields keep an unanalyzed copy of a string value next to the
    analyzed one, which Elasticsearch needs for exact-match sorting and
    aggregations:
    https://www.elastic.co/guide/en/elasticsearch/guide/current/multi-fields.html

    Args:
      raw_fields (bool): True if raw (non-analyzed) fields should be added.
    """
    self._raw_fields = raw_fields

    # Only the debug message differs between the two states.
    message = (
        'Elasticsearch adding raw (non-analyzed) fields.' if raw_fields
        else 'Elasticsearch not adding raw (non-analyzed) fields.')
    logger.debug(message)
# Register the module with the output manager. It is registered as disabled
# when the elasticsearch client library could not be imported, which
# shared_elastic signals by leaving shared_elastic.elasticsearch set to None.
manager.OutputManager.RegisterOutput(
    ElasticsearchOutputModule,
    disabled=(shared_elastic.elasticsearch is None))