How to write an analysis plugin
Create file and class
Plugin file in plaso/analysis/
Create an empty subclass of plaso.analysis.interface.AnalysisPlugin
Register it with the analysis plugin manager by calling AnalysisPluginManager.RegisterPlugin
Test file in tests/analysis/
Create an empty subclass of tests.analysis.test_lib.AnalysisPluginTestCase
Write minimal tests
Write a test that loads your plugin
It will fail initially, but running the test while you’re developing your plugin gives you a quick way to see if your code is doing what you expect.
Implement your subclass of plaso.analysis.interface.AnalysisPlugin
You’ll need to define/override:
You may also want to override:
ENABLE_IN_EXTRACTION, if your plugin is eligible to run while Plaso is extracting events.
Add additional tests that test your plugin
__init__.py to import your plugin in the correct alphabetical order.