"""Text parser plugin for Atlassian Jira log files.
This is for the atlassian-jira.log file, one of multiple log files
produced by a Jira DC/Server installation.
"""
import pyparsing
from dfdatetime import time_elements as dfdatetime_time_elements
from plaso.containers import events
from plaso.lib import errors
from plaso.parsers import text_parser
from plaso.parsers.text_plugins import interface
[docs]
class AtlassianJiraEventData(events.EventData):
"""Jira event data.
Attributes:
body (str): the freeform body of the log line.
level (str): the logging level of the event.
logger_class (str): the Jira class responsible for logging.
logger_method (str): name of the method within the class.
thread (str): the Jira thread from which the log event originated.
written_time (dfdatetime.DateTimeValues): entry written date and time.
"""
DATA_TYPE = 'atlassian:jira:line'
[docs]
def __init__(self):
"""Initializes event data."""
super().__init__(data_type=self.DATA_TYPE)
self.body = None
self.level = None
self.logger_class = None
self.logger_method = None
self.thread = None
self.written_time = None
[docs]
class AtlassianJiraTextPlugin(interface.TextPlugin):
"""Text parser plugin for Atlassian Jira log files."""
NAME = 'atlassian_jira'
DATA_FORMAT = 'Atlassian Jira log file'
ENCODING = 'utf-8'
_TWO_DIGITS = pyparsing.Word(pyparsing.nums, exact=2).set_parse_action(
lambda tokens: int(tokens[0], 10))
_THREE_DIGITS = pyparsing.Word(pyparsing.nums, exact=3).set_parse_action(
lambda tokens: int(tokens[0], 10))
_FOUR_DIGITS = pyparsing.Word(pyparsing.nums, exact=4).set_parse_action(
lambda tokens: int(tokens[0], 10))
# Jira log levels
_JIRA_LEVELS = [
'DEBUG', 'INFO', 'WARN', 'ERROR', 'FATAL']
# Date and time format: 2022-07-12 01:08:59,489
# Format: YYYY-MM-DD HH:MM:SS,mmm (comma-separated milliseconds)
_DATE_TIME = (
_FOUR_DIGITS + pyparsing.Suppress('-') + _TWO_DIGITS +
pyparsing.Suppress('-') + _TWO_DIGITS + _TWO_DIGITS +
pyparsing.Suppress(':') + _TWO_DIGITS + pyparsing.Suppress(':') +
_TWO_DIGITS + pyparsing.Suppress(',') + _THREE_DIGITS).set_results_name(
'date_time')
# Log level (DEBUG, INFO, WARN, ERROR, FATAL)
_LOG_LEVEL = pyparsing.oneOf(_JIRA_LEVELS).set_results_name('level')
# Thread name enclosed in brackets: [http-nio-8080-exec-1]
# or [Caesium-1-4] or [scheduler_Worker-1]
# Allows alphanumerics, hyphens, underscores, dots, colons, and spaces
_JIRA_THREAD = (
pyparsing.Suppress('[') +
pyparsing.Word(
pyparsing.alphanums + '-_.:' + ' ').set_results_name('thread') +
pyparsing.Suppress(']'))
# Logger class name enclosed in brackets
# [com.atlassian.jira.startup.JiraStartupLogger]
_JIRA_LOGGER = (
pyparsing.Suppress('[') +
pyparsing.SkipTo(']').set_results_name('logger_class') +
pyparsing.Suppress(']'))
# Logger method name: start, doFilter, <init>, lambda$execute$0
_JIRA_LOGGER_METHOD = (
pyparsing.Word(
pyparsing.alphanums + '_$<>').set_results_name('logger_method'))
# Log message body - rest of line
_JIRA_LOG_MESSAGE = pyparsing.SkipTo(
pyparsing.LineEnd()).set_results_name('body')
# Complete log line structure
# Format: <timestamp> <level> [<thread>] [<logger_class>] <method> <message>
_JIRA_LOG_LINE = (
_DATE_TIME +
_LOG_LEVEL +
_JIRA_THREAD +
_JIRA_LOGGER +
_JIRA_LOGGER_METHOD +
_JIRA_LOG_MESSAGE)
_LINE_STRUCTURES = [('log_entry', _JIRA_LOG_LINE)]
VERIFICATION_GRAMMAR = _JIRA_LOG_LINE
def _ParseRecord(self, parser_mediator, key, structure):
"""Parses a pyparsing structure.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfVFS.
key (str): name of the parsed structure.
structure (pyparsing.ParseResults): tokens from a parsed log line.
Raises:
ParseError: if the structure cannot be parsed.
"""
if key != 'log_entry':
raise errors.ParseError(
f'Unable to parse record, unknown structure: {key:s}')
time_elements_structure = self._GetValueFromStructure(
structure, 'date_time')
event_data = AtlassianJiraEventData()
event_data.body = self._GetValueFromStructure(
structure, 'body', default_value='').strip() or None
event_data.level = self._GetValueFromStructure(structure, 'level')
event_data.logger_class = self._GetValueFromStructure(
structure, 'logger_class')
event_data.logger_method = self._GetValueFromStructure(
structure, 'logger_method')
event_data.thread = self._GetValueFromStructure(structure, 'thread')
event_data.written_time = self._ParseTimeElements(time_elements_structure)
parser_mediator.ProduceEventData(event_data)
def _ParseTimeElements(self, time_elements_structure):
"""Parses date and time elements of a log line.
Args:
time_elements_structure (pyparsing.ParseResults): date and time elements
of a log line.
Returns:
dfdatetime.TimeElements: date and time value.
Raises:
ParseError: if a valid date and time value cannot be derived from
the time elements.
"""
try:
date_time = dfdatetime_time_elements.TimeElementsInMilliseconds(
time_elements_tuple=time_elements_structure)
date_time.is_local_time = True
return date_time
except (IndexError, TypeError, ValueError) as exception:
raise errors.ParseError(
f'Unable to parse time elements with error: {exception!s}')
[docs]
def CheckRequiredFormat(self, parser_mediator, text_reader):
"""Check if the log record has the minimal structure required.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfVFS.
text_reader (EncodedTextReader): text reader.
Returns:
bool: True if this is the correct plugin, False otherwise.
"""
try:
structure = self._VerifyString(text_reader.lines)
except errors.ParseError:
return False
time_elements_structure = self._GetValueFromStructure(
structure, 'date_time')
try:
self._ParseTimeElements(time_elements_structure)
except errors.ParseError:
return False
return True
text_parser.TextLogParser.RegisterPlugin(AtlassianJiraTextPlugin)