Add: afterfact.rs for emit csv file

src/afterfact.rs

@@ -0,0 +1,31 @@
+use crate::detections::configs;
+use crate::detections::print;
+use chrono::{DateTime, TimeZone, Utc};
+use serde::Serialize;
+use std::error::Error;
+
+#[derive(Debug, Serialize)]
+#[serde(rename_all = "PascalCase")]
+pub struct CsvFormat<'a> {
+    time: DateTime<Utc>,
+    message: &'a str,
+}
+
+pub fn after_fact() -> Result<(), Box<dyn Error>> {
+    if let Some(csv_path) = configs::singleton().args.value_of("csv-timeline") {
+        let mut wtr = csv::Writer::from_path(csv_path)?;
+        let messages = print::MESSAGES.lock().unwrap();
+
+        for (time, texts) in messages.iter() {
+            for text in texts {
+                wtr.serialize(CsvFormat {
+                    time: *time,
+                    message: text,
+                })?;
+            }
+        }
+        wtr.flush()?;
+    }
+
+    Ok(())
+}

src/detections/print.rs

@@ -45,6 +45,10 @@ impl Message {
     pub fn debug(&self) {
         println!("{:?}", self.map);
     }
+
+    pub fn iter(&self) -> &BTreeMap<DateTime<Utc>, Vec<String>> {
+        &self.map
+    }
 }
 
 #[test]

src/lib.rs

@@ -1,3 +1,4 @@
+pub mod afterfact;
 pub mod detections;
 pub mod models;
 pub mod omikuji;

src/main.rs

@@ -1,8 +1,11 @@
 extern crate serde;
+#[macro_use]
+extern crate serde_derive;
 
 use evtx::EvtxParser;
 use quick_xml::de::DeError;
 use std::{fs, path::PathBuf, process};
+use yamato_event_analyzer::afterfact::after_fact;
 use yamato_event_analyzer::detections::configs;
 use yamato_event_analyzer::detections::detection;
 use yamato_event_analyzer::omikuji::Omikuji;
@@ -17,6 +20,10 @@ fn main() -> Result<(), DeError> {
         parse_file(&filepath);
     }
 
+    if let Err(err) = after_fact() {
+        println!("{}", err);
+    }
+
     Ok(())
 }