plaso.parsers.syslog_plugins package
Submodules
plaso.parsers.syslog_plugins.cron module
This file contains a plugin for cron syslog entries.
- class plaso.parsers.syslog_plugins.cron.CronSyslogPlugin
Bases: SyslogPlugin
A syslog plugin for parsing cron messages.
- DATA_FORMAT = 'Cron syslog line'
- MESSAGE_GRAMMARS = [('task_run', {{{{{{{'(' W:(0-9A-Za-z)} ')'} 'CMD'} '('} Combine:(SkipTo:({')' StringEnd}))} ')'} StringEnd})]
- NAME = 'cron'
- REPORTER = 'CRON'
plaso.parsers.syslog_plugins.interface module
This file contains the interface for syslog plugins.
- class plaso.parsers.syslog_plugins.interface.SyslogPlugin
Bases: BasePlugin
The interface for syslog plugins.
- DATA_FORMAT = 'Syslog file'
- MESSAGE_GRAMMARS = []
- NAME = 'syslog_plugin'
- Process(parser_mediator, date_time, syslog_tokens, **kwargs)
Processes the data structure produced by the parser.
- Parameters
parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
date_time (dfdatetime.DateTimeValues) – date and time values.
syslog_tokens (dict[str, str]) – maps the names of the fields extracted by the syslog parser and the matching grammar to the values of those fields.
- Raises
AttributeError – If the syslog_tokens do not include a 'body' attribute.
WrongPlugin – If the plugin is unable to parse the syslog tokens.
- REPORTER = ''
plaso.parsers.syslog_plugins.ssh module
This file contains a plugin for SSH syslog entries.
- class plaso.parsers.syslog_plugins.ssh.SSHEventData
Bases: SyslogLineEventData
SSH event data.
- address (str): IP address.
- authentication_method (str): authentication method.
- fingerprint (str): fingerprint.
- port (str): port.
- protocol (str): protocol.
- username (str): name of the user under which the command was executed.
- class plaso.parsers.syslog_plugins.ssh.SSHFailedConnectionEventData
Bases: SSHEventData
SSH failed connection event data.
- DATA_TYPE = 'syslog:ssh:failed_connection'
- class plaso.parsers.syslog_plugins.ssh.SSHLoginEventData
Bases: SSHEventData
SSH login event data.
- DATA_TYPE = 'syslog:ssh:login'
- class plaso.parsers.syslog_plugins.ssh.SSHOpenedConnectionEventData
Bases: SSHEventData
SSH opened connection event data.
- DATA_TYPE = 'syslog:ssh:opened_connection'
- class plaso.parsers.syslog_plugins.ssh.SSHSyslogPlugin
Bases: SyslogPlugin
A plugin for creating events from syslog messages produced by SSH.
- DATA_FORMAT = 'SSH syslog line'
- MESSAGE_GRAMMARS = [('login', {{{{{{{{'Accepted' {'password' | 'publickey'}} 'for'} W:(0-9A-Za-z)} 'from'} {IPv4 address | IPv6 address} 'port'} W:(0-9){1,5} 'ssh2'} [':' Combine:({'RSA ' W:(0-:A-Fa-f)})]} StringEnd}), ('failed_connection', {{{{{{'Failed' {'password' | 'publickey'}} 'for'} W:(0-9A-Za-z)} 'from'} {IPv4 address | IPv6 address} 'port'} W:(0-9){1,5} StringEnd}), ('opened_connection', {{{'Connection from' {IPv4 address | IPv6 address}} 'port'} W:(0-9){1,5} LineEnd})]
- NAME = 'ssh'
- REPORTER = 'sshd'
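The three SSH grammars and the Process() contract above, emulated as an added example that is not plaso's own code: the pyparsing grammars are re-expressed as standard-library regular expressions, the word classes are carried over literally (username W:(0-9A-Za-z), port W:(0-9){1,5}, fingerprint W:(0-:A-Fa-f)), and the IPv4/IPv6 terms are stood in for by the ipaddress module. The syslog_tokens keys 'reporter' and 'body', the local WrongPlugin class, the 'protocol' value and the sample log bodies are all constructed assumptions for this example.

```python
"""Stand-in for the SSH syslog grammars documented for plaso's SSHSyslogPlugin.

Added example, not plaso code: stdlib regexes emulate MESSAGE_GRAMMARS and the
Process() contract. Event field names follow SSHEventData; the syslog_tokens
keys ('reporter', 'body') are an assumption about what the syslog parser supplies.
"""
import ipaddress
import re

# DATA_TYPE values and REPORTER as documented for the SSH plugin.
DATA_TYPE_LOGIN = 'syslog:ssh:login'
DATA_TYPE_FAILED = 'syslog:ssh:failed_connection'
DATA_TYPE_OPENED = 'syslog:ssh:opened_connection'
REPORTER = 'sshd'


class WrongPlugin(Exception):
    """Local stand-in (assumed name) for the WrongPlugin error Process() documents."""


# Regex equivalents of the pyparsing word classes in MESSAGE_GRAMMARS:
#   W:(0-9A-Za-z)  -> [0-9A-Za-z]+    (username)
#   W:(0-9){1,5}   -> [0-9]{1,5}      (port)
#   W:(0-:A-Fa-f)  -> [0-9:A-Fa-f]+   (fingerprint: hex digits and colons only)
# The address is captured loosely and validated with ipaddress afterwards.
_METHOD = r'(?P<authentication_method>password|publickey)'
_USER = r'(?P<username>[0-9A-Za-z]+)'
_ADDR = r'(?P<address>[0-9A-Fa-f.:]+)'
_PORT = r'(?P<port>[0-9]{1,5})'

_GRAMMARS = (
    (DATA_TYPE_LOGIN, re.compile(
        rf'^Accepted {_METHOD} for {_USER} from {_ADDR} port {_PORT} ssh2'
        r'(?:: RSA (?P<fingerprint>[0-9:A-Fa-f]+))?$')),
    (DATA_TYPE_FAILED, re.compile(
        rf'^Failed {_METHOD} for {_USER} from {_ADDR} port {_PORT}$')),
    (DATA_TYPE_OPENED, re.compile(
        rf'^Connection from {_ADDR} port {_PORT}$')),
)


def parse_ssh_body(body):
    """Try the three grammars in order; return an SSHEventData-like dict or None."""
    for data_type, pattern in _GRAMMARS:
        match = pattern.match(body)
        if match is None:
            continue
        fields = match.groupdict()
        try:
            ipaddress.ip_address(fields['address'])  # stands in for the IPv4/IPv6 terms
        except ValueError:
            continue
        return {
            'data_type': data_type,
            'address': fields['address'],
            'port': fields['port'],
            'protocol': 'ssh',  # assumed constant; the page does not document its value
            'username': fields.get('username'),
            'authentication_method': fields.get('authentication_method'),
            'fingerprint': fields.get('fingerprint'),
        }
    return None


def process_tokens(syslog_tokens):
    """Mirror of the documented Process() contract, minus mediator and date_time.

    AttributeError when 'body' is missing, WrongPlugin when the reporter is not
    sshd or no grammar matches the body.
    """
    if 'body' not in syslog_tokens:
        raise AttributeError('syslog_tokens do not include a body')
    if syslog_tokens.get('reporter') != REPORTER:
        raise WrongPlugin('reporter is not %s' % REPORTER)
    event = parse_ssh_body(syslog_tokens['body'])
    if event is None:
        raise WrongPlugin('body does not match any SSH grammar')
    return event


def failed_connections_by_address(token_dicts):
    """Defender-side use of the events: tally failed_connection events per source address."""
    counts = {}
    for tokens in token_dicts:
        try:
            event = process_tokens(tokens)
        except WrongPlugin:
            continue
        if event['data_type'] == DATA_TYPE_FAILED:
            counts[event['address']] = counts.get(event['address'], 0) + 1
    return counts


# Constructed sample tokens (not real log data); the bodies follow the documented grammars.
SAMPLE_TOKENS = [
    {'reporter': 'sshd', 'body': 'Accepted publickey for alice from 192.0.2.10 port 51022 ssh2'
                                 ': RSA 3f:9a:1c:00:ab:cd:ef:01:23:45:67:89:ab:cd:ef:02'},
    {'reporter': 'sshd', 'body': 'Failed password for root from 198.51.100.7 port 40011'},
    {'reporter': 'sshd', 'body': 'Failed password for root from 198.51.100.7 port 40012'},
    {'reporter': 'sshd', 'body': 'Connection from 2001:db8::1 port 2222'},
    {'reporter': 'cron', 'body': '(root) CMD (run-parts /etc/cron.hourly)'},
]

if __name__ == '__main__':
    for tokens in SAMPLE_TOKENS:
        try:
            print(process_tokens(tokens))
        except WrongPlugin as exc:
            print('skipped:', exc)
    print(failed_connections_by_address(SAMPLE_TOKENS))
```

Two properties of the documented grammars are worth knowing when checking coverage of real sshd output, and the emulation above reproduces them deliberately: the failed_connection grammar ends at StringEnd directly after the port, so a body with anything after the port number (OpenSSH commonly appends " ssh2") does not match, and the fingerprint word class admits only hex digits and colons, so a fingerprint written in another notation is not captured. Lines that fall outside the grammars are not lost by plaso; they are simply not turned into the SSH-specific event types listed above.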
Module contents
Imports for the syslog parser.