plaso.parsers.text_plugins package

Submodules

plaso.parsers.text_plugins.android_logcat module

Text parser plugin for Android logcat files.

Android logcat can have a number of output formats. This parser supports: * ‘threadtime’ format * ‘time’ format

The log file format is: date time PID-TID/package priority/tag: message

For example: 12-10 13:02:50.071 1901-4229/com.google.android.gms V/AuthZen: Handling delegate intent.

Where priority is: V: Verbose (lowest priority) D: Debug I: Info W: Warning E: Error A: Assert

In addition, support for the format modifiers: * date with a year * user identifier (uid) * microseconds fraction of second precision (usec) * time zone offset

Also see:

https://developer.android.com/studio/debug/logcat

class plaso.parsers.text_plugins.android_logcat.AndroidLogcatEventData(*args: Any, **kwargs: Any)

Bases: EventData

Android logcat event data.

component_tag

the tag that indicates the system component from which the logcat line originates.

Type

str

file_offset

the file offset of where the log message was parsed.

Type

int

message

the log message.

Type

str

pid

process identifier (PID) that created the logcat line.

Type

int

priority

a character in the set {V, D, I, W, E, F, S}, which is ordered from lowest to highest priority.

Type

str

recorded_time

date and time the log entry was recorded.

Type

dfdatetime.DateTimeValues

thread_identifier

thread identifier (TID) that created the logcat line.

Type

int

user_identifier

the user identifier (UID) or Android ID of the logged process.

Type

int

DATA_TYPE = 'android:logcat'

class plaso.parsers.text_plugins.android_logcat.AndroidLogcatTextPlugin

Bases: TextPlugin, YearLessLogFormatHelper

Text parser plugin for Android logcat files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

DATA_FORMAT = 'Android logcat file'

ENCODING = 'utf-8'

NAME = 'android_logcat'

VERIFICATION_GRAMMAR = {{{Suppress:('--------- beginning of ') events | kernel | main | radio | system} Suppress:(LineEnd)} ^ {{{{{{{{W:(0-9){4} Suppress:('-')} W:(0-9){2} Suppress:('-')} W:(0-9){2} ^ {W:(0-9){2} Suppress:('-')} W:(0-9){2}} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:('.')} {W:(0-9){3} ^ W:(0-9){6} [(+-) W:(0-9){2}} W:(0-9){2]} {{{{{W:(0-9) {W:(0-9) W:(0-9)}} ^ {W:(0-9) W:(0-9)}} (D-FISVW)} [W:( -9;-~)]} ^ {{{(D-FISVW) Suppress:('/')} W:( -')-~)} Suppress:('(')} {W:(0-9) ^ {{W:(0-9) Suppress:(':')} W:(0-9)} Suppress:(')')} Suppress:(': ')} rest of line} Suppress:(LineEnd)}}

plaso.parsers.text_plugins.apache_access module

Text parser plugin for Apache access log (access.log) files.

Parser based on the two default apache formats, common and combined log format defined in https://httpd.apache.org/docs/2.4/logs.html

class plaso.parsers.text_plugins.apache_access.ApacheAccessLogEventData(*args: Any, **kwargs: Any)

Bases: EventData

Apache access log event data.

http_request_referer

http request referer header information.

Type

str

http_request

first line of http request.

Type

str

http_request_user_agent

http request user agent header information.

Type

str

http_response_bytes

http response bytes size without headers.

Type

int

http_response_code

http response code from server.

Type

int

ip_address

IPv4 or IPv6 addresses.

Type

str

port_number

canonical port of the server serving the request.

Type

int

recorded_time

date and time the log entry was recorded.

Type

dfdatetime.DateTimeValues

remote_name

remote logname (from identd, if supplied).

Type

str

server_name

canonical hostname of the server serving the request.

Type

str

user_name

logged user name.

Type

str

DATA_TYPE = 'apache:access_log:entry'

class plaso.parsers.text_plugins.apache_access.ApacheAccessLogTextPlugin

Bases: TextPlugin

Text parser plugin for Apache access log (access.log) files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

DATA_FORMAT = 'Apache access log (access.log) file'

NAME = 'apache_access'

VERIFICATION_GRAMMAR = {{{{{{{IPv4 address | IPv6 address} {W:(0-9A-Za-z) | '-'} {{W:(.0-9@-Za-z) | W:(0-9A-Za-z)} | '-'} Group:({{{{{{{Suppress:('[') W:(0-9){2}} Suppress:('/')} W:(A-Za-z){3} Suppress:('/')} W:(0-9){4} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} {(+-) W:(0-9){2}} W:(0-9){2} Suppress:(']')})} {{Suppress:('"') Group:({{CONNECT | DELETE | GET | HEAD | OPTIONS | PATCH | POST | PUT | TRACE Re:('\S*')} Combine:({'HTTP/' W:(.0-9)})})} Suppress:('"')} W:(0-9)} {'-' | W:(0-9)} string enclosed in '"'} {{Suppress:('"') !W:(")} Suppress:('"')} Suppress:(LineEnd)} ^ {{{{IPv4 address | IPv6 address} {W:(0-9A-Za-z) | '-'} {{W:(.0-9@-Za-z) | W:(0-9A-Za-z)} | '-'} Group:({{{{{{{Suppress:('[') W:(0-9){2}} Suppress:('/')} W:(A-Za-z){3} Suppress:('/')} W:(0-9){4} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} {(+-) W:(0-9){2}} W:(0-9){2} Suppress:(']')})} {{Suppress:('"') Group:({{CONNECT | DELETE | GET | HEAD | OPTIONS | PATCH | POST | PUT | TRACE Re:('\S*')} Combine:({'HTTP/' W:(.0-9)})})} Suppress:('"')} W:(0-9)} {'-' | W:(0-9)} Suppress:(LineEnd)}} ^ {{{{{{W:(-.0-9A-Za-z) Suppress:(':')} W:(0-9)} {IPv4 address | IPv6 address} {W:(0-9A-Za-z) | '-'} {{W:(.0-9@-Za-z) | W:(0-9A-Za-z)} | '-'} Group:({{{{{{{Suppress:('[') W:(0-9){2}} Suppress:('/')} W:(A-Za-z){3} Suppress:('/')} W:(0-9){4} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} {(+-) W:(0-9){2}} W:(0-9){2} Suppress:(']')})} {{Suppress:('"') Group:({{CONNECT | DELETE | GET | HEAD | OPTIONS | PATCH | POST | PUT | TRACE Re:('\S*')} Combine:({'HTTP/' W:(.0-9)})})} Suppress:('"')} W:(0-9)} {'-' | W:(0-9)} string enclosed in '"'} {{Suppress:('"') !W:(")} Suppress:('"')} Suppress:(LineEnd)}}

VERIFICATION_LITERALS = ['"CONNECT ', '"DELETE ', '"GET ', '"HEAD ', ' HTTP/', '"OPTIONS ', '"PATCH ', '"POST ', '"PUT ', '"TRACE ']

plaso.parsers.text_plugins.apt_history module

Text parser plugin for Advanced Packaging Tool (APT) History log files.

class plaso.parsers.text_plugins.apt_history.APTHistoryLogEventData(*args: Any, **kwargs: Any)

Bases: EventData

APT History log event data.

command

command.

Type

str

command_line

command line.

Type

str

end_time

date and time the end of the log entry was added.

Type

dfdatetime.DateTimeValues

error

reported error.

Type

str

packages

packages that were affected.

Type

str

requester

user requesting the activity.

Type

str

start_time

date and time the start of the log entry was added.

Type

dfdatetime.DateTimeValues

DATA_TYPE = 'linux:apt_history_log:entry'

class plaso.parsers.text_plugins.apt_history.APTHistoryLogTextPlugin

Bases: TextPlugin

Text parser plugin for Advanced Packaging Tool (APT) History log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

DATA_FORMAT = 'Advanced Packaging Tool (APT) History log file'

ENCODING = 'utf-8'

NAME = 'apt_history'

VERIFICATION_GRAMMAR = {[Suppress:(LineEnd)]... {{'Start-Date:' Group:({{{{W:(0-9){4} Suppress:('-')} W:(0-9){2} Suppress:('-')} W:(0-9){2} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2})} Suppress:(LineEnd)}}

VERIFICATION_LITERALS = ['Commandline:', 'Downgrade:', 'Error:', 'Install:', 'Purge:', 'Remove:', 'Requested-By:', 'Start-Date:', 'Upgrade:']

plaso.parsers.text_plugins.aws_elb_access module

Text parser plugin for AWS ELB access logs.

The AWS documentation is not clear about the meaning of the “target_port_list” field. The assumption is that it refers to a list of possible backend instances’ IP addresses that could receive the client’s request. This parser stores the “target_port_list” data in the “destination_list” attribute of an EventData object.

Also see:

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/access-log-collection.html https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-access-logs.html

class plaso.parsers.text_plugins.aws_elb_access.AWSELBEventData(*args: Any, **kwargs: Any)

Bases: EventData

AWS Elastic Load Balancer access log event data.

actions_executed

The actions taken when processing the request.

Type

str

alpn_back_end_protocol

The application protocol negotiated with the target, in string format. If no ALPN policy is configured in the TLS listener, no matching protocol is found, or no valid protocol list is sent, this value is set to -. (only for network load balancer logs)

Type

str

alpn_client_preference_list

The value of the application_layer_protocol_negotiation extension in the client hello message. This value is URL-encoded. Each protocol is enclosed in double quotes and protocols are separated by a comma. If no ALPN policy is configured in the TLS listener, no valid client hello message is sent, or the extension is not present, this value is set to -. The string is truncated if it is longer than 256 bytes. (only for network load balancer logs)

Type

str

alpn_front_end_protocol

The application protocol negotiated with the client, in string format. If no ALPN policy is configured in the TLS listener, no matching protocol is found, or no valid protocol list is sent, this value is set to -. (only for network load balancer logs)

Type

str

chosen_cert_arn

The ARN of the certificate presented to the source.

Type

str

chosen_cert_serial

Reserved for future use. This value is always set to -. (only for network load balancer logs)

Type

str

classification

The classification for desync mitigation.

Type

str

classification_reason

The classification reason code.

Type

str

connection_duration

duration of the connection to complete, from start to closure, in milliseconds. (only for network load balancer logs)

Type

str

destination_group_arn

The Amazon Resource Name (ARN) of the destination group.

Type

str

destination_ip_address

The IP address of the destination that processed this request.

Type

str

destination_list

A space-delimited list of IP addresses and ports for the destinations that processed this request.

Type

str

destination_port

The port of the destination that processed this request.

Type

int

destination_processing_duration

duration from the time the load balancer sent the request to a destination until the destination started to send the response headers.

Type

str

destination_status_code

The status code of the response from the destination.

Type

int

destination_status_code_list

A space-delimited list of status codes.

Type

str

domain_name

The SNI domain provided by the source during the TLS handshake.

Type

str

error_reason

The error reason code, enclosed in double quotes.

Type

str

handshake_duration

duration of the handshake to complete after the TCP connection is established, including client-side delays, in milliseconds. This time is included in the connection_duration field. (only for network load balancer logs)

Type

str

incoming_tls_alert

The integer value of TLS alerts received by the load balancer from the client, if present. (only for network load balancer logs)

Type

str

listener

The resource ID of the TLS listener for the connection. (only for network load balancer logs)

Type

str

matched_rule_priority

The priority value of the rule that matched the request.

Type

int

received_bytes

The size of the request, in bytes, received from the source.

Type

int

redirect_url

The URL of the redirect destination.

Type

str

request_processing_duration

total duration from the time the load balancer received the request until the time it sent the request to a destination.

Type

str

request_time

date and time a request was sent.

Type

dfdatetime.DateTimeValues

request_type

The type of request or connection.

Type

str

resource_identifier

The resource ID of the load balancer.

Type

str

response_processing_duration

duration of processing a response.

Type

str

response_time

date and time a response was sent.

Type

dfdatetime.DateTimeValues

sent_bytes

The size of the response, in bytes, sent to the source.

Type

int

ssl_cipher

The SSL cipher of the HTTPS listener.

Type

str

ssl_protocol

The SSL protocol of the HTTPS listener.

Type

str

source_ip_address

The IP address of the requesting source.

Type

str

source_port

The port of the requesting source.

Type

int

tls_cipher

The cipher suite negotiated with the client, in OpenSSL format. If TLS negotiation does not complete, this value is set to -. (only for network load balancer logs)

Type

str

tls_named_group

Reserved for future use. This value is always set to -. (only for network load balancer logs)

Type

str

tls_protocol_version

The TLS protocol negotiated with the client, in string format. If TLS negotiation does not complete, this value is set to -. (only for network load balancer logs)

Type

str

trace_identifier

The contents of the X-Amzn-Trace-Id header.

Type

str

user_agent

A User-Agent string.

Type

str

version

The version of the log entry. (only for network load balancer logs)

Type

str

DATA_TYPE = 'aws:elb:access'

class plaso.parsers.text_plugins.aws_elb_access.AWSELBTextPlugin

Bases: TextPlugin

Text parser plugin for AWS ELB access log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

DATA_FORMAT = 'AWS ELB Access log file'

ENCODING = 'utf-8'

NAME = 'aws_elb_access'

VERIFICATION_GRAMMAR = {{{{{{{{{{{{W:(!-~) | {'"-"' | '-'}} {{{{{{{W:(0-9){4} Suppress:('-')} W:(0-9){2} Suppress:('-')} W:(0-9){2} Suppress:('T')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:('.')} W:(0-9){6} Suppress:('Z')} {W:(!-~) | {'"-"' | '-'}} Group:({{IPv4 address | IPv6 address} Suppress:(':')} {W:(0-9){1,6} | {'"-"' | '-'} | {'"-"' | '-'}})} Group:({{IPv4 address | IPv6 address} Suppress:(':')} {W:(0-9){1,6} | {'"-"' | '-'} | {'"-"' | '-'}})} {W:(.0-9) | '-1'} {W:(.0-9) | '-1'} {W:(.0-9) | '-1'} {W:(0-9) | {'"-"' | '-'} {W:(0-9) | {'"-"' | '-'} {W:(0-9) | {'"-"' | '-'}} {W:(0-9) | {'"-"' | '-'}} quoted string using single or double quotes} quoted string using single or double quotes} {W:(!-~) | {'"-"' | '-'} {W:(!-~) | {'"-"' | '-'} {W:(!-~) | {'"-"' | '-'}} quoted string using single or double quotes} quoted string using single or double quotes} quoted string using single or double quotes} {W:(-, 0-9) | {W:(0-9) | {'"-"' | '-'} {{{{{{{W:(0-9){4} Suppress:('-')} W:(0-9){2} Suppress:('-')} W:(0-9){2} Suppress:('T')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:('.')} W:(0-9){6} Suppress:('Z')} quoted string using single or double quotes} quoted string using single or double quotes} quoted string using single or double quotes} quoted string using single or double quotes} quoted string using single or double quotes} quoted string using single or double quotes} quoted string using single or double quotes} Suppress:(LineEnd)} ^ {{{W:(0-9){4} Suppress:('-')} W:(0-9){2} Suppress:('-')} W:(0-9){2} Suppress:('T')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:('.')} W:(0-9){6} Suppress:('Z')} {W:(!-~) | {'"-"' | '-'} Group:({{IPv4 address | IPv6 address} Suppress:(':')} {W:(0-9){1,6} | {'"-"' | '-'} | {'"-"' | '-'}})} Group:({{IPv4 address | IPv6 address} Suppress:(':')} {W:(0-9){1,6} | {'"-"' | '-'} | {'"-"' | '-'}})} {W:(.0-9) | '-1'} {W:(.0-9) | '-1'} {W:(.0-9) | '-1'} {W:(0-9) | {'"-"' | '-'} {W:(0-9) | {'"-"' | '-'} {W:(-, 0-9) | {W:(0-9) | {'"-"' | '-'} {W:(-, 0-9) | {W:(0-9) | {'"-"' | '-'} quoted string using single or double quotes} quoted string using single or double quotes} {W:(!-~) | {'"-"' | '-'} {W:(!-~) | {'"-"' | '-'} Suppress:(LineEnd)}} ^ {{W:(!-~) | {'"-"' | '-'}} {W:(!-~) | {'"-"' | '-'}} {{{{{W:(0-9){4} Suppress:('-')} W:(0-9){2} Suppress:('-')} W:(0-9){2} Suppress:('T')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} {W:(!-~) | {'"-"' | '-'}} {W:(!-~) | {'"-"' | '-'}} Group:({{IPv4 address | IPv6 address} Suppress:(':')} {W:(0-9){1,6} | {'"-"' | '-'} | {'"-"' | '-'}})} Group:({{IPv4 address | IPv6 address} Suppress:(':')} {W:(0-9){1,6} | {'"-"' | '-'} | {'"-"' | '-'}})} {W:(0-9) | {'"-"' | '-'} {W:(0-9) | {'"-"' | '-'} {W:(0-9) | {'"-"' | '-'}} {W:(0-9) | {'"-"' | '-'}} {W:(!-~) | {'"-"' | '-'}} {W:(!-~) | {'"-"' | '-'}} {W:(!-~) | {'"-"' | '-'}} {W:(!-~) | {'"-"' | '-'}} {W:(!-~) | {'"-"' | '-'}} {W:(!-~) | {'"-"' | '-'}} {W:(!-~) | {'"-"' | '-'}} {W:(!-~) | {'"-"' | '-'}} {W:(!-~) | {'"-"' | '-'}} {quoted string using single or double quotes | '-'} Suppress:(LineEnd)}}

plaso.parsers.text_plugins.bash_history module

Text parser plugin for bash history files.

class plaso.parsers.text_plugins.bash_history.BashHistoryEventData(*args: Any, **kwargs: Any)

Bases: EventData

Bash history log event data.

command

command that was executed.

Type

str

written_time

date and time the entry was written.

Type

dfdatetime.DateTimeValues

DATA_TYPE = 'bash:history:entry'

class plaso.parsers.text_plugins.bash_history.BashHistoryTextPlugin

Bases: TextPluginWithLineContinuation

Text parser plugin for bash history files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the parser.

Parameters

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

DATA_FORMAT = 'Bash history file'

ENCODING = 'utf-8'

NAME = 'bash_history'

VERIFICATION_GRAMMAR = {{Re:('#(?P<timestamp>[1-9][0-9]{8,9})\n') {rest of line Suppress:(LineEnd)}} ^ {{rest of line Suppress:(LineEnd)} Re:('#(?P<timestamp>[1-9][0-9]{8,9})\n')} {rest of line Suppress:(LineEnd)}}

plaso.parsers.text_plugins.confluence_access module

Text plugin for Confluence access log (conf_access_log[DATE].log) files.

Also see:

https://confluence.atlassian.com/doc/configure-access-logs-1044780567.html https://confluence.atlassian.com/confkb/audit-confluence-using-the-tomcat-valve-component-223216846.html

class plaso.parsers.text_plugins.confluence_access.ConfluenceAccessEventData(*args: Any, **kwargs: Any)

Bases: EventData

Confluence access event data.

forwarded_for

request X-FORWARDED-FOR header value.

Type

str

http_request_method

HTTP request method.

Type

str

http_request_referer

HTTP request referer header information.

Type

str

http_request_uri

HTTP request URI.

Type

str

http_request_user_agent

HTTP request user agent header information.

Type

str

http_response_bytes

HTTP response bytes size without headers.

Type

int

http_response_code

HTTP response code from server.

Type

int

http_version

HTTP request version.

Type

str

process_duration

time taken to process the request in milliseconds.

Type

int

recorded_time

date and time the log entry was recorded.

Type

dfdatetime.DateTimeValues

remote_name

remote hostname or IP address

Type

str

thread_name

name of the thread that handled the request.

Type

str

user_name

response X-AUSERNAME header value.

Type

str

DATA_TYPE = 'confluence:access'

class plaso.parsers.text_plugins.confluence_access.ConfluenceAccessTextPlugin

Bases: TextPlugin

Text plugin for Confluence access log (conf_access_log[DATE].log) files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

DATA_FORMAT = 'Confluence access log (access.log) file'

NAME = 'confluence_access'

VERIFICATION_GRAMMAR = {{{{{{{{{{{{Group:({{{{{{{Suppress:('[') W:(0-9){2}} Suppress:('/')} W:(A-Za-z){3} Suppress:('/')} W:(0-9){4} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} {(+-) W:(0-9){2}} W:(0-9){2} Suppress:(']')}) {{W:(.0-9@-Za-z) | W:(0-9A-Za-z)} | '-'}} W:(-0-9A-Za-z)} {{IPv4 address | IPv6 address} | W:(-.0-9A-Za-z)} CONNECT | DELETE | GET | HEAD | OPTIONS | PATCH | POST | PUT | TRACE} W:(#%&+--:<-?A-[...)} W:(.-9A-Za-z)} W:(0-9)} W:(0-9)} 'ms'} {'-' | W:(0-9)} W:(#%&+--:<-?A-[...)} rest of line} Suppress:(LineEnd)} ^ {{{{{{{{{{{Group:({{{{{{{Suppress:('[') W:(0-9){2}} Suppress:('/')} W:(A-Za-z){3} Suppress:('/')} W:(0-9){4} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} {(+-) W:(0-9){2}} W:(0-9){2} Suppress:(']')}) {IPv4 address | IPv6 address}} {{W:(.0-9@-Za-z) | W:(0-9A-Za-z)} | '-'} W:(-0-9A-Za-z)} {{IPv4 address | IPv6 address} | W:(-.0-9A-Za-z)} CONNECT | DELETE | GET | HEAD | OPTIONS | PATCH | POST | PUT | TRACE} W:(#%&+--:<-?A-[...)} W:(.-9A-Za-z)} W:(0-9)} W:(0-9)} 'ms'} {'-' | W:(0-9)} W:(#%&+--:<-?A-[...)} rest of line} Suppress:(LineEnd)}}

VERIFICATION_LITERALS = [' CONNECT ', ' DELETE ', ' GET ', ' HEAD ', ' HTTP/', ' OPTIONS ', ' PATCH ', ' POST ', ' PUT ', ' TRACE ']

plaso.parsers.text_plugins.dpkg module

Text parser plugin for Debian package manager log (dpkg.log) files.

An example:

2016-08-03 15:25:53 install base-passwd:amd64 <none> 3.5.33

Log messages are of the form:

YYYY-MM-DD HH:MM:SS startup type command Where type is:

archives (with a command of unpack or install) packages (with a command of configure, triggers-only, remove or purge)

YYYY-MM-DD HH:MM:SS status state pkg installed-version

YYYY-MM-DD HH:MM:SS action pkg installed-version available-version Where action is:

install, upgrade, configure, trigproc, disappear, remove or purge.

YYYY-MM-DD HH:MM:SS conffile filename decision Where decision is install or keep.

class plaso.parsers.text_plugins.dpkg.DpkgEventData(*args: Any, **kwargs: Any)

Bases: EventData

Dpkg event data.

added_time

date and time the log entry was added.

Type

dfdatetime.DateTimeValues

body

body of the log line.

Type

str

DATA_TYPE = 'linux:dpkg_log:entry'

class plaso.parsers.text_plugins.dpkg.DpkgTextPlugin

Bases: TextPlugin

Text parser plugin for Debian package manager log (dpkg.log) files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

DATA_FORMAT = 'Debian package manager log (dpkg.log) file'

ENCODING = 'utf-8'

NAME = 'dpkg'

VERIFICATION_GRAMMAR = {{Group:({{{{W:(0-9){4} Suppress:('-')} W:(0-9){2} Suppress:('-')} W:(0-9){2} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2}) {Combine:({{'startup' archives | packages} unpack | install | configure | triggers-only | remove | purge}) | Combine:({{{'status' W:(!-~)} W:(!-~)} W:(!-~)}) | Combine:({{{install | upgrade | configure | trigproc | disappear | remove | purge W:(!-~)} W:(!-~)} W:(!-~)}) | Combine:({{'conffile' W:(!-~)} install | keep})}} Suppress:(LineEnd)}

VERIFICATION_LITERALS = [' conffile ', ' configure ', ' disappear ', ' install ', ' purge ', ' remove ', ' startup ', ' status ', ' trigproc ', ' upgrade ']

plaso.parsers.text_plugins.gdrive_synclog module

Text parser plugin for Google Drive Sync log files.

class plaso.parsers.text_plugins.gdrive_synclog.GoogleDriveSyncLogEventData(*args: Any, **kwargs: Any)

Bases: EventData

Google Drive Sync log event data.

added_time

date and time the log entry was added.

Type

dfdatetime.DateTimeValues

level

logging level of event such as “DEBUG”, “WARN”, “INFO” and “ERROR”.

Type

str

message

log message.

Type

str

process_identifier

process identifier of process which logged event.

Type

int

source_code

filename:line_number of source file which logged event.

Type

str

thread

colon-separated thread identifier in the form “ID:name” which logged event.

Type

str

DATA_TYPE = 'google_drive_sync_log:entry'

class plaso.parsers.text_plugins.gdrive_synclog.GoogleDriveSyncLogTextPlugin

Bases: TextPluginWithLineContinuation

Text parser plugin for Google Drive Sync log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the parser.

Parameters

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

DATA_FORMAT = 'Google Drive Sync log file'

ENCODING = 'utf-8'

NAME = 'gdrive_synclog'

VERIFICATION_GRAMMAR = Re:('(?P<date_time>[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}[,.][0-9]{3} [+-][0-9]{4}) [A-Z]+ pid=[0-9]+ [0-9]+:\S+[ ]+\S+:[0-9]+ .*\n')

VERIFICATION_LITERALS = [' ERROR ', ' FATAL ', ' INFO ', ' pid=', ' WARNING ']

plaso.parsers.text_plugins.google_logging module

Text parser plugin for Google-formatted log files.

Note that this format is also used by Kubernetes.

Also see:

https://github.com/google/glog https://github.com/kubernetes/klog

class plaso.parsers.text_plugins.google_logging.GoogleLogEventData(*args: Any, **kwargs: Any)

Bases: EventData

Google-formatted log file event data.

file_name

the name of the source file that logged the message.

Type

str

last_written_time

entry last written date and time.

Type

dfdatetime.DateTimeValues

line_number

the line number in the source file where the logging statement is.

Type

int

message

the log message.

Type

str

priority

the priority of the message - I, W, E or F. These values represent messages logged at INFO, WARNING, ERROR or FATAL severities, respectively.

Type

str

thread_identifier

the identifier of the thread that recorded the message.

Type

int

DATA_TYPE = 'googlelog:log'

class plaso.parsers.text_plugins.google_logging.GoogleLogTextPlugin

Bases: TextPlugin, YearLessLogFormatHelper

Text parser plugin for Google-formatted log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the parser.

Parameters

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

DATA_FORMAT = 'Google-formatted log file'

NAME = 'googlelog'

VERIFICATION_GRAMMAR = {Re:('Log file created at: (?P<date_time>[0-9]{4}/[0-9]{2}/[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2})\n') Re:('Running on machine: .*\n')}

VERIFICATION_LITERALS = ['Log file created at: ', 'Running on machine: ']

plaso.parsers.text_plugins.iis module

Text parser plugin for Microsoft IIS log files.

class plaso.parsers.text_plugins.iis.IISEventData(*args: Any, **kwargs: Any)

Bases: EventData

IIS log event data.

cs_cookie

Content of a sent or received cookie.

Type

str

cs_host

HTTP host header name.

Type

str

cs_referrer

Site that referred to the requested site.

Type

str

cs_uri_query

URI query that was requested.

Type

str

cs_username

Username of the authenticated user that accessed the server, where anonymous users are indicated by a hyphen.

Type

str

dest_ip

IP address of the server that generated the logged activity.

Type

str

dest_port

Server port number.

Type

str

http_method

HTTP request method, such as GET or POST.

Type

str

http_status

HTTP status code that was returned by the server.

Type

str

last_written_time

entry last written date and time.

Type

dfdatetime.DateTimeValues

protocol_version

HTTP protocol version that was used.

Type

str

received_bytes

Number of bytes received and processed by the server.

Type

str

requested_uri_stem

File requested, such as index.php or Default.htm

Type

str

s_computername

Name of the server that generated the logged activity.

Type

str

sc_substatus

HTTP substatus error code that was returned by the server.

Type

str

sc_win32_status

Windows status code of the server.

Type

str

sent_bytes

Number of bytes sent by the server.

Type

str

source_ip

IP address of the client that made the request.

Type

str

s_sitename

Service name and instance number that was running on the client.

Type

str

time_taken

Time taken, in milliseconds, to process the request.

Type

str

user_agent

User agent that was used.

Type

str

DATA_TYPE = 'iis:log:line'

class plaso.parsers.text_plugins.iis.WinIISTextPlugin

Bases: TextPlugin

Text parser plugin for Microsoft IIS log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

DATA_FORMAT = 'Microsoft IIS log file'

ENCODING = 'utf-8'

NAME = 'winiis'

PORT = {W:(0-9){1,6} | '-'}

VERIFICATION_GRAMMAR = {[{Re:('#(Date|Fields|Version): .*') Suppress:(LineEnd)}]... {Re:('#Software: Microsoft Internet Information Services [0-9]+.[0-9]+') Suppress:(LineEnd)}}

VERIFICATION_LITERALS = ['#Software: Microsoft Internet Information Services ']

plaso.parsers.text_plugins.interface module

This file contains the interface for text plugins.

class plaso.parsers.text_plugins.interface.TextPlugin

Bases: BasePlugin

The interface for text plugins.

abstract CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

DATA_FORMAT = 'Text file'

ENCODING = None

NAME = 'text_plugin'

Process(parser_mediator, file_object=None, **kwargs)

Extracts events from a text log file.

Parameters

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• file_object (Optional[dfvfs.FileIO]) – a file-like object.

VERIFICATION_GRAMMAR = None

VERIFICATION_LITERALS = None

class plaso.parsers.text_plugins.interface.TextPluginWithLineContinuation

Bases: TextPlugin

The interface for text plugins with line continuation.

plaso.parsers.text_plugins.ios_lockdownd module

Text parser plugin for iOS lockdown daemon log files (ios_lockdownd.log).

class plaso.parsers.text_plugins.ios_lockdownd.IOSLockdowndLogData(*args: Any, **kwargs: Any)

Bases: EventData

iOS lockdown daemon (lockdownd) log event data.

body

body of the log entry.

Type

str

process_identifier

identifier of the process making the request to lockdownd.

Type

int

written_time

date and time the log entry was written.

Type

dfdatetime.DateTimeValues

DATA_TYPE = 'ios:lockdownd_log:entry'

class plaso.parsers.text_plugins.ios_lockdownd.IOSLockdowndLogTextPlugin

Bases: TextPluginWithLineContinuation

Text parser plugin for iOS lockdown daemon log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the parser.

Parameters

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

DATA_FORMAT = 'iOS lockdown daemon log'

NAME = 'ios_lockdownd'

VERIFICATION_GRAMMAR = {{{{{{{{{W:(0-9){2} Suppress:('/')} W:(0-9){2} Suppress:('/')} W:(0-9){2} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:((,.))} W:(0-9){6} Suppress:('pid=')} W:(0-9)} rest of line} Suppress:(LineEnd)}

plaso.parsers.text_plugins.ios_logd module

Text parser plugin for iOS sysdiagnose logd files (logd.0.log).

class plaso.parsers.text_plugins.ios_logd.IOSSysdiagnoseLogdData(*args: Any, **kwargs: Any)

Bases: EventData

iOS sysdiagnose logd event data.

body

body of the event line.

Type

str

logger

name of the process that generated the event.

Type

str

written_time

date and time the log entry was written.

Type

dfdatetime.DateTimeValues

DATA_TYPE = 'ios:sysdiagnose:logd:line'

class plaso.parsers.text_plugins.ios_logd.IOSSysdiagnoseLogdTextPlugin

Bases: TextPlugin

Text parser plugin for iOS sysdiagnose logd files (logd.0.log).

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

DATA_FORMAT = 'iOS sysdiagnose logd file'

NAME = 'ios_logd'

VERIFICATION_GRAMMAR = {{{{{{{{W:(0-9){4} Suppress:('-')} W:(0-9){2} Suppress:('-')} W:(0-9){2} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} {(+-) W:(0-9){2}} W:(0-9){2} Combine:({{{W:(A-Z_a-z) '['} W:(0-9)} ']'})} Suppress:(': ')} rest of line} Suppress:(LineEnd)}

plaso.parsers.text_plugins.ios_sysdiag_log module

Text parser plugin for iOS sysdiag log files.

class plaso.parsers.text_plugins.ios_sysdiag_log.IOSSysdiagLogEventData(*args: Any, **kwargs: Any)

Bases: EventData

iOS sysdiagnose log event data.

body

body of the event line.

Type

str

originating_call

call that created the entry.

Type

str

process_identifier

process_identifier.

Type

str

severity

severity of the message.

Type

str

written_time

date and time the log entry was written.

Type

dfdatetime.DateTimeValues

DATA_TYPE = 'ios:sysdiag_log:entry'

class plaso.parsers.text_plugins.ios_sysdiag_log.IOSSysdiagLogTextPlugin

Bases: TextPluginWithLineContinuation

Text parser plugin for iOS mobile installation log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the parser.

Parameters

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

DATA_FORMAT = 'iOS sysdiag log'

NAME = 'ios_sysdiag_log'

VERIFICATION_GRAMMAR = {{{{{{{{{{{{{{{{Suppress:(W:(A-Za-z){3}) W:(A-Za-z){3}} W:(0-9){1,2} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} W:(0-9){4} Suppress:('[')} W:(0-9)} Suppress:(']')} Suppress:('<')} W:(0-9A-Za-z)} Suppress:('>')} Suppress:('(')} W:(0-9A-Za-z)} Suppress:(')')} Combine:({[{{(+-) '['} !W:(])} ']'] [!W:(:)]})} Suppress:(': ')} rest of line} Suppress:(LineEnd)}

plaso.parsers.text_plugins.macos_appfirewall module

Text plugin for MacOS Application firewall log (appfirewall.log) files.

class plaso.parsers.text_plugins.macos_appfirewall.MacOSAppFirewallLogEventData(*args: Any, **kwargs: Any)

Bases: EventData

MacOS Application firewall log (appfirewall.log) file event data.

action

action.

Type

str

added_time

date and time the log entry was added.

Type

dfdatetime.DateTimeValues

agent

agent that save the log.

Type

str

computer_name

name of the computer.

Type

str

process_name

name of the entity that tried to do the action.

Type

str

status

saved status action.

Type

str

DATA_TYPE = 'macos:appfirewall_log:entry'

class plaso.parsers.text_plugins.macos_appfirewall.MacOSAppFirewallTextPlugin

Bases: TextPlugin, YearLessLogFormatHelper

Text plugin for MacOS Application firewall log (appfirewall.log) files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

DATA_FORMAT = 'MacOS Application firewall log (appfirewall.log) file'

ENCODING = 'utf-8'

NAME = 'mac_appfirewall_log'

VERIFICATION_GRAMMAR = {{{{{{{W:(A-Za-z){3} W:(0-9){1,2}} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} W:(!-~)} Combine:({{W:(!-9;=-Z\-~) '['} W:(0-9){1,5} ']'})} '<Error>: Logging: creating /var/log/appfirewall.log'} Suppress:(LineEnd)}

plaso.parsers.text_plugins.macos_securityd module

Text parser plugin for MacOS security daemon (securityd) log files.

Also see:

https://opensource.apple.com/source/Security/Security-55471/sec/securityd

class plaso.parsers.text_plugins.macos_securityd.MacOSSecuritydLogEventData(*args: Any, **kwargs: Any)

Bases: EventData

MacOS securityd log event data.

added_time

date and time the log entry was added.

Type

dfdatetime.DateTimeValues

caller

caller, consists of two hex numbers.

Type

str

facility

facility.

Type

str

level

priority level.

Type

str

message

message.

Type

str

security_api

name of securityd function.

Type

str

sender

name of the sender.

Type

str

sender_pid

process identifier of the sender.

Type

int

DATA_TYPE = 'macos:securityd_log:entry'

class plaso.parsers.text_plugins.macos_securityd.MacOSSecuritydLogTextPlugin

Bases: TextPlugin, YearLessLogFormatHelper

Text parser plugin for MacOS security daemon (securityd) log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

DATA_FORMAT = 'MacOS security daemon (securityd) log file'

ENCODING = 'utf-8'

NAME = 'mac_securityd'

VERIFICATION_GRAMMAR = {{{{{{{{{{{{{{{Group:({{{W:(A-Za-z){3} W:(0-9){1,2}} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2}) !W:([)} Suppress:('[')} W:(0-9){1,5} Suppress:(']')} Suppress:('<')} !W:(>)} Suppress:('>')} Suppress:('[')} !W:({)} Suppress:('{')} [!W:(})]} Suppress:('}')} [!W:(]:)]} Suppress:(']:')} rest of line} Suppress:(LineEnd)}

plaso.parsers.text_plugins.macos_wifi module

Text parser plugin for MacOS Wi-Fi log (wifi.log) files.

class plaso.parsers.text_plugins.macos_wifi.MacOSWiFiLogEventData(*args: Any, **kwargs: Any)

Bases: EventData

MacOS Wi-Fi log event data.

action

known Wi-Fi action, for example connected to an access point, configured, etc. If the action is not known, the value is the message of the log (text variable).

Type

str

added_time

date and time the log entry was added.

Type

dfdatetime.DateTimeValues

agent

name and identifier of process that generated the log message.

Type

str

function

name of function that generated the log message.

Type

str

text

log message.

Type

str

DATA_TYPE = 'macos:wifi_log:entry'

class plaso.parsers.text_plugins.macos_wifi.MacOSWiFiLogTextPlugin

Bases: TextPlugin, YearLessLogFormatHelper

Text parser plugin MacOS Wi-Fi log (wifi.log) files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

DATA_FORMAT = 'MacOS Wi-Fi log (wifi.log) file'

ENCODING = 'utf-8'

NAME = 'mac_wifi'

VERIFICATION_GRAMMAR = {{{{{Group:({{{{W:(A-Za-z){3} W:(A-Za-z){3}} W:(0-9){1,2} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:('.')} W:(0-9){3}) '***Starting Up***'} Suppress:(LineEnd)} ^ {{{{{Group:({{{{W:(A-Za-z){3} W:(A-Za-z){3}} W:(0-9){1,2} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:('.')} W:(0-9){3}) {{'<' Combine:({'airportd' !W:(>)})} '>'}} airportdProcessDLILEvent | _doAutoJoin | _processSystemPSKAssoc} ':'} rest of line} Suppress:(LineEnd)}} ^ {{{Group:({{{{W:(A-Za-z){3} W:(A-Za-z){3}} W:(0-9){1,2} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:('.')} W:(0-9){3}) ~{{{{{'<' Combine:({'airportd' !W:(>)})} '>'} airportdProcessDLILEvent | _doAutoJoin | _processSystemPSKAssoc} ':'}}} rest of line} Suppress:(LineEnd)}} ^ {{Group:({{{W:(A-Za-z){3} W:(0-9){1,2}} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2}) Combine:({{W:(!-~) W:(!-~)} 'logfile turned over'})} Suppress:(LineEnd)}}

plaso.parsers.text_plugins.popcontest module

Text parser plugin for popularity contest log files.

Information updated 20 january 2014. From Debian Package Popularity Contest Avery Pennarun <apenwarr@debian.org>

From ‘https://www.unix.com/man-page/Linux/8/popularity-contest’:

The popularity-contest command gathers information about Debian pack- ages installed on the system, and prints the name of the most recently used executable program in that package as well as its last-accessed time (atime) and last-attribute-changed time (ctime) to stdout.

When aggregated with the output of popularity-contest from many other systems, this information is valuable because it can be used to deter- mine which Debian packages are commonly installed, used, or installed and never used. This helps Debian maintainers make decisions such as which packages should be installed by default on new systems.

The resulting statistic is available from the project home page https://popcon.debian.org

Normally, popularity-contest is run from a cron(8) job, /etc/cron.daily/popularity-contest, which automatically submits the results to Debian package maintainers (only once a week) according to the settings in /etc/popularity-contest.conf and /usr/share/popularity- contest/default.conf.

From ‘https://popcon.ubuntu.com/README’:

The popularity-contest output looks like this:

POPULARITY-CONTEST-0 TIME:914183330 ID:b92a5fc1809d8a95a12eb3a3c8445 914183333 909868335 grep /bin/fgrep 914183333 909868280 findutils /usr/bin/find 914183330 909885698 dpkg-awk /usr/bin/dpkg-awk 914183330 909868577 gawk /usr/bin/gawk […more lines…] END-POPULARITY-CONTEST-0 TIME:914183335

The first and last lines allow you to put more than one set of popularity-contest results into a single file and then split them up easily later.

The rest of the lines are package entries, one line for each package installed on your system. They have the format:

<atime> <ctime> <package-name> <mru-program> <tag>

<package-name> is the name of the Debian package that contains <mru-program>. <mru-program> is the most recently used program, static library, or header (.h) file in the package.

<atime> and <ctime> are the access time and creation time of the <mru-program> on your disk, respectively, represented as the number of seconds since midnight GMT on January 1, 1970 (i.e. in Unix time_t format). Linux updates <atime> whenever you open the file; <ctime> was set when you first installed the package.

<tag> is determined by popularity-contest depending on <atime>, <ctime>, and the current date. <tag> can be RECENT-CTIME, OLD, or NOFILES.

RECENT-CTIME means that atime is very close to ctime; it’s impossible to tell whether the package was used recently or not, since <atime> is also updated when <ctime> is set. Normally, this happens because you have recently upgraded the package to a new version, resetting the <ctime>.

OLD means that the <atime> is more than a month ago; you haven’t used the package for more than a month.

NOFILES means that no files in the package seemed to be programs, so <atime>, <ctime>, and <mru-program> are invalid.’

REMARKS. The parser will generate events solely based on the <atime> field and not using <ctime>, to reduce the generation of (possibly many) useless events all with the same <ctime>. Indeed, that <ctime> will be probably get from file system and/or package management logs. The <ctime> will be reported in the log line.

class plaso.parsers.text_plugins.popcontest.PopularityContestEventData(*args: Any, **kwargs: Any)

Bases: EventData

Popularity Contest event data.

access_time

file entry last access date and time.

Type

dfdatetime.DateTimeValues

change_time

file entry inode change (or metadata last modification) date and time.

Type

dfdatetime.DateTimeValues

mru

recently used app/library from package.

Type

str

package

installed packaged name, which the mru belongs to.

Type

str

record_tag

popularity context tag.

Type

str

DATA_TYPE = 'linux:popularity_contest_log:entry'

class plaso.parsers.text_plugins.popcontest.PopularityContestSessionEventData(*args: Any, **kwargs: Any)

Bases: EventData

Popularity Contest session event data.

details

version and host architecture.

Type

str

end_time

date and time the end of the session log entry was added.

Type

dfdatetime.DateTimeValues

host_identifier

host identifier (UUID).

Type

str

session

session number.

Type

int

start_time

date and time the start of the session log entry was added.

Type

dfdatetime.DateTimeValues

DATA_TYPE = 'linux:popularity_contest_log:session'

class plaso.parsers.text_plugins.popcontest.PopularityContestTextPlugin

Bases: TextPlugin

Text parser plugin for popularity contest log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

DATA_FORMAT = 'Popularity Contest log file'

ENCODING = 'utf-8'

NAME = 'popularity_contest'

VERIFICATION_GRAMMAR = {{{{{{Suppress:('POPULARITY-CONTEST-') W:(0-9)} Suppress:('TIME:')} W:(0-9)} Suppress:('ID:')} W:(0-9A-Za-z){32} rest of line} Suppress:(LineEnd)}

plaso.parsers.text_plugins.postgresql module

Text parser plugin for PostgreSQL application log files.

This is a multi-line log format that records internal database application logs as well as authentication attempts.

Also see:

https://www.postgresql.org/docs/current/runtime-config-logging.html

class plaso.parsers.text_plugins.postgresql.PostgreSQLEventData(*args: Any, **kwargs: Any)

Bases: EventData

PostgreSQL application log data.

log_line

log message.

Type

str

pid

process identifier (PID).

Type

int

recorded_time

date and time the log entry was recorded.

Type

dfdatetime.DateTimeValues

severity

severity.

Type

str

user

“user@database” string if present. Records the user account and database name that was authenticated or attempting to authenticate.

Type

str

DATA_TYPE = 'postgresql:application_log:entry'

class plaso.parsers.text_plugins.postgresql.PostgreSQLTextPlugin

Bases: TextPlugin

Text parser plugin for PostgreSQL application log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the parser.

Parameters

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

DATA_FORMAT = 'PostgreSQL application log file'

ENCODING = 'utf-8'

NAME = 'postgresql'

VERIFICATION_GRAMMAR = {{{{{{{{{{{{LineStart W:(0-9){4}} Suppress:('-')} W:(0-9){2} Suppress:('-')} W:(0-9){2} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} [Suppress:('.') W:(0-9){3}]} W:(!-~)} {{{{Suppress:('[') {W:(0-9)}...} ['-']} [W:(0-9)]...} Suppress:(']')} [{W:(0-9A-Za-z) '@'} W:(0-9A-Za-z)]} W:(A-Z)} Suppress:(':')} SkipTo:({StringEnd | {{{{{{{LineStart W:(0-9){4}} Suppress:('-')} W:(0-9){2} Suppress:('-')} W:(0-9){2} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} [Suppress:('.') W:(0-9){3}]} W:(!-~)}})} [Suppress:(LineEnd)]...}

plaso.parsers.text_plugins.powershell_transcript module

Text parser plugin for PowerShell transcript log files.

class plaso.parsers.text_plugins.powershell_transcript.PowerShellTranscriptLogEventData(*args: Any, **kwargs: Any)

Bases: EventData

PowerShell transcript log event data.

build_version

Build number of current version.

Type

str

clr_version

Common Language Runtime version.

Type

str

commands

Commands that were executed.

Type

str

compatible_versions

Compatible PowerShell versions.

Type

str

configuration_name

Configuration name.

Type

str

edition

PowerShell edition

Type

str

host_application

Application that executed the commands.

Type

str

machine

Hostname of machine.

Type

str

process_identifier

Process identifier.

Type

str

remoting_protocol_version

PowerShell remote management protocol version.

Type

str

runas_user

User context of execution.

Type

str

serialization_version

Serialization method version.

Type

str

start_time

date and time the start of the PowerShell transcript.

Type

dfdatetime.DateTimeValues

username

User that executed the commands.

Type

str

version

PowerShell version.

Type

str

ws_man_stack_version

WS-Management stack version

Type

str

DATA_TYPE = 'powershell:transcript_log:entry'

class plaso.parsers.text_plugins.powershell_transcript.PowerShellTranscriptLogTextPlugin

Bases: TextPlugin

Text parser plugin for PowerShell transcript log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

DATA_FORMAT = 'PowerShell transcript event'

ENCODING = 'utf-8'

NAME = 'powershell_transcript'

VERIFICATION_GRAMMAR = {{'**********************' Suppress:(LineEnd)} Re:('.*Windows PowerShell.*\n')}

VERIFICATION_LITERALS = ['Windows PowerShell']

plaso.parsers.text_plugins.santa module

Text file parser plugin for Santa log files.

class plaso.parsers.text_plugins.santa.SantaExecutionEventData(*args: Any, **kwargs: Any)

Bases: EventData

Santa execution event data.

action

action recorded by Santa.

Type

str

certificate_common_name

certificate common name.

Type

str

certificate_hash

SHA256 hash for the certificate associated with the executed process.

Type

str

decision

if the process was allowed or blocked.

Type

str

gid

group identifier associated with the executed process.

Type

str

group

group name associated with the executed process.

Type

str

last_run_time

executable (binary) last run date and time.

Type

dfdatetime.DateTimeValues

long_reason

further explanation behind Santa decision to execute or block a process.

Type

str

mode

Santa execution mode, for example Monitor or Lockdown.

Type

str

pid

process identifier for the process.

Type

str

pid_version

the process identifier version extracted from the Mach audit token. The version can sed to identify process identifier rollovers.

Type

str

ppid

parent process identifier for the executed process.

Type

str

process_arguments

executed process with its arguments.

Type

str

process_hash

SHA256 hash for the executed process.

Type

str

process_path

process file path.

Type

str

reason

reason behind Santa decision to execute or block a process.

Type

str

uid

user identifier associated with the executed process.

Type

str

user

user name associated with the executed process.

Type

str

DATA_TYPE = 'santa:execution'

class plaso.parsers.text_plugins.santa.SantaFileSystemEventData(*args: Any, **kwargs: Any)

Bases: EventData

Santa file system event data.

action

event type recorded by Santa.

Type

str

file_new_path

new file path and name for RENAME events.

Type

str

file_path

file path and name for WRITE/DELETE events.

Type

str

gid

group identifier associated with the executed process.

Type

str

group

group name associated with the executed process.

Type

str

last_written_time

entry last written date and time.

Type

dfdatetime.DateTimeValues

pid

process identifier for the process.

Type

str

pid_version

the process identifier version extracted from the Mach audit token. The version can be used to identify process identifier rollovers.

Type

str

ppid

parent process identifier for the executed process.

Type

str

process_path

process file path.

Type

str

process

process name.

Type

str

uid

user identifier associated with the executed process.

Type

str

user

user name associated with the executed process.

Type

str

DATA_TYPE = 'santa:file_system_event'

class plaso.parsers.text_plugins.santa.SantaMountEventData(*args: Any, **kwargs: Any)

Bases: EventData

Santa mount event data.

action

event type recorded by Santa.

Type

str

appearance_time

date and time the disk appeared.

Type

dfdatetime.DateTimeValues

bsd_name

disk BSD name.

Type

str

bus

device protocol.

Type

str

dmg_path

DMG file path.

Type

str

fs

disk volume kind.

Type

str

last_written_time

entry last written date and time.

Type

dfdatetime.DateTimeValues

model

disk model.

Type

str

mount

disk mount point.

Type

str

serial

disk serial.

Type

str

volume

disk volume name.

Type

str

DATA_TYPE = 'santa:diskmount'

class plaso.parsers.text_plugins.santa.SantaProcessExitEventData(*args: Any, **kwargs: Any)

Bases: EventData

Santa process exit event data.

action

action recorded by Santa.

Type

str

exit_time

process exit date and time.

Type

dfdatetime.DateTimeValues

gid

group identifier associated with the executed process.

Type

str

pid

process identifier for the process.

Type

str

pid_version

the process identifier version extracted from the Mach audit token. The version can be used to identify process identifier rollovers.

Type

str

ppid

parent process identifier for the executed process.

Type

str

uid

user identifier associated with the executed process.

Type

str

DATA_TYPE = 'santa:process_exit'

class plaso.parsers.text_plugins.santa.SantaTextPlugin

Bases: TextPlugin

Text file parser plugin for Santa log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

DATA_FORMAT = 'Santa log (santa.log) file'

ENCODING = 'utf-8'

NAME = 'santa'

VERIFICATION_GRAMMAR = {{{{{{{{{Suppress:('[') {{{{{{{W:(0-9){4} Suppress:('-')} W:(0-9){2} Suppress:('-')} W:(0-9){2} Suppress:('T')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:('.')} W:(0-9){3} Suppress:('Z')}} Suppress:(']')} Suppress:('I santad:')} Suppress:('action=')} 'DISKAPPEAR'} {Suppress:('|mount=') [!W:(| )]} {Suppress:('|volume=') [!W:(| )]} {Suppress:('|bsdname=') [!W:(| )]} {Suppress:('|fs=') [!W:(| )]} {Suppress:('|model=') [!W:(| )]} {Suppress:('|serial=') [!W:(| )]} {Suppress:('|bus=') [!W:(| )]} {Suppress:('|dmgpath=') [!W:(| )]} {Suppress:('|appearance=') {{{{{{{W:(0-9){4} Suppress:('-')} W:(0-9){2} Suppress:('-')} W:(0-9){2} Suppress:('T')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:('.')} W:(0-9){3} Suppress:('Z')} Suppress:(LineEnd)} ^ {{{{{{Suppress:('[') {{{{{{{W:(0-9){4} Suppress:('-')} W:(0-9){2} Suppress:('-')} W:(0-9){2} Suppress:('T')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:('.')} W:(0-9){3} Suppress:('Z')}} Suppress:(']')} Suppress:('I santad:')} Suppress:('action=')} 'DISKDISAPPEAR'} {Suppress:('|mount=') [!W:(| )]} {Suppress:('|volume=') [!W:(| )]} {Suppress:('|bsdname=') [!W:(| )]} Suppress:(LineEnd)}} ^ {{{{{{{{{{{{Suppress:('[') {{{{{{{W:(0-9){4} Suppress:('-')} W:(0-9){2} Suppress:('-')} W:(0-9){2} Suppress:('T')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:('.')} W:(0-9){3} Suppress:('Z')}} Suppress:(']')} Suppress:('I santad:')} Suppress:('action=')} 'EXEC'} {Suppress:('|decision=') [!W:(| )]} {Suppress:('|reason=') [!W:(| )]} [Suppress:('|explain=') [!W:(| )]]} {Suppress:('|sha256=') [!W:(| )]} [Suppress:('|cert_sha256=') [!W:(| )]]} [Suppress:('|cert_cn=') [!W:(| )]]} [Suppress:('|quarantine_url=') [!W:(| )]]} {Suppress:('|pid=') [!W:(| )]} [Suppress:('|pidversion=') [!W:(| )]]} {Suppress:('|ppid=') [!W:(| )]} {Suppress:('|uid=') [!W:(| )]} {Suppress:('|user=') [!W:(| )]} {Suppress:('|gid=') [!W:(| )]} {Suppress:('|group=') [!W:(| )]} {Suppress:('|mode=') [!W:(| )]} {Suppress:('|path=') [!W:(| )]} [Suppress:('|args=') [!W:(| )]]} Suppress:(LineEnd)}} ^ {{{{{{{Suppress:('[') {{{{{{{W:(0-9){4} Suppress:('-')} W:(0-9){2} Suppress:('-')} W:(0-9){2} Suppress:('T')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:('.')} W:(0-9){3} Suppress:('Z')}} Suppress:(']')} Suppress:('I santad:')} Suppress:('action=')} {{{'DELETE' ^ 'LINK'} ^ 'RENAME'} ^ 'WRITE'} {Suppress:('|path=') [!W:(| )]} [Suppress:('|newpath=') [!W:(| )]]} {Suppress:('|pid=') [!W:(| )]} [Suppress:('|pidversion=') [!W:(| )]]} {Suppress:('|ppid=') [!W:(| )]} {Suppress:('|process=') [!W:(| )]} {Suppress:('|processpath=') [!W:(| )]} {Suppress:('|uid=') [!W:(| )]} {Suppress:('|user=') [!W:(| )]} {Suppress:('|gid=') [!W:(| )]} {Suppress:('|group=') [!W:(| )]} Suppress:(LineEnd)}} ^ {{{{{{Suppress:('[') {{{{{{{W:(0-9){4} Suppress:('-')} W:(0-9){2} Suppress:('-')} W:(0-9){2} Suppress:('T')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:('.')} W:(0-9){3} Suppress:('Z')}} Suppress:(']')} Suppress:('I santad:')} Suppress:('action=')} 'EXIT'} {Suppress:('|pid=') [!W:(| )]} {Suppress:('|pidversion=') [!W:(| )]} {Suppress:('|ppid=') [!W:(| )]} {Suppress:('|uid=') [!W:(| )]} {Suppress:('|gid=') [!W:(| )]} Suppress:(LineEnd)}}

plaso.parsers.text_plugins.sccm module

Text parser plugin for System Center Configuration Manager (SCCM) logs.

class plaso.parsers.text_plugins.sccm.SCCMLogEventData(*args: Any, **kwargs: Any)

Bases: EventData

SCCM log event data.

component

component.

Type

str

text

text.

Type

str

written_time

date and time the entry was written.

Type

dfdatetime.DateTimeValues

DATA_TYPE = 'sccm_log:entry'

class plaso.parsers.text_plugins.sccm.SCCMTextPlugin

Bases: TextPlugin

Text parser plugin for System Center Configuration Manager (SCCM) logs.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the parser.

Parameters

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

DATA_FORMAT = 'System Center Configuration Manager (SCCM) client log file'

ENCODING = 'utf-8'

NAME = 'sccm'

VERIFICATION_GRAMMAR = {Re:('.*<!\[LOG\[.*]LOG]!><') {{{{{{Suppress:('time="') W:(0-9){1,2}} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:('.')} Re:('\d{3,7}')} [Group:({(+-) W:(0-9){2,3}})]} {{{Suppress:('" date="') W:(0-9){1,2}} Suppress:('-')} W:(0-9){1,2} Suppress:('-')} W:(0-9){4}} {Suppress:('" component="') W:(0-9A-Za-z)}

VERIFICATION_LITERALS = ['<![LOG[', ']LOG]!><time="']

plaso.parsers.text_plugins.selinux module

Text parser plugin for SELinux audit log (audit.log) files.

audit.log log line example:

type=AVC msg=audit(1105758604.519:420): avc: denied { getattr } for pid=5962 comm=”httpd” path=”/home/auser/public_html” dev=sdb2 ino=921135

Where msg=audit(1105758604.519:420) contains the number of seconds since January 1, 1970 00:00:00 UTC and the number of milliseconds after the dot for example: “seconds: 1105758604, milliseconds: 519”.

The number after the timestamp (420 in the example) is a ‘serial number’ that can be used to correlate multiple logs generated from the same event.

class plaso.parsers.text_plugins.selinux.SELinuxLogEventData(*args: Any, **kwargs: Any)

Bases: EventData

SELinux log event data.

audit_type

audit type.

Type

str

body

body of the log line.

Type

str

last_written_time

entry last written date and time.

Type

dfdatetime.DateTimeValues

pid

process identifier (PID) that created the SELinux log line.

Type

int

DATA_TYPE = 'selinux:line'

class plaso.parsers.text_plugins.selinux.SELinuxTextPlugin

Bases: TextPlugin

Text parser plugin for SELinux audit log (audit.log) files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

DATA_FORMAT = 'SELinux audit log (audit.log) file'

NAME = 'selinux'

VERIFICATION_GRAMMAR = {{{{{{{{Suppress:('type=') {W:(A-Z_) ^ Re:('UNKNOWN\[[0-9]+\]')}} Suppress:('msg=audit(')} Group:({{W:(0-9) Suppress:('.')} W:(0-9)})} Suppress:(':')} W:(0-9)} Suppress:('):')} rest of line} Suppress:(LineEnd)}

plaso.parsers.text_plugins.setupapi module

Text parser plugin for Windows SetupAPI log files.

Also see:

https://learn.microsoft.com/en-us/windows-hardware/drivers/install/setupapi-text-logs

class plaso.parsers.text_plugins.setupapi.SetupAPILogEventData(*args: Any, **kwargs: Any)

Bases: EventData

SetupAPI log event data.

end_time

date and time the end of the log entry was added.

Type

dfdatetime.DateTimeValues

entry_type

log entry type, for examaple “Device Install - PCIVEN_104C&DEV_8019&SUBSYS_8010104C&REV_003&61aaa01&0&38” or “Sysprep Respecialize - {804b345a-ffd7-854c-a1b5-ca9598907846}”.

Type

str

exit_status

the exit status of the logged operation.

Type

str

start_time

date and time the start of the log entry was added.

Type

dfdatetime.DateTimeValues

DATA_TYPE = 'setupapi:log:line'

class plaso.parsers.text_plugins.setupapi.SetupAPILogTextPlugin

Bases: TextPlugin

Text parser plugin for Windows SetupAPI log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

DATA_FORMAT = 'Windows SetupAPI log file'

NAME = 'setupapi'

VERIFICATION_GRAMMAR = {'[Device Install Log]' Suppress:(LineEnd)}

plaso.parsers.text_plugins.skydrivelog module

Text parser plugins for SkyDrive version 1 and 2 log files.

class plaso.parsers.text_plugins.skydrivelog.SkyDriveLog1TextPlugin

Bases: TextPlugin

Text parser plugin for SkyDrive version 1 log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

DATA_FORMAT = 'OneDrive (or SkyDrive) version 1 log file'

ENCODING = 'utf-8'

NAME = 'skydrive_log_v1'

VERIFICATION_GRAMMAR = {{{{{Group:({{{{{W:(0-9){2} Suppress:('-')} W:(0-9){2} Suppress:('-')} W:(0-9){4} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:((,.))} W:(0-9){3}) Combine:({{{{!W:(:) ':'} W:(0-9)} '!'} W:(!-~)})} quoted string, starting with ( ending with )} Suppress:(':')} rest of line} Suppress:(LineEnd)}

class plaso.parsers.text_plugins.skydrivelog.SkyDriveLog2TextPlugin

Bases: TextPluginWithLineContinuation

Text parser plugin for SkyDrive version 2 log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the parser.

Parameters

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

DATA_FORMAT = 'OneDrive (or SkyDrive) version 2 log file'

ENCODING = 'utf-8'

NAME = 'skydrive_log_v2'

VERIFICATION_GRAMMAR = {{{{{{{{Suppress:('######') 'Logging started.'} 'Version='} W:(.0-9)} Suppress:('StartSystemTime:')} Group:({{{{W:(0-9){4} Suppress:('-')} W:(0-9){2} Suppress:('-')} W:(0-9){2} Suppress:('-')} W:(0-9){2} W:(0-9){2} W:(0-9){2} Suppress:('.')} W:(0-9){3})} 'StartLocalTime:'} rest of line} Suppress:(LineEnd)}

class plaso.parsers.text_plugins.skydrivelog.SkyDriveLogEventData(*args: Any, **kwargs: Any)

Bases: EventData

SkyDrive log event data.

added_time

date and time the log entry was added.

Type

dfdatetime.DateTimeValues

detail

detail.

Type

str

log_level

log level.

Type

str

module

name of the module that generated the log message.

Type

str

source_code

source file and line number that generated the log message.

Type

str

DATA_TYPE = 'skydrive:log:entry'

plaso.parsers.text_plugins.snort_fastlog module

Text parser plugin for Snort3/Suricata fast-log alert log files.

Snort3/Suricata fast.log format is a single line log format as shown below. The following variants are known:

Snort3:

Month/Day-Hour:Minute:Second:FractionOfSeconds [**] [sid] “string” [**] [Classification: string] [Priority : int] {protocol} SOURCE_IP:SOURCE_PORT -> DESTINATION_IP:DESTINATION_PORT

Suricata:

Year/Month/Day-Hour:Minute:Second:FractionOfSeconds [**] [sid] string [**] [Classification: string] [Priority : int] {protocol} SOURCE_IP:SOURCE_PORT -> DESTINATION_IP:DESTINATION_PORT

Also see:

https://suricata.readthedocs.io/en/suricata-6.0.0/configuration/suricata-yaml.html#line-based-alerts-log-fast-log

class plaso.parsers.text_plugins.snort_fastlog.SnortFastAlertEventData(*args: Any, **kwargs: Any)

Bases: EventData

Snort3/Suricata fast-log alert event data.

classification

classification of the alert.

Type

str

destination_ip

destination IP-address.

Type

str

destination_port

destination TCP/UDP port number.

Type

int

last_written_time

entry last written date and time.

Type

dfdatetime.DateTimeValues

message

message associated with the alert.

Type

str

priority

priorty, ranging from 1 (high) to 4 (very low).

Type

int

rule_identifier

identifier of the Snort3/Suricata rule that generated the alert.

Type

str

source_ip

source IP-address.

Type

str

source_port

source TCP/UDP port number.

Type

int

DATA_TYPE = 'snort:fastlog:alert'

class plaso.parsers.text_plugins.snort_fastlog.SnortFastLogTextPlugin

Bases: TextPlugin, YearLessLogFormatHelper

Text parser plugin for Snort3/Suricata fast-log alert log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

DATA_FORMAT = 'Snort3/Suricata fast-log alert log (fast.log) file'

NAME = 'snort_fastlog'

VERIFICATION_GRAMMAR = {{{{{{{{{{{{{W:(0-9){2} Suppress:('/')} {W:(0-9){2} Suppress:('/')} W:(0-9){2} | {W:(0-9){2} Suppress:('/')} W:(0-9){2}} Suppress:('-')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:('.')} W:(0-9){6} Suppress:('[**]')} {{Suppress:('[') Combine:({{{{W:(0-9) ':'} W:(0-9)} ':'} W:(0-9)})} Suppress:(']')} {{[Suppress:('"')] Combine:({{W:(!#-Z\-~) | <SP>}}...)} [Suppress:('"')]} Suppress:('[**]')} [{Suppress:('[Classification:') Re:('[^]]*')} Suppress:(']')]} [{Suppress:('[Priority:') W:(0-9)} Suppress:(']')]} Suppress:('{')} W:(0-9A-Za-z)} Suppress:('}')} {{IPv4 address | IPv6 address} ^ {{{IPv4 address | IPv6 address} Suppress:(':')} W:(0-9)} Suppress:('->')} {{IPv4 address | IPv6 address} ^ {{{IPv4 address | IPv6 address} Suppress:(':')} W:(0-9)} Suppress:(LineEnd)}

plaso.parsers.text_plugins.sophos_av module

Text parser plugin for Sophos anti-virus logs (SAV.txt) files.

Also see:

https://support.sophos.com/support/s/article/KB-000033745?language=en_US

class plaso.parsers.text_plugins.sophos_av.SophosAVLogEventData(*args: Any, **kwargs: Any)

Bases: EventData

Sophos anti-virus log event data.

added_time

date and time the log entry was added.

Type

dfdatetime.DateTimeValues

text

Sophos anti-virus log message.

Type

str

DATA_TYPE = 'sophos:av:log'

class plaso.parsers.text_plugins.sophos_av.SophosAVLogTextPlugin

Bases: TextPlugin

Text parser plugin for Sophos anti-virus logs (SAV.txt) files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

DATA_FORMAT = 'Sophos anti-virus log file (SAV.txt) file'

ENCODING = 'utf-16-le'

NAME = 'sophos_av'

VERIFICATION_GRAMMAR = {{Group:({W:(0-9){4} W:(0-9){2}} W:(0-9){2} W:(0-9){2} W:(0-9){2} W:(0-9){2}) rest of line} Suppress:(LineEnd)}

plaso.parsers.text_plugins.syslog module

Text parser plugin for syslog log files.

Also see:

https://www.rsyslog.com/doc/v8-stable/configuration/templates.html

class plaso.parsers.text_plugins.syslog.BaseSyslogTextPlugin

Bases: TextPlugin

Shared functionality for syslog log file text parser plugins.

class plaso.parsers.text_plugins.syslog.SyslogCommentEventData(*args: Any, **kwargs: Any)

Bases: EventData

Syslog comment event data.

body

message body.

Type

str

last_written_time

entry last written date and time.

Type

dfdatetime.DateTimeValues

DATA_TYPE = 'syslog:comment'

class plaso.parsers.text_plugins.syslog.SyslogCronTaskRunEventData(*args: Any, **kwargs: Any)

Bases: SyslogLineEventData

Syslog cron task run event data.

command

command executed.

Type

str

last_written_time

entry last written date and time.

Type

dfdatetime.DateTimeValues

username

name of user the command was executed.

Type

str

DATA_TYPE = 'syslog:cron:task_run'

class plaso.parsers.text_plugins.syslog.SyslogLineEventData(*args: Any, **kwargs: Any)

Bases: EventData

Syslog line event data.

body

message body.

Type

str

hostname

hostname of the reporter.

Type

str

last_written_time

entry last written date and time.

Type

dfdatetime.DateTimeValues

pid

process identifier of the reporter.

Type

str

reporter

reporter.

Type

str

severity

severity.

Type

str

DATA_TYPE = 'syslog:line'

class plaso.parsers.text_plugins.syslog.SyslogSSHEventData(*args: Any, **kwargs: Any)

Bases: SyslogLineEventData

SSH event data.

authentication_method

authentication method.

Type

str

fingerprint

fingerprint.

Type

str

ip_address

IP address.

Type

str

last_written_time

entry last written date and time.

Type

dfdatetime.DateTimeValues

port

port.

Type

str

protocol

protocol.

Type

str

username

name of user the command was executed.

Type

str

class plaso.parsers.text_plugins.syslog.SyslogSSHFailedConnectionEventData(*args: Any, **kwargs: Any)

Bases: SyslogSSHEventData

SSH failed connection event data.

DATA_TYPE = 'syslog:ssh:failed_connection'

class plaso.parsers.text_plugins.syslog.SyslogSSHLoginEventData(*args: Any, **kwargs: Any)

Bases: SyslogSSHEventData

SSH login event data.

DATA_TYPE = 'syslog:ssh:login'

class plaso.parsers.text_plugins.syslog.SyslogSSHOpenedConnectionEventData(*args: Any, **kwargs: Any)

Bases: SyslogSSHEventData

SSH opened connection event data.

DATA_TYPE = 'syslog:ssh:opened_connection'

class plaso.parsers.text_plugins.syslog.SyslogTextPlugin

Bases: BaseSyslogTextPlugin

Text parser plugin for syslog log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the parser.

Parameters

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

DATA_FORMAT = 'System log (syslog) file'

ENCODING = 'utf-8'

NAME = 'syslog'

VERIFICATION_GRAMMAR = {{{{{{{{{{{W:(0-9){4} Suppress:('-')} W:(0-9){2} Suppress:('-')} W:(0-9){2} Suppress:('T')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:('.')} W:(0-9){6} (+-)} W:(0-9){2} [Suppress:(':') W:(0-9){2}]} {{{{EMERG | ALERT | CRIT | ERR | WARNING | NOTICE | INFO | DEBUG W:(!-9;=-Z\-~)} [Suppress:(':')]} [{Suppress:('[') W:(0-9){1,5}} Suppress:(']')]} ^ {{{W:(!-~) W:(!-9;=-Z\-~)} [{Suppress:('[') W:(0-9){1,5}} Suppress:(']')]} [{Suppress:('<') W:(!-9;-=?-~)} Suppress:('>')]} [Suppress:(':')]} Re:('.*?(?=($|\n\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})|($|\n\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6}[\+|-]\d{2}:\d{2}\s)|($|\n<\d{1,3}>1\s\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6}[\+|-]\d{2}:\d{2}\s))')} Suppress:(LineEnd)} ^ {{{{{{{{Suppress:('<') W:(0-9){1,2}} Suppress:('>')} Suppress:((0-9))} {{{{{{{{W:(0-9){4} Suppress:('-')} W:(0-9){2} Suppress:('-')} W:(0-9){2} Suppress:('T')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:('.')} W:(0-9){6} (+-)} W:(0-9){2} [Suppress:(':') W:(0-9){2}]} W:(!-~)} W:(!-9;=-Z\-~)} {Suppress:('-') ^ W:(0-9){1,5} W:(!-~)} W:(!-~)} Re:('.*?(?=($|\n\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})|($|\n\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6}[\+|-]\d{2}:\d{2}\s)|($|\n<\d{1,3}>1\s\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6}[\+|-]\d{2}:\d{2}\s))')} Suppress:(LineEnd)}}

class plaso.parsers.text_plugins.syslog.TraditionalSyslogTextPlugin

Bases: BaseSyslogTextPlugin, YearLessLogFormatHelper

Text parser plugin for traditional syslog log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the parser.

Parameters

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

DATA_FORMAT = 'Traditional system log (syslog) file'

ENCODING = 'utf-8'

NAME = 'syslog_traditional'

VERIFICATION_GRAMMAR = Re:('(?P<date_time>(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) ( [1-9]|[1-9][0-9]) [0-9]{2}:[0-9]{2}:[0-9]{2}) \S+ .*\n')

plaso.parsers.text_plugins.viminfo module

Text parser plugin for viminfo files.

class plaso.parsers.text_plugins.viminfo.VimInfoEventData(*args: Any, **kwargs: Any)

Bases: EventData

VimInfo event data.

filename

the name of the file that was opened/edited.

Type

str

history_type

the Vim history type.

Type

str

history_value

the Vim history value.

Type

str

item_number

the item number of the history type.

Type

int

recorded_time

date and time the log entry was recorded.

Type

dfdatetime.DateTimeValues

DATA_TYPE = 'viminfo:history'

class plaso.parsers.text_plugins.viminfo.VimInfoTextPlugin

Bases: TextPlugin

Parses events from Viminfo files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the parser.

Parameters

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

DATA_FORMAT = 'Viminfo file'

ENCODING = 'utf-8'

NAME = 'viminfo'

VERIFICATION_GRAMMAR = {{'# This viminfo file was generated by Vim ' W:(.0-9)} Suppress:(LineEnd)} {{'# You may edit it if ' {"you're careful!" ^ 'you are careful!'}} Suppress:(LineEnd)} {'# Viminfo version' Suppress:(LineEnd)} {{'|' W:(,0-9)} Suppress:(LineEnd)} {"# Value of 'encoding' when this file was written" Suppress:(LineEnd)} {{{'*' 'encoding='} W:(-0-9A-Za-z)} Suppress:(LineEnd)}

plaso.parsers.text_plugins.vsftpd module

Text parser plugin for vsftpd log files.

class plaso.parsers.text_plugins.vsftpd.VsftpdLogEventData(*args: Any, **kwargs: Any)

Bases: EventData

vsftpd log event data.

added_time

date and time the log entry was added.

Type

dfdatetime.DateTimeValues

text

vsftpd log message.

Type

str

DATA_TYPE = 'vsftpd:log'

class plaso.parsers.text_plugins.vsftpd.VsftpdLogTextPlugin

Bases: TextPlugin

Text parser plugin for vsftpd log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

DATA_FORMAT = 'vsftpd log file'

NAME = 'vsftpd'

VERIFICATION_GRAMMAR = {{Group:({{{W:(A-Za-z){3} W:(A-Za-z){3}} W:(0-9){1,2} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} W:(0-9){4}) rest of line} Suppress:(LineEnd)}

plaso.parsers.text_plugins.winfirewall module

Text parser plugin for Windows Firewall Log files.

class plaso.parsers.text_plugins.winfirewall.WinFirewallEventData(*args: Any, **kwargs: Any)

Bases: EventData

Windows Firewall event data.

action

action taken.

Type

str

destination_ip

destination IP address.

Type

str

destination_port

TCP or UDP destination port.

Type

int

icmp_code

ICMP code.

Type

int

icmp_type

ICMP type.

Type

int

information

additional information.

Type

str

last_written_time

entry last written date and time.

Type

dfdatetime.DateTimeValues

packet_size

packet size.

Type

int

path

direction of the communication, which can be: SEND, RECEIVE, FORWARD, and UNKNOWN.

Type

str

protocol

IP protocol.

Type

str

source_ip

source IP address.

Type

str

source_port

TCP or UDP source port.

Type

int

tcp_ack

TCP acknowledgement number.

Type

int

tcp_flags

TCP flags.

Type

str

tcp_sequence_number

TCP sequence number.

Type

int

tcp_window_size

TCP window size.

Type

int

DATA_TYPE = 'windows:firewall_log:entry'

class plaso.parsers.text_plugins.winfirewall.WinFirewallLogTextPlugin

Bases: TextPlugin

Text parser plugin for Windows Firewall Log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

DATA_FORMAT = 'Windows Firewall log file'

ENCODING = None

NAME = 'winfirewall'

VERIFICATION_GRAMMAR = {{[{Re:('#(Fields|Time Format|Version): .*') Suppress:(LineEnd)}]... Re:('#Software: Microsoft Windows Firewall')} Suppress:(LineEnd)}

VERIFICATION_LITERALS = ['#Software: Microsoft Windows Firewall ']

plaso.parsers.text_plugins.xchatlog module

Text parser plugin for XChat log files.

Information updated 24 July 2013.

The parser applies to XChat log files. Despite their apparent simplicity it’s not straightforward to manage every possible case. XChat tool allows users to specify how timestamp will be encoded (using the strftime function), by letting them specify additional separators. This parser will accept only the simplest default English form of an XChat log file, as the following:

**** BEGIN LOGGING AT Mon Dec 31 21:11:55 2001
dec 31 21:11:55 --> You are now talking on #gugle
dec 31 21:11:55 --- Topic for #gugle is plaso, nobody knows what it means
dec 31 21:11:55 Topic for #gugle set by Kristinn
dec 31 21:11:55 --- Joachim gives voice to fpi
dec 31 21:11:55 *   XChat here
dec 31 21:11:58 <fpi> ola plas-ing guys!
dec 31 21:12:00 <Kristinn> ftw!

It could be managed the missing month/day case too, by extracting the month/day information from the header. But the parser logic would become intricate, since it would need to manage day transition, chat lines crossing the midnight. From there derives the last day of the year bug, since the parser will not manage that transition.

Moreover the strftime is locale-dependent, so month names, footer and headers can change, even inside the same log file. Being said that, the following will be the main logic used to parse the log files (note that the first header must be ‘**** BEGIN …’ otherwise file will be skipped).

1) Check for ‘****’ 1.1) If ‘BEGIN LOGGING AT’ (English) 1.1.1) Extract the YEAR 1.1.2) Generate new event start logging 1.1.3) set parsing = True 1.2) If ‘END LOGGING’ 1.2.1) If parsing, set parsing=False 1.2.2) If not parsing, log debug 1.2.3) Generate new event end logging 1.3) If not BEGIN|END we are facing a different language and we don’t now which language! If parsing is True, set parsing=False and log debug 2) Not ‘****’ so we are parsing a line 2.1) If parsing = True, try to parse line and generate event 2.2) If parsing = False, skip until next good header is found

Also see:

http://xchat.org

class plaso.parsers.text_plugins.xchatlog.XChatLogEventData(*args: Any, **kwargs: Any)

Bases: EventData

XChat Log event data.

added_time

date and time the log entry was added.

Type

dfdatetime.DateTimeValues

nickname

nickname.

Type

str

text

text sent by nickname or other text (server, messages, etc.).

Type

str

DATA_TYPE = 'xchat:log:line'

class plaso.parsers.text_plugins.xchatlog.XChatLogTextPlugin

Bases: TextPlugin, YearLessLogFormatHelper

Text parser plugin for XChat log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

DATA_FORMAT = 'XChat log file'

ENCODING = 'utf-8'

NAME = 'xchatlog'

VERIFICATION_GRAMMAR = {{{Suppress:('****') Group:({{W:(!-~) W:(!-~)} W:(!-~)})} Group:({{{Group:({{{{{{'Sun' | 'Mon'} | 'Tue'} | 'Wed'} | 'Thu'} | 'Fri'} | 'Sat'}) W:(A-Za-z){3}} W:(0-9){1,2} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} W:(0-9){4})} Suppress:(LineEnd)}

plaso.parsers.text_plugins.xchatscrollback module

Text parser plugin for XChat scrollback log files.

Information updated 06 September 2013.

Besides the logging capability, the XChat IRC client has the option to record the text for opened tabs. So, when rejoining a particular channel and/or a particular conversation, XChat will display the last messages exchanged. This artifact could be present, if not disabled, even if normal logging is disabled.

From the XChat FAQ (http://xchat.org/faq):

Q: ‘How do I keep text from previous sessions from being displayed when I join a channel?’ R: ‘Starting in XChat 2.8.4, XChat implemented the Scrollback feature which displays text from the last time you had a particular tab open. To disable this setting for all channels, Go to Settings -> Preferences -> Logging and uncheck Display scrollback from previous session. In XChat 2.8.6, XChat implemented both Per Channel Logging, and Per Channel Scrollbacks. If you are on 2.8.6 or newer, you can disable loading scrollback for just one particular tab name by right clicking on the tab name, selecting Settings, and then unchecking Reload scrollback’

The log file format differs from logging format, but it’s quite simple ‘T 1232315916 Python interface unloaded’ <T><space><decimal timestamp><space><text><n>

The time reported in the log is the number of seconds since January 1, 1970 00:00:00 UTC (from source code, time(0)). The <text> part could contain some ‘decorators’ (bold, underline, colors indication, etc.), so the parser should strip those control fields.

Also see:

http://xchat.org

class plaso.parsers.text_plugins.xchatscrollback.XChatScrollbackEventData(*args: Any, **kwargs: Any)

Bases: EventData

XChat Scrollback line event data.

added_time

date and time the log entry was added.

Type

dfdatetime.DateTimeValues

nickname

nickname.

Type

str

text

text sent by nickname service messages.

Type

str

DATA_TYPE = 'xchat:scrollback:line'

class plaso.parsers.text_plugins.xchatscrollback.XChatScrollbackLogTextPlugin

Bases: TextPlugin

Text parser plugin for XChat scrollback log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

DATA_FORMAT = 'XChat scrollback log file'

ENCODING = 'utf-8'

NAME = 'xchatscrollback'

VERIFICATION_GRAMMAR = Re:('T (?P<timestamp>\d{1,10}) (?P<raw_text>.*)\n')

plaso.parsers.text_plugins.zsh_extended_history module

Text parser plugin for ZSH extended_history files.

References

https://zsh.sourceforge.io/Doc/Release/Options.html#index-EXTENDEDHISTORY

class plaso.parsers.text_plugins.zsh_extended_history.ZshExtendedHistoryTextPlugin

Bases: TextPluginWithLineContinuation

Text parser plugin for ZSH extended history files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the parser.

Parameters

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

DATA_FORMAT = 'ZSH extended history file'

ENCODING = 'utf-8'

NAME = 'zsh_extended_history'

VERIFICATION_GRAMMAR = {{Re:(': [0-9]+:[0-9]+;\S') rest of line} Suppress:(LineEnd)}

class plaso.parsers.text_plugins.zsh_extended_history.ZshHistoryEventData(*args: Any, **kwargs: Any)

Bases: EventData

ZSH history event data.

command

command that was run.

Type

str

elapsed_seconds

number of seconds that the command took to execute.

Type

int

last_written_time

entry last written date and time.

Type

dfdatetime.DateTimeValues

DATA_TYPE = 'shell:zsh:history'

Module contents

Imports for the text parser.