plaso.parsers.syslog_plugins package¶
Submodules¶
plaso.parsers.syslog_plugins.cron module¶
This file contains a plugin for cron syslog entries.
- class plaso.parsers.syslog_plugins.cron.CronSyslogPlugin[source]¶
Bases:
plaso.parsers.syslog_plugins.interface.SyslogPluginA syslog plugin for parsing cron messages.
- DATA_FORMAT = 'Cron syslog line'¶
- MESSAGE_GRAMMARS = [('task_run', {{{{{{{"(" W:(ABCD...)} ")"} "CMD"} "("} Combine:(SkipTo:({")" StringEnd}))} ")"} StringEnd})]¶
- NAME = 'cron'¶
- REPORTER = 'CRON'¶
plaso.parsers.syslog_plugins.interface module¶
This file contains the interface for syslog plugins.
- class plaso.parsers.syslog_plugins.interface.SyslogPlugin[source]¶
Bases:
plaso.parsers.plugins.BasePluginThe interface for syslog plugins.
- DATA_FORMAT = 'Syslog file'¶
- MESSAGE_GRAMMARS = []¶
- NAME = 'syslog_plugin'¶
- Process(parser_mediator, date_time, syslog_tokens, **kwargs)[source]¶
Processes the data structure produced by the parser.
- Parameters
parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
date_time (dfdatetime.DateTimeValues) – date and time values.
syslog_tokens (dict[str, str]) – names of the fields extracted by the syslog parser and the matching grammar, and values are the values of those fields.
- Raises
AttributeError – If the syslog_tokens do not include a ‘body’ attribute.
WrongPlugin – If the plugin is unable to parse the syslog tokens.
- REPORTER = ''¶
plaso.parsers.syslog_plugins.ssh module¶
This file contains a plugin for SSH syslog entries.
- class plaso.parsers.syslog_plugins.ssh.SSHEventData[source]¶
Bases:
plaso.parsers.syslog.SyslogLineEventDataSSH event data.
- address¶
IP address.
- Type
str
- authentication_method¶
authentication method.
- Type
str
- fingerprint¶
fingerprint.
- Type
str
- port¶
port.
- Type
str
- protocol¶
protocol.
- Type
str
- username¶
name of user the command was executed.
- Type
str
- class plaso.parsers.syslog_plugins.ssh.SSHFailedConnectionEventData[source]¶
Bases:
plaso.parsers.syslog_plugins.ssh.SSHEventDataSSH failed connection event data.
- DATA_TYPE = 'syslog:ssh:failed_connection'¶
- class plaso.parsers.syslog_plugins.ssh.SSHLoginEventData[source]¶
Bases:
plaso.parsers.syslog_plugins.ssh.SSHEventDataSSH login event data.
- DATA_TYPE = 'syslog:ssh:login'¶
- class plaso.parsers.syslog_plugins.ssh.SSHOpenedConnectionEventData[source]¶
Bases:
plaso.parsers.syslog_plugins.ssh.SSHEventDataSSH opened connection event data.
- DATA_TYPE = 'syslog:ssh:opened_connection'¶
- class plaso.parsers.syslog_plugins.ssh.SSHSyslogPlugin[source]¶
Bases:
plaso.parsers.syslog_plugins.interface.SyslogPluginA plugin for creating events from syslog message produced by SSH.
- DATA_FORMAT = 'SSH syslog line'¶
- MESSAGE_GRAMMARS = [('login', {{{{{{{{{{"Accepted" {"password" | "publickey"}} "for"} W:(ABCD...)} "from"} {IPv4 address | IPv6 address}} "port"} W:(0123...)} "ssh2"} [{":" Combine:({"RSA " W:(:012...)})}]} StringEnd}), ('failed_connection', {{{{{{{{"Failed" {"password" | "publickey"}} "for"} W:(ABCD...)} "from"} {IPv4 address | IPv6 address}} "port"} W:(0123...)} StringEnd}), ('opened_connection', {{{{"Connection from" {IPv4 address | IPv6 address}} "port"} W:(0123...)} LineEnd})]¶
- NAME = 'ssh'¶
- REPORTER = 'sshd'¶
Module contents¶
Imports for the syslog parser.