plaso.parsers.syslog_plugins package

Submodules

plaso.parsers.syslog_plugins.cron module

This file contains a plugin for cron syslog entries.

class plaso.parsers.syslog_plugins.cron.CronSyslogPlugin[source]

Bases: SyslogPlugin

A syslog plugin for parsing cron messages.

DATA_FORMAT = 'Cron syslog line'

MESSAGE_GRAMMARS = [('task_run', {{{{{{{'(' W:(0-9A-Za-z)} ')'} 'CMD'} '('} Combine:(SkipTo:({')' StringEnd}))} ')'} StringEnd})]

NAME = 'cron'

REPORTER = 'CRON'

class plaso.parsers.syslog_plugins.cron.CronTaskRunEventData[source]

Bases: SyslogLineEventData

Cron task run event data.

command

command executed.

Type: str

username

name of user the command was executed.

Type: str

DATA_TYPE = 'syslog:cron:task_run'

plaso.parsers.syslog_plugins.interface module

This file contains the interface for syslog plugins.

class plaso.parsers.syslog_plugins.interface.SyslogPlugin[source]

Bases: BasePlugin

The interface for syslog plugins.

DATA_FORMAT = 'Syslog file'

MESSAGE_GRAMMARS = []

NAME = 'syslog_plugin'

Process(parser_mediator, date_time, syslog_tokens, **kwargs)[source]

Processes the data structure produced by the parser.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
date_time (dfdatetime.DateTimeValues) – date and time values.
syslog_tokens (dict[str, str]) – names of the fields extracted by the syslog parser and the matching grammar, and values are the values of those fields.

Raises

AttributeError – If the syslog_tokens do not include a ‘body’ attribute.
WrongPlugin – If the plugin is unable to parse the syslog tokens.

REPORTER = ''

plaso.parsers.syslog_plugins.ssh module

This file contains a plugin for SSH syslog entries.

class plaso.parsers.syslog_plugins.ssh.SSHEventData[source]

Bases: SyslogLineEventData

SSH event data.

address

IP address.

Type: str

authentication_method

authentication method.

Type: str

fingerprint

fingerprint.

Type: str

port

port.

Type: str

protocol

protocol.

Type: str

username

name of user the command was executed.

Type: str

class plaso.parsers.syslog_plugins.ssh.SSHFailedConnectionEventData[source]

Bases: SSHEventData

SSH failed connection event data.

DATA_TYPE = 'syslog:ssh:failed_connection'

class plaso.parsers.syslog_plugins.ssh.SSHLoginEventData[source]

Bases: SSHEventData

SSH login event data.

DATA_TYPE = 'syslog:ssh:login'

class plaso.parsers.syslog_plugins.ssh.SSHOpenedConnectionEventData[source]

Bases: SSHEventData

SSH opened connection event data.

DATA_TYPE = 'syslog:ssh:opened_connection'

class plaso.parsers.syslog_plugins.ssh.SSHSyslogPlugin[source]

Bases: SyslogPlugin

A plugin for creating events from syslog message produced by SSH.

DATA_FORMAT = 'SSH syslog line'

MESSAGE_GRAMMARS = [('login', {{{{{{{{'Accepted' {'password' | 'publickey'}} 'for'} W:(0-9A-Za-z)} 'from'} {IPv4 address | IPv6 address} 'port'} W:(0-9){1,5} 'ssh2'} [':' Combine:({'RSA ' W:(0-:A-Fa-f)})]} StringEnd}), ('failed_connection', {{{{{{'Failed' {'password' | 'publickey'}} 'for'} W:(0-9A-Za-z)} 'from'} {IPv4 address | IPv6 address} 'port'} W:(0-9){1,5} StringEnd}), ('opened_connection', {{{'Connection from' {IPv4 address | IPv6 address}} 'port'} W:(0-9){1,5} LineEnd})]

NAME = 'ssh'

REPORTER = 'sshd'

Module contents

Imports for the syslog parser.