plaso.parsers.syslog_plugins package

Submodules

plaso.parsers.syslog_plugins.cron module

This file contains a plugin for cron syslog entries.

class plaso.parsers.syslog_plugins.cron.CronSyslogPlugin

Bases: plaso.parsers.syslog_plugins.interface.SyslogPlugin

A syslog plugin for parsing cron messages.

DESCRIPTION = 'Parser for syslog cron messages.'
MESSAGE_GRAMMARS = [('task_run', {{{{{{{"(" W:(ABCD...)} ")"} "CMD"} "("} Combine:(SkipTo:({")" StringEnd}))} ")"} StringEnd})]
NAME = 'cron'
ParseMessage(parser_mediator, key, date_time, tokens)

Parses a syslog body that matched one of the defined grammars.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • key (str) – name of the matching grammar.

  • date_time (dfdatetime.DateTimeValues) – date and time values.

  • tokens (dict[str, str]) – tokens derived from a syslog message based on the defined grammar.

Raises
  • ValueError – If an unknown key is provided.

REPORTER = 'CRON'
class plaso.parsers.syslog_plugins.cron.CronTaskRunEventData

Bases: plaso.parsers.syslog.SyslogLineEventData

Cron task run event data.

command

command executed.

Type

str

username

name of the user the command was executed as.

Type

str

DATA_TYPE = 'syslog:cron:task_run'

plaso.parsers.syslog_plugins.interface module

This file contains the interface for syslog plugins.

class plaso.parsers.syslog_plugins.interface.SyslogPlugin

Bases: plaso.parsers.plugins.BasePlugin

The interface for syslog plugins.

DESCRIPTION = ''
MESSAGE_GRAMMARS = []
NAME = 'syslog_plugin'
abstract ParseMessage(parser_mediator, key, date_time, tokens)

Parses a syslog body that matched one of the grammars the plugin defined.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • key (str) – name of the parsed structure.

  • date_time (dfdatetime.DateTimeValues) – date and time values.

  • tokens (dict[str, str]) – names of the fields extracted by the syslog parser and the matching grammar, and values are the values of those fields.

Process(parser_mediator, date_time, syslog_tokens, **kwargs)

Processes the data structure produced by the parser.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • date_time (dfdatetime.DateTimeValues) – date and time values.

  • syslog_tokens (dict[str, str]) – names of the fields extracted by the syslog parser and the matching grammar, and values are the values of those fields.

Raises
  • AttributeError – If the syslog_tokens do not include a ‘body’ attribute.

  • WrongPlugin – If the plugin is unable to parse the syslog tokens.

REPORTER = ''

plaso.parsers.syslog_plugins.ssh module

This file contains a plugin for SSH syslog entries.

class plaso.parsers.syslog_plugins.ssh.SSHEventData

Bases: plaso.parsers.syslog.SyslogLineEventData

SSH event data.

address

IP address.

Type

str

authentication_method

authentication method.

Type

str

fingerprint

fingerprint.

Type

str

port

port.

Type

str

protocol

protocol.

Type

str

username

name of the user the command was executed as.

Type

str

class plaso.parsers.syslog_plugins.ssh.SSHFailedConnectionEventData

Bases: plaso.parsers.syslog_plugins.ssh.SSHEventData

SSH failed connection event data.

DATA_TYPE = 'syslog:ssh:failed_connection'
class plaso.parsers.syslog_plugins.ssh.SSHLoginEventData

Bases: plaso.parsers.syslog_plugins.ssh.SSHEventData

SSH login event data.

DATA_TYPE = 'syslog:ssh:login'
class plaso.parsers.syslog_plugins.ssh.SSHOpenedConnectionEventData

Bases: plaso.parsers.syslog_plugins.ssh.SSHEventData

SSH opened connection event data.

DATA_TYPE = 'syslog:ssh:opened_connection'
class plaso.parsers.syslog_plugins.ssh.SSHSyslogPlugin

Bases: plaso.parsers.syslog_plugins.interface.SyslogPlugin

A plugin for creating events from syslog messages produced by SSH.

DESCRIPTION = 'Parser for SSH syslog entries.'
MESSAGE_GRAMMARS = [('login', {{{{{{{{{{"Accepted" {"password" | "publickey"}} "for"} W:(ABCD...)} "from"} {IPv4 address | IPv6 address}} "port"} W:(0123...)} "ssh2"} [{":" Combine:({"RSA " W:(:012...)})}]} StringEnd}), ('failed_connection', {{{{{{{{"Failed" {"password" | "publickey"}} "for"} W:(ABCD...)} "from"} {IPv4 address | IPv6 address}} "port"} W:(0123...)} StringEnd}), ('opened_connection', {{{{"Connection from" {IPv4 address | IPv6 address}} "port"} W:(0123...)} LineEnd})]
NAME = 'ssh'
ParseMessage(parser_mediator, key, date_time, tokens)

Produces an event from a syslog body that matched one of the grammars.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • key (str) – name of the matching grammar.

  • date_time (dfdatetime.DateTimeValues) – date and time values.

  • tokens (dict[str, str]) – tokens derived from a syslog message based on the defined grammar.

Raises
  • ValueError – If an unknown key is provided.

REPORTER = 'sshd'
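The MESSAGE_GRAMMARS above are pyparsing reprs of what the cron and SSH plugins accept as a syslog body, and Process/ParseMessage describe how a body is matched against them and turned into event data. The following added example is not plaso's code: it restates those grammars as Python regular expressions (a stand-in for pyparsing, so it runs with the standard library only), applies the same first-match-wins dispatch, and reproduces the WrongPlugin, AttributeError and ValueError behaviour documented for Process and ParseMessage. The WrongPlugin class, the helper names and the sample bodies are constructed for illustration; the DATA_TYPE strings are the ones listed on this page.

```python
import re

# Added example, not plaso's own code. Regular expressions approximate the
# pyparsing grammars shown on this page: W:(ABCD...) is an alphanumeric word,
# W:(0123...) a run of digits, "IPv4 address | IPv6 address" an address.


class WrongPlugin(Exception):
    """Raised when none of a plugin's grammars matches the syslog body."""


_IPV4 = r'(?:\d{1,3}\.){3}\d{1,3}'
_IPV6 = r'[0-9A-Fa-f:]+'  # loose approximation of pyparsing's IPv6 helper
_ADDRESS = r'(?P<address>' + _IPV4 + '|' + _IPV6 + ')'
_AUTH = r'(?P<authentication_method>password|publickey)'
_USERNAME = r'(?P<username>[A-Za-z0-9]+)'  # single alphanumeric word, as on the page
_PORT = r'(?P<port>\d+)'

# Order matters: the first grammar that matches decides the key.
SSH_GRAMMARS = [
    ('login', re.compile(
        r'^Accepted ' + _AUTH + r' for ' + _USERNAME + r' from ' + _ADDRESS +
        r' port ' + _PORT + r' ssh2(?:: (?P<fingerprint>RSA [0-9A-Fa-f:]+))?$')),
    ('failed_connection', re.compile(
        r'^Failed ' + _AUTH + r' for ' + _USERNAME + r' from ' + _ADDRESS +
        r' port ' + _PORT + r'$')),
    ('opened_connection', re.compile(
        r'^Connection from ' + _ADDRESS + r' port ' + _PORT + r'$')),
]

CRON_GRAMMARS = [
    # "(" user ")" "CMD" "(" everything up to the final ")" ")"
    ('task_run', re.compile(
        r'^\(' + _USERNAME + r'\) CMD \((?P<command>.*)\)$')),
]

# DATA_TYPE values as documented for the event data classes on this page.
DATA_TYPES = {
    'login': 'syslog:ssh:login',
    'failed_connection': 'syslog:ssh:failed_connection',
    'opened_connection': 'syslog:ssh:opened_connection',
    'task_run': 'syslog:cron:task_run',
}


def match_body(grammars, body):
    """Returns (key, tokens) for the first grammar matching the body.

    Mirrors the documented Process behaviour: WrongPlugin when no grammar
    matches. Optional groups that did not participate are left out of tokens.
    """
    for key, pattern in grammars:
        match = pattern.match(body)
        if match:
            tokens = {name: value for name, value in match.groupdict().items()
                      if value is not None}
            return key, tokens
    raise WrongPlugin('no grammar matched body: {0:s}'.format(body))


def grammar_key(grammars, body):
    """Returns the matching grammar key, or None when the plugin would decline."""
    try:
        return match_body(grammars, body)[0]
    except WrongPlugin:
        return None


def process(grammars, syslog_tokens):
    """Builds an event-data dict from syslog tokens, like Process + ParseMessage."""
    if 'body' not in syslog_tokens:
        raise AttributeError('syslog_tokens has no body attribute')
    key, tokens = match_body(grammars, syslog_tokens['body'])
    if key not in DATA_TYPES:
        raise ValueError('unknown key: {0:s}'.format(key))
    event_data = {'data_type': DATA_TYPES[key]}
    event_data.update(tokens)
    return event_data


if __name__ == '__main__':
    # Constructed sample bodies (the part after the "sshd[pid]: " or
    # "CRON[pid]: " reporter prefix that the syslog parser strips off).
    samples = [
        (SSH_GRAMMARS, 'Accepted password for alice from 192.0.2.10 port 51322 ssh2'),
        (SSH_GRAMMARS, 'Failed password for alice from 192.0.2.55 port 33001'),
        (SSH_GRAMMARS, 'Connection from 198.51.100.7 port 22000'),
        (CRON_GRAMMARS, '(root) CMD (cd / && run-parts --report /etc/cron.hourly)'),
    ]
    for grammars, body in samples:
        print(process(grammars, {'body': body}))
```

Two practical caveats follow directly from the grammars as shown: the username is a single alphanumeric word, so a body such as "Failed password for invalid user admin from ..." (or a username containing "-" or "_") matches none of the SSH grammars and the plugin declines with WrongPlugin rather than producing a failed_connection event; and the plugin is only consulted for lines whose reporter equals REPORTER ('sshd' or 'CRON'), so a mismatch there silently yields no event either. When auditing authentication timelines, compare the event count against a raw grep of the log for these message shapes to spot what the grammars skipped.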

Module contents

Imports for the syslog parser.