plaso.parsers.text_plugins package

Submodules

plaso.parsers.text_plugins.android_logcat module

Text parser plugin for Android logcat files.

Android logcat can have a number of output formats. This parser supports: * ‘threadtime’ format * ‘time’ format

The log file format is: date time PID-TID/package priority/tag: message

For example: 12-10 13:02:50.071 1901-4229/com.google.android.gms V/AuthZen: Handling delegate intent.

Where priority is: V: Verbose (lowest priority) D: Debug I: Info W: Warning E: Error A: Assert

In addition, support for the format modifiers: * date with a year * user identifier (uid) * microseconds fraction of second precision (usec) * time zone offset

Also see:

https://developer.android.com/studio/debug/logcat

class plaso.parsers.text_plugins.android_logcat.AndroidLogcatEventData(*args: Any, **kwargs: Any)

Bases: EventData

Android logcat event data.

component_tag

the tag that indicates the system component from which the logcat line originates.

Type:

str

file_offset

the file offset of where the log message was parsed.

Type:

int

message

the log message.

Type:

str

pid

process identifier (PID) that created the logcat line.

Type:

int

priority

a character in the set {V, D, I, W, E, F, S}, which is ordered from lowest to highest priority.

Type:

str

recorded_time

date and time the log entry was recorded.

Type:

dfdatetime.DateTimeValues

thread_identifier

thread identifier (TID) that created the logcat line.

Type:

int

user_identifier

the user identifier (UID) or Android ID of the logged process.

Type:

int

DATA_TYPE = 'android:logcat'

__init__()

Initializes event data.

class plaso.parsers.text_plugins.android_logcat.AndroidLogcatTextPlugin

Bases: TextPlugin, DateLessLogFormatHelper

Text parser plugin for Android logcat files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns:

True if this is the correct plugin, False otherwise.

Return type:

bool

DATA_FORMAT = 'Android logcat file'

ENCODING = 'utf-8'

NAME = 'android_logcat'

VERIFICATION_GRAMMAR = {{{Suppress:('--------- beginning of ') events | kernel | main | radio | system} Suppress:(end of line)} ^ {{{{{{{{W:(0-9){4} Suppress:('-')} W:(0-9){2} Suppress:('-')} W:(0-9){2} ^ {W:(0-9){2} Suppress:('-')} W:(0-9){2}} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:('.')} {W:(0-9){3} ^ W:(0-9){6} [(+-) W:(0-9){2}} W:(0-9){2]} {{{{{W:(0-9) {W:(0-9) W:(0-9)}} ^ {W:(0-9) W:(0-9)}} (D-FISVW)} [W:( -9;-~)]} ^ {{{(D-FISVW) Suppress:('/')} W:( -')-~)} Suppress:('(')} {W:(0-9) ^ {{W:(0-9) Suppress:(':')} W:(0-9)} Suppress:(')')} Suppress:(': ')} rest of line} Suppress:(end of line)}}

plaso.parsers.text_plugins.apache_access module

Text parser plugin for Apache access log (access.log) files.

Parser based on the two default apache formats, common and combined log format defined in https://httpd.apache.org/docs/2.4/logs.html

class plaso.parsers.text_plugins.apache_access.ApacheAccessLogEventData(*args: Any, **kwargs: Any)

Bases: EventData

Apache access log event data.

http_request_referer

http request referer header information.

Type:

str

http_request

first line of http request.

Type:

str

http_request_user_agent

http request user agent header information.

Type:

str

http_response_bytes

http response bytes size without headers.

Type:

int

http_response_code

http response code from server.

Type:

int

ip_address

IPv4 or IPv6 addresses.

Type:

str

port_number

canonical port of the server serving the request.

Type:

int

recorded_time

date and time the log entry was recorded.

Type:

dfdatetime.DateTimeValues

remote_name

remote logname (from identd, if supplied).

Type:

str

server_name

canonical hostname of the server serving the request.

Type:

str

user_name

logged user name.

Type:

str

DATA_TYPE = 'apache:access_log:entry'

__init__()

Initializes event data.

class plaso.parsers.text_plugins.apache_access.ApacheAccessLogTextPlugin

Bases: TextPlugin

Text parser plugin for Apache access log (access.log) files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns:

True if this is the correct plugin, False otherwise.

Return type:

bool

DATA_FORMAT = 'Apache access log (access.log) file'

NAME = 'apache_access'

VERIFICATION_GRAMMAR = {{{{{{{IPv4 address | IPv6 address} {W:(0-9A-Za-z) | '-'} {{W:(.0-9@-Za-z) | W:(0-9A-Za-z)} | '-'} Group:({{{{{{{Suppress:('[') W:(0-9){2}} Suppress:('/')} W:(A-Za-z){3} Suppress:('/')} W:(0-9){4} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} {(+-) W:(0-9){2}} W:(0-9){2} Suppress:(']')})} {{Suppress:('"') Group:({{CONNECT | DELETE | GET | HEAD | OPTIONS | PATCH | POST | PUT | TRACE Re:('\\S*')} Combine:({'HTTP/' W:(.0-9)})})} Suppress:('"')} W:(0-9)} {'-' | W:(0-9)} string enclosed in '"'} {{Suppress:('"') !W:(")} Suppress:('"')} Suppress:(end of line)} ^ {{{{IPv4 address | IPv6 address} {W:(0-9A-Za-z) | '-'} {{W:(.0-9@-Za-z) | W:(0-9A-Za-z)} | '-'} Group:({{{{{{{Suppress:('[') W:(0-9){2}} Suppress:('/')} W:(A-Za-z){3} Suppress:('/')} W:(0-9){4} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} {(+-) W:(0-9){2}} W:(0-9){2} Suppress:(']')})} {{Suppress:('"') Group:({{CONNECT | DELETE | GET | HEAD | OPTIONS | PATCH | POST | PUT | TRACE Re:('\\S*')} Combine:({'HTTP/' W:(.0-9)})})} Suppress:('"')} W:(0-9)} {'-' | W:(0-9)} Suppress:(end of line)}} ^ {{{{{{W:(-.0-9A-Za-z) Suppress:(':')} W:(0-9)} {IPv4 address | IPv6 address} {W:(0-9A-Za-z) | '-'} {{W:(.0-9@-Za-z) | W:(0-9A-Za-z)} | '-'} Group:({{{{{{{Suppress:('[') W:(0-9){2}} Suppress:('/')} W:(A-Za-z){3} Suppress:('/')} W:(0-9){4} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} {(+-) W:(0-9){2}} W:(0-9){2} Suppress:(']')})} {{Suppress:('"') Group:({{CONNECT | DELETE | GET | HEAD | OPTIONS | PATCH | POST | PUT | TRACE Re:('\\S*')} Combine:({'HTTP/' W:(.0-9)})})} Suppress:('"')} W:(0-9)} {'-' | W:(0-9)} string enclosed in '"'} {{Suppress:('"') !W:(")} Suppress:('"')} Suppress:(end of line)}}

VERIFICATION_LITERALS = ['"CONNECT ', '"DELETE ', '"GET ', '"HEAD ', ' HTTP/', '"OPTIONS ', '"PATCH ', '"POST ', '"PUT ', '"TRACE ']

plaso.parsers.text_plugins.apt_history module

Text parser plugin for Advanced Packaging Tool (APT) History log files.

class plaso.parsers.text_plugins.apt_history.APTHistoryLogEventData(*args: Any, **kwargs: Any)

Bases: EventData

APT History log event data.

command

command.

Type:

str

command_line

command line.

Type:

str

end_time

date and time the end of the log entry was added.

Type:

dfdatetime.DateTimeValues

error

reported error.

Type:

str

packages

packages that were affected.

Type:

str

requester

user requesting the activity.

Type:

str

start_time

date and time the start of the log entry was added.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'linux:apt_history_log:entry'

__init__()

Initializes event data.

class plaso.parsers.text_plugins.apt_history.APTHistoryLogTextPlugin

Bases: TextPlugin

Text parser plugin for Advanced Packaging Tool (APT) History log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns:

True if this is the correct plugin, False otherwise.

Return type:

bool

DATA_FORMAT = 'Advanced Packaging Tool (APT) History log file'

ENCODING = 'utf-8'

NAME = 'apt_history'

VERIFICATION_GRAMMAR = {[Suppress:(end of line)]... {{'Start-Date:' Re:('(?P<date_time>[0-9]{4}-[0-9]{2}-[0-9]{2}  [0-9]{2}:[0-9]{2}:[0-9]{2})')} Suppress:(end of line)}}

VERIFICATION_LITERALS = ['Commandline:', 'Downgrade:', 'Error:', 'Install:', 'Purge:', 'Remove:', 'Requested-By:', 'Start-Date:', 'Upgrade:']

__init__()

Initializes a text parser plugin.

plaso.parsers.text_plugins.aws_elb_access module

Text parser plugin for AWS ELB access logs.

The AWS documentation is not clear about the meaning of the “target_port_list” field. The assumption is that it refers to a list of possible backend instances’ IP addresses that could receive the client’s request. This parser stores the “target_port_list” data in the “destination_list” attribute of an EventData object.

Also see:

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/access-log-collection.html https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-access-logs.html

class plaso.parsers.text_plugins.aws_elb_access.AWSELBEventData(*args: Any, **kwargs: Any)

Bases: EventData

AWS Elastic Load Balancer access log event data.

actions_executed

The actions taken when processing the request.

Type:

str

alpn_back_end_protocol

The application protocol negotiated with the target, in string format. If no ALPN policy is configured in the TLS listener, no matching protocol is found, or no valid protocol list is sent, this value is set to -. (only for network load balancer logs)

Type:

str

alpn_client_preference_list

The value of the application_layer_protocol_negotiation extension in the client hello message. This value is URL-encoded. Each protocol is enclosed in double quotes and protocols are separated by a comma. If no ALPN policy is configured in the TLS listener, no valid client hello message is sent, or the extension is not present, this value is set to -. The string is truncated if it is longer than 256 bytes. (only for network load balancer logs)

Type:

str

alpn_front_end_protocol

The application protocol negotiated with the client, in string format. If no ALPN policy is configured in the TLS listener, no matching protocol is found, or no valid protocol list is sent, this value is set to -. (only for network load balancer logs)

Type:

str

chosen_cert_arn

The ARN of the certificate presented to the source.

Type:

str

chosen_cert_serial

Reserved for future use. This value is always set to -. (only for network load balancer logs)

Type:

str

classification

The classification for desync mitigation.

Type:

str

classification_reason

The classification reason code.

Type:

str

connection_duration

duration of the connection to complete, from start to closure, in milliseconds. (only for network load balancer logs)

Type:

str

destination_group_arn

The Amazon Resource Name (ARN) of the destination group.

Type:

str

destination_ip_address

The IP address of the destination that processed this request.

Type:

str

destination_list

A space-delimited list of IP addresses and ports for the destinations that processed this request.

Type:

str

destination_port

The port of the destination that processed this request.

Type:

int

destination_processing_duration

duration from the time the load balancer sent the request to a destination until the destination started to send the response headers.

Type:

str

destination_status_code

The status code of the response from the destination.

Type:

int

destination_status_code_list

A space-delimited list of status codes.

Type:

str

domain_name

The SNI domain provided by the source during the TLS handshake.

Type:

str

error_reason

The error reason code, enclosed in double quotes.

Type:

str

handshake_duration

duration of the handshake to complete after the TCP connection is established, including client-side delays, in milliseconds. This time is included in the connection_duration field. (only for network load balancer logs)

Type:

str

incoming_tls_alert

The integer value of TLS alerts received by the load balancer from the client, if present. (only for network load balancer logs)

Type:

str

listener

The resource ID of the TLS listener for the connection. (only for network load balancer logs)

Type:

str

matched_rule_priority

The priority value of the rule that matched the request.

Type:

int

received_bytes

The size of the request, in bytes, received from the source.

Type:

int

redirect_url

The URL of the redirect destination.

Type:

str

request_processing_duration

total duration from the time the load balancer received the request until the time it sent the request to a destination.

Type:

str

request_time

date and time a request was sent.

Type:

dfdatetime.DateTimeValues

request_type

The type of request or connection.

Type:

str

resource_identifier

The resource ID of the load balancer.

Type:

str

response_processing_duration

duration of processing a response.

Type:

str

response_time

date and time a response was sent.

Type:

dfdatetime.DateTimeValues

sent_bytes

The size of the response, in bytes, sent to the source.

Type:

int

ssl_cipher

The SSL cipher of the HTTPS listener.

Type:

str

ssl_protocol

The SSL protocol of the HTTPS listener.

Type:

str

source_ip_address

The IP address of the requesting source.

Type:

str

source_port

The port of the requesting source.

Type:

int

tls_cipher

The cipher suite negotiated with the client, in OpenSSL format. If TLS negotiation does not complete, this value is set to -. (only for network load balancer logs)

Type:

str

tls_named_group

Reserved for future use. This value is always set to -. (only for network load balancer logs)

Type:

str

tls_protocol_version

The TLS protocol negotiated with the client, in string format. If TLS negotiation does not complete, this value is set to -. (only for network load balancer logs)

Type:

str

trace_identifier

The contents of the X-Amzn-Trace-Id header.

Type:

str

user_agent

A User-Agent string.

Type:

str

version

The version of the log entry. (only for network load balancer logs)

Type:

str

DATA_TYPE = 'aws:elb:access'

__init__()

Initializes event data.

class plaso.parsers.text_plugins.aws_elb_access.AWSELBTextPlugin

Bases: TextPlugin

Text parser plugin for AWS ELB access log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns:

True if this is the correct plugin, False otherwise.

Return type:

bool

DATA_FORMAT = 'AWS ELB Access log file'

ENCODING = 'utf-8'

NAME = 'aws_elb_access'

VERIFICATION_GRAMMAR = {{{{{{{{{{{{{W:(!-~) | {'"-"' | '-'}} Re:('([0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}.[0-9]{6})Z')} {W:(!-~) | {'"-"' | '-'} Group:({{IPv4 address | IPv6 address} Suppress:(':')} {W:(0-9){1,6} | {'"-"' | '-'} | {'"-"' | '-'}})} Group:({{IPv4 address | IPv6 address} Suppress:(':')} {W:(0-9){1,6} | {'"-"' | '-'} | {'"-"' | '-'}})} {W:(.0-9) | '-1'} {W:(.0-9) | '-1'} {W:(.0-9) | '-1'} {W:(0-9) | {'"-"' | '-'} {W:(0-9) | {'"-"' | '-'} {W:(0-9) | {'"-"' | '-'}} {W:(0-9) | {'"-"' | '-'}} quoted string using single or double quotes} quoted string using single or double quotes} {W:(!-~) | {'"-"' | '-'} {W:(!-~) | {'"-"' | '-'} {W:(!-~) | {'"-"' | '-'}} quoted string using single or double quotes} quoted string using single or double quotes} quoted string using single or double quotes} {W:(-, 0-9) | {W:(0-9) | {'"-"' | '-'} Re:('([0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}.[0-9]{6})Z')} quoted string using single or double quotes} quoted string using single or double quotes} quoted string using single or double quotes} quoted string using single or double quotes} quoted string using single or double quotes} quoted string using single or double quotes} quoted string using single or double quotes} Suppress:(end of line)} ^ {{Re:('([0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}.[0-9]{6})Z') {W:(!-~) | {'"-"' | '-'}}} Group:({{IPv4 address | IPv6 address} Suppress:(':')} {W:(0-9){1,6} | {'"-"' | '-'} | {'"-"' | '-'}})} Group:({{IPv4 address | IPv6 address} Suppress:(':')} {W:(0-9){1,6} | {'"-"' | '-'} | {'"-"' | '-'}})} {W:(.0-9) | '-1'} {W:(.0-9) | '-1'} {W:(.0-9) | '-1'} {W:(0-9) | {'"-"' | '-'} {W:(0-9) | {'"-"' | '-'} {W:(-, 0-9) | {W:(0-9) | {'"-"' | '-'}}} {W:(-, 0-9) | {W:(0-9) | {'"-"' | '-'}}} quoted string using single or double quotes} quoted string using single or double quotes} {W:(!-~) | {'"-"' | '-'} {W:(!-~) | {'"-"' | '-'} Suppress:(end of line)}} ^ {{W:(!-~) | {'"-"' | '-'}} {W:(!-~) | {'"-"' | '-'}} Re:('([0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2})')} {W:(!-~) | {'"-"' | '-'} {W:(!-~) | {'"-"' | '-'}} Group:({{IPv4 address | IPv6 address} Suppress:(':')} {W:(0-9){1,6} | {'"-"' | '-'} | {'"-"' | '-'}})} Group:({{IPv4 address | IPv6 address} Suppress:(':')} {W:(0-9){1,6} | {'"-"' | '-'} | {'"-"' | '-'}})} {W:(0-9) | {'"-"' | '-'} {W:(0-9) | {'"-"' | '-'} {W:(0-9) | {'"-"' | '-'}} {W:(0-9) | {'"-"' | '-'}} {W:(!-~) | {'"-"' | '-'}} {W:(!-~) | {'"-"' | '-'}} {W:(!-~) | {'"-"' | '-'}} {W:(!-~) | {'"-"' | '-'}} {W:(!-~) | {'"-"' | '-'}} {W:(!-~) | {'"-"' | '-'}} {W:(!-~) | {'"-"' | '-'}} {W:(!-~) | {'"-"' | '-'}} {W:(!-~) | {'"-"' | '-'}} {quoted string using single or double quotes | '-'} Suppress:(end of line)}}

plaso.parsers.text_plugins.bash_history module

Text parser plugin for bash history files.

class plaso.parsers.text_plugins.bash_history.BashHistoryEventData(*args: Any, **kwargs: Any)

Bases: EventData

Bash history log event data.

command

command that was executed.

Type:

str

written_time

date and time the entry was written.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'bash:history:entry'

__init__()

Initializes event data.

class plaso.parsers.text_plugins.bash_history.BashHistoryTextPlugin

Bases: TextPluginWithLineContinuation

Text parser plugin for bash history files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the parser.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns:

True if this is the correct plugin, False otherwise.

Return type:

bool

DATA_FORMAT = 'Bash history file'

ENCODING = 'utf-8'

NAME = 'bash_history'

VERIFICATION_GRAMMAR = {{Re:('#(?P<timestamp>[1-9][0-9]{8,9})\\n') {rest of line Suppress:(end of line)}} ^ {{rest of line Suppress:(end of line)} Re:('#(?P<timestamp>[1-9][0-9]{8,9})\\n')} {rest of line Suppress:(end of line)}}

__init__()

Initializes a text parser plugin.

plaso.parsers.text_plugins.confluence_access module

Text plugin for Confluence access log (conf_access_log[DATE].log) files.

Also see:

https://confluence.atlassian.com/doc/configure-access-logs-1044780567.html https://confluence.atlassian.com/confkb/audit-confluence-using-the-tomcat-valve-component-223216846.html

class plaso.parsers.text_plugins.confluence_access.ConfluenceAccessEventData(*args: Any, **kwargs: Any)

Bases: EventData

Confluence access event data.

forwarded_for

request X-FORWARDED-FOR header value.

Type:

str

http_request_method

HTTP request method.

Type:

str

http_request_referer

HTTP request referer header information.

Type:

str

http_request_uri

HTTP request URI.

Type:

str

http_request_user_agent

HTTP request user agent header information.

Type:

str

http_response_bytes

HTTP response bytes size without headers.

Type:

int

http_response_code

HTTP response code from server.

Type:

int

http_version

HTTP request version.

Type:

str

process_duration

time taken to process the request in milliseconds.

Type:

int

recorded_time

date and time the log entry was recorded.

Type:

dfdatetime.DateTimeValues

remote_name

remote hostname or IP address

Type:

str

thread_name

name of the thread that handled the request.

Type:

str

user_name

response X-AUSERNAME header value.

Type:

str

DATA_TYPE = 'confluence:access'

__init__()

Initializes event data.

class plaso.parsers.text_plugins.confluence_access.ConfluenceAccessTextPlugin

Bases: TextPlugin

Text plugin for Confluence access log (conf_access_log[DATE].log) files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns:

True if this is the correct plugin, False otherwise.

Return type:

bool

DATA_FORMAT = 'Confluence access log (access.log) file'

NAME = 'confluence_access'

VERIFICATION_GRAMMAR = {{{{{{{{{{{{Group:({{{{{{{Suppress:('[') W:(0-9){2}} Suppress:('/')} W:(A-Za-z){3} Suppress:('/')} W:(0-9){4} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} {(+-) W:(0-9){2}} W:(0-9){2} Suppress:(']')}) {{W:(.0-9@-Za-z) | W:(0-9A-Za-z)} | '-'}} W:(-0-9A-Za-z)} {{IPv4 address | IPv6 address} | W:(-.0-9A-Za-z)} CONNECT | DELETE | GET | HEAD | OPTIONS | PATCH | POST | PUT | TRACE} W:(#%&+--:<-?A-[...)} W:(.-9A-Za-z)} W:(0-9)} W:(0-9)} 'ms'} {'-' | W:(0-9)} W:(#%&+--:<-?A-[...)} rest of line} Suppress:(end of line)} ^ {{{{{{{{{{{Group:({{{{{{{Suppress:('[') W:(0-9){2}} Suppress:('/')} W:(A-Za-z){3} Suppress:('/')} W:(0-9){4} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} {(+-) W:(0-9){2}} W:(0-9){2} Suppress:(']')}) {IPv4 address | IPv6 address}} {{W:(.0-9@-Za-z) | W:(0-9A-Za-z)} | '-'} W:(-0-9A-Za-z)} {{IPv4 address | IPv6 address} | W:(-.0-9A-Za-z)} CONNECT | DELETE | GET | HEAD | OPTIONS | PATCH | POST | PUT | TRACE} W:(#%&+--:<-?A-[...)} W:(.-9A-Za-z)} W:(0-9)} W:(0-9)} 'ms'} {'-' | W:(0-9)} W:(#%&+--:<-?A-[...)} rest of line} Suppress:(end of line)}}

VERIFICATION_LITERALS = [' CONNECT ', ' DELETE ', ' GET ', ' HEAD ', ' HTTP/', ' OPTIONS ', ' PATCH ', ' POST ', ' PUT ', ' TRACE ']

plaso.parsers.text_plugins.cri module

Text file parser plugin for Container Runtime Interface (CRI) log format.

This is a text-based log format used in kubernetes/GKE.

Also see:

https://github.com/kubernetes/design-proposals-archive/blob/main/node/kubelet-cri-logging.md

class plaso.parsers.text_plugins.cri.CRIEventData(*args: Any, **kwargs: Any)

Bases: EventData

CRI log event data.

body

the log message body.

Type:

str

event_datetime

the datetime of the log message.

Type:

time_elements.TimeElementsInNanoseconds

stream

the log stream. Currently only ‘stdout’ and ‘stderr’ are supported.

Type:

str

tag

the log tag. Currently only ‘P’ (partial) and ‘F’ (full) are supported.

Type:

str

DATA_TYPE = 'cri:container:log:entry'

__init__()

Initializes event data.

class plaso.parsers.text_plugins.cri.CRITextPlugin

Bases: TextPlugin

Text file parser plugin for CRI log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the parser.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns:

True if this is the correct parser, False otherwise.

Return type:

bool

DATA_FORMAT = 'Container Runtime Interface log file'

ENCODING = 'utf-8'

NAME = 'cri_log'

VERIFICATION_GRAMMAR = {{Re:('\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}.\\d{1,9}Z') {'stderr' ^ 'stdout'}} P | F} {rest of line Suppress:(end of line)}

plaso.parsers.text_plugins.dpkg module

Text parser plugin for Debian package manager log (dpkg.log) files.

An example:

2016-08-03 15:25:53 install base-passwd:amd64 <none> 3.5.33

Log messages are of the form:

YYYY-MM-DD HH:MM:SS startup type command Where type is:

archives (with a command of unpack or install) packages (with a command of configure, triggers-only, remove or purge)

YYYY-MM-DD HH:MM:SS status state pkg installed-version

YYYY-MM-DD HH:MM:SS action pkg installed-version available-version Where action is:

install, upgrade, configure, trigproc, disappear, remove or purge.

YYYY-MM-DD HH:MM:SS conffile filename decision Where decision is install or keep.

class plaso.parsers.text_plugins.dpkg.DpkgEventData(*args: Any, **kwargs: Any)

Bases: EventData

Dpkg event data.

added_time

date and time the log entry was added.

Type:

dfdatetime.DateTimeValues

body

body of the log line.

Type:

str

DATA_TYPE = 'linux:dpkg_log:entry'

__init__()

Initializes event data.

class plaso.parsers.text_plugins.dpkg.DpkgTextPlugin

Bases: TextPlugin

Text parser plugin for Debian package manager log (dpkg.log) files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns:

True if this is the correct plugin, False otherwise.

Return type:

bool

DATA_FORMAT = 'Debian package manager log (dpkg.log) file'

ENCODING = 'utf-8'

NAME = 'dpkg'

VERIFICATION_GRAMMAR = {{Re:('(?P<date_time>[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}) ') {Combine:({{'startup' archives | packages} unpack | install | configure | triggers-only | remove | purge}) | Combine:({{{'status' W:(!-~)} W:(!-~)} W:(!-~)}) | Combine:({{{install | upgrade | configure | trigproc | disappear | remove | purge W:(!-~)} W:(!-~)} W:(!-~)}) | Combine:({{'conffile' W:(!-~)} install | keep})}} Suppress:(end of line)}

VERIFICATION_LITERALS = [' conffile ', ' configure ', ' disappear ', ' install ', ' purge ', ' remove ', ' startup ', ' status ', ' trigproc ', ' upgrade ']

plaso.parsers.text_plugins.gdrive_synclog module

Text parser plugin for Google Drive Sync log files.

class plaso.parsers.text_plugins.gdrive_synclog.GoogleDriveSyncLogEventData(*args: Any, **kwargs: Any)

Bases: EventData

Google Drive Sync log event data.

added_time

date and time the log entry was added.

Type:

dfdatetime.DateTimeValues

level

logging level of event such as “DEBUG”, “WARN”, “INFO” and “ERROR”.

Type:

str

message

log message.

Type:

str

process_identifier

process identifier of process which logged event.

Type:

int

source_code

filename:line_number of source file which logged event.

Type:

str

thread

colon-separated thread identifier in the form “ID:name” which logged event.

Type:

str

DATA_TYPE = 'google_drive_sync_log:entry'

__init__()

Initializes event data.

class plaso.parsers.text_plugins.gdrive_synclog.GoogleDriveSyncLogTextPlugin

Bases: TextPluginWithLineContinuation

Text parser plugin for Google Drive Sync log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the parser.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns:

True if this is the correct plugin, False otherwise.

Return type:

bool

DATA_FORMAT = 'Google Drive Sync log file'

ENCODING = 'utf-8'

NAME = 'gdrive_synclog'

VERIFICATION_GRAMMAR = Re:('(?P<date_time>[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}[,.][0-9]{3} [+-][0-9]{4}) [A-Z]+ pid=[0-9]+ [0-9]+:\\S+[ ]+\\S+:[0-9]+ .*\\n')

VERIFICATION_LITERALS = [' ERROR ', ' FATAL ', ' INFO ', ' pid=', ' WARNING ']

__init__()

Initializes a text parser plugin.

plaso.parsers.text_plugins.google_logging module

Text parser plugin for Google-formatted log files.

Note that this format is also used by Kubernetes.

Also see:

https://github.com/google/glog https://github.com/kubernetes/klog

class plaso.parsers.text_plugins.google_logging.GoogleLogEventData(*args: Any, **kwargs: Any)

Bases: EventData

Google-formatted log file event data.

file_name

the name of the source file that logged the message.

Type:

str

last_written_time

entry last written date and time.

Type:

dfdatetime.DateTimeValues

line_number

the line number in the source file where the logging statement is.

Type:

int

message

the log message.

Type:

str

priority

the priority of the message - I, W, E or F. These values represent messages logged at INFO, WARNING, ERROR or FATAL severities, respectively.

Type:

str

thread_identifier

the identifier of the thread that recorded the message.

Type:

int

DATA_TYPE = 'googlelog:log'

__init__(data_type='googlelog:log')

Initializes event data.

Parameters:

data_type (Optional[str]) – event data type indicator.

class plaso.parsers.text_plugins.google_logging.GoogleLogTextPlugin

Bases: TextPlugin, DateLessLogFormatHelper

Text parser plugin for Google-formatted log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the parser.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns:

True if this is the correct plugin, False otherwise.

Return type:

bool

DATA_FORMAT = 'Google-formatted log file'

NAME = 'googlelog'

VERIFICATION_GRAMMAR = {Re:('Log file created at: (?P<date_time>[0-9]{4}/[0-9]{2}/[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2})\\n') Re:('Running on machine: .*\\n')}

VERIFICATION_LITERALS = ['Log file created at: ', 'Running on machine: ']

plaso.parsers.text_plugins.iis module

Text parser plugin for Microsoft IIS log files.

class plaso.parsers.text_plugins.iis.IISEventData(*args: Any, **kwargs: Any)

Bases: EventData

IIS log event data.

cs_cookie

Content of a sent or received cookie.

Type:

str

cs_host

HTTP host header name.

Type:

str

cs_referrer

Site that referred to the requested site.

Type:

str

cs_uri_query

URI query that was requested.

Type:

str

cs_username

Username of the authenticated user that accessed the server, where anonymous users are indicated by a hyphen.

Type:

str

dest_ip

IP address of the server that generated the logged activity.

Type:

str

dest_port

Server port number.

Type:

str

http_method

HTTP request method, such as GET or POST.

Type:

str

http_status

HTTP status code that was returned by the server.

Type:

str

last_written_time

entry last written date and time.

Type:

dfdatetime.DateTimeValues

protocol_version

HTTP protocol version that was used.

Type:

str

received_bytes

Number of bytes received and processed by the server.

Type:

str

requested_uri_stem

File requested, such as index.php or Default.htm

Type:

str

s_computername

Name of the server that generated the logged activity.

Type:

str

sc_substatus

HTTP substatus error code that was returned by the server.

Type:

str

sc_win32_status

Windows status code of the server.

Type:

str

sent_bytes

Number of bytes sent by the server.

Type:

str

source_ip

IP address of the client that made the request.

Type:

str

s_sitename

Service name and instance number that was running on the client.

Type:

str

time_taken

Time taken, in milliseconds, to process the request.

Type:

str

user_agent

User agent that was used.

Type:

str

DATA_TYPE = 'iis:log:line'

__init__()

Initializes event data.

class plaso.parsers.text_plugins.iis.WinIISTextPlugin

Bases: TextPlugin

Text parser plugin for Microsoft IIS log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns:

True if this is the correct plugin, False otherwise.

Return type:

bool

DATA_FORMAT = 'Microsoft IIS log file'

ENCODING = 'utf-8'

NAME = 'winiis'

PORT = {W:(0-9){1,6} | '-'}

VERIFICATION_GRAMMAR = {[{Re:('#(Date|Fields|Version): .*') Suppress:(end of line)}]... {Re:('#Software: Microsoft Internet Information Services [0-9]+.[0-9]+') Suppress:(end of line)}}

VERIFICATION_LITERALS = ['#Software: Microsoft Internet Information Services ']

__init__()

Initializes a parser.

plaso.parsers.text_plugins.interface module

This file contains the interface for text plugins.

class plaso.parsers.text_plugins.interface.TextPlugin

Bases: BasePlugin

The interface for text plugins.

abstract CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns:

True if this is the correct plugin, False otherwise.

Return type:

bool

DATA_FORMAT = 'Text file'

ENCODING = None

NAME = 'text_plugin'

Process(parser_mediator, file_object=None, **kwargs)

Extracts events from a text log file.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• file_object (Optional[dfvfs.FileIO]) – a file-like object.

VERIFICATION_GRAMMAR = None

VERIFICATION_LITERALS = None

__init__()

Initializes a parser.

class plaso.parsers.text_plugins.interface.TextPluginWithLineContinuation

Bases: TextPlugin

The interface for text plugins with line continuation.

__init__()

Initializes a text parser plugin.

plaso.parsers.text_plugins.ios_lockdownd module

Text parser plugin for iOS lockdown daemon log files (ios_lockdownd.log).

class plaso.parsers.text_plugins.ios_lockdownd.IOSLockdowndLogData(*args: Any, **kwargs: Any)

Bases: EventData

iOS lockdown daemon (lockdownd) log event data.

body

body of the log entry.

Type:

str

process_identifier

identifier of the process making the request to lockdownd.

Type:

int

written_time

date and time the log entry was written.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'ios:lockdownd_log:entry'

__init__()

Initializes event data.

class plaso.parsers.text_plugins.ios_lockdownd.IOSLockdowndLogTextPlugin

Bases: TextPluginWithLineContinuation

Text parser plugin for iOS lockdown daemon log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the parser.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns:

True if this is the correct plugin, False otherwise.

Return type:

bool

DATA_FORMAT = 'iOS lockdown daemon log'

NAME = 'ios_lockdownd'

VERIFICATION_GRAMMAR = {{{{{{{{{W:(0-9){2} Suppress:('/')} W:(0-9){2} Suppress:('/')} W:(0-9){2} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:((,.))} W:(0-9){6} Suppress:('pid=')} W:(0-9)} rest of line} Suppress:(end of line)}

__init__()

Initializes a text parser plugin.

plaso.parsers.text_plugins.ios_logd module

Text parser plugin for iOS sysdiagnose logd files (logd.0.log).

class plaso.parsers.text_plugins.ios_logd.IOSSysdiagnoseLogdData(*args: Any, **kwargs: Any)

Bases: EventData

iOS sysdiagnose logd event data.

body

body of the event line.

Type:

str

logger

name of the process that generated the event.

Type:

str

written_time

date and time the log entry was written.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'ios:sysdiagnose:logd:line'

__init__()

Initializes iOS sysdiagnose logd event data.

class plaso.parsers.text_plugins.ios_logd.IOSSysdiagnoseLogdTextPlugin

Bases: TextPlugin

Text parser plugin for iOS sysdiagnose logd files (logd.0.log).

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns:

True if this is the correct plugin, False otherwise.

Return type:

bool

DATA_FORMAT = 'iOS sysdiagnose logd file'

NAME = 'ios_logd'

VERIFICATION_GRAMMAR = {{{{{{{{W:(0-9){4} Suppress:('-')} W:(0-9){2} Suppress:('-')} W:(0-9){2} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} {(+-) W:(0-9){2}} W:(0-9){2} Combine:({{{W:(A-Z_a-z) '['} W:(0-9)} ']'})} Suppress:(': ')} rest of line} Suppress:(end of line)}

plaso.parsers.text_plugins.ios_sysdiag_log module

Text parser plugin for iOS sysdiag log files.

class plaso.parsers.text_plugins.ios_sysdiag_log.IOSSysdiagLogEventData(*args: Any, **kwargs: Any)

Bases: EventData

iOS sysdiagnose log event data.

body

body of the event line.

Type:

str

originating_call

call that created the entry.

Type:

str

process_identifier

process_identifier.

Type:

str

severity

severity of the message.

Type:

str

written_time

date and time the log entry was written.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'ios:sysdiag_log:entry'

__init__()

Initializes event data.

class plaso.parsers.text_plugins.ios_sysdiag_log.IOSSysdiagLogTextPlugin

Bases: TextPluginWithLineContinuation

Text parser plugin for iOS mobile installation log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the parser.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns:

True if this is the correct plugin, False otherwise.

Return type:

bool

DATA_FORMAT = 'iOS sysdiag log'

NAME = 'ios_sysdiag_log'

VERIFICATION_GRAMMAR = {{{{{{{{{{{{{{{{Suppress:(W:(A-Za-z){3}) W:(A-Za-z){3}} W:(0-9){1,2} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} W:(0-9){4} Suppress:('[')} W:(0-9)} Suppress:(']')} Suppress:('<')} W:(0-9A-Za-z)} Suppress:('>')} Suppress:('(')} W:(0-9A-Za-z)} Suppress:(')')} Combine:({[{{(+-) '['} !W:(])} ']'] [!W:(:)]})} Suppress:(': ')} rest of line} Suppress:(end of line)}

__init__()

Initializes a text parser plugin.

plaso.parsers.text_plugins.macos_appfirewall module

Text plugin for MacOS Application firewall log (appfirewall.log) files.

class plaso.parsers.text_plugins.macos_appfirewall.MacOSAppFirewallLogEventData(*args: Any, **kwargs: Any)

Bases: EventData

MacOS Application firewall log (appfirewall.log) file event data.

action

action.

Type:

str

added_time

date and time the log entry was added.

Type:

dfdatetime.DateTimeValues

agent

agent that save the log.

Type:

str

computer_name

name of the computer.

Type:

str

process_name

name of the entity that tried to do the action.

Type:

str

status

saved status action.

Type:

str

DATA_TYPE = 'macos:appfirewall_log:entry'

__init__()

Initializes event data.

class plaso.parsers.text_plugins.macos_appfirewall.MacOSAppFirewallTextPlugin

Bases: TextPlugin, DateLessLogFormatHelper

Text plugin for MacOS Application firewall log (appfirewall.log) files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns:

True if this is the correct plugin, False otherwise.

Return type:

bool

DATA_FORMAT = 'MacOS Application firewall log (appfirewall.log) file'

ENCODING = 'utf-8'

NAME = 'mac_appfirewall_log'

VERIFICATION_GRAMMAR = {{{{{{{W:(A-Za-z){3} W:(0-9){1,2}} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} W:(!-~)} Combine:({{W:(!-9;=-Z\-~) '['} W:(0-9){1,5} ']'})} '<Error>: Logging: creating /var/log/appfirewall.log'} Suppress:(end of line)}

__init__()

Initializes a text parser plugin.

plaso.parsers.text_plugins.macos_launchd module

Text parser plugin for Mac OS launchd log files.

class plaso.parsers.text_plugins.macos_launchd.MacOSLaunchdEventData(*args: Any, **kwargs: Any)

Bases: EventData

Mac OS launchd log event data.

body

content of the log event.

Type:

str

process_name

name of the process that created the record.

Type:

str

severity

severity of the message.

Type:

str

written_time

date and time the log entry was written.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'macos:launchd_log:entry'

__init__()

Initializes event data.

class plaso.parsers.text_plugins.macos_launchd.MacOSLaunchdLogTextPlugin

Bases: TextPlugin

Text parser plugin for Mac OS launchd log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the parser.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns:

True if this is the correct plugin, False otherwise.

Return type:

bool

DATA_FORMAT = 'Mac OS launchd log file'

NAME = 'macos_launchd_log'

VERIFICATION_GRAMMAR = {{{{Re:('(?P<date_time>[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}.[0-9]{6}) ') [Re:('[(](?P<process_name>[^)]+)[)] ')]} Re:('[<](?P<severity>[^>]+)[>]: ')} rest of line} Suppress:(end of line)}

plaso.parsers.text_plugins.macos_securityd module

Text parser plugin for MacOS security daemon (securityd) log files.

Also see:

https://opensource.apple.com/source/Security/Security-55471/sec/securityd

class plaso.parsers.text_plugins.macos_securityd.MacOSSecuritydLogEventData(*args: Any, **kwargs: Any)

Bases: EventData

MacOS securityd log event data.

added_time

date and time the log entry was added.

Type:

dfdatetime.DateTimeValues

caller

caller, consists of two hex numbers.

Type:

str

facility

facility.

Type:

str

level

priority level.

Type:

str

message

message.

Type:

str

security_api

name of securityd function.

Type:

str

sender

name of the sender.

Type:

str

sender_pid

process identifier of the sender.

Type:

int

DATA_TYPE = 'macos:securityd_log:entry'

__init__()

Initializes event data.

class plaso.parsers.text_plugins.macos_securityd.MacOSSecuritydLogTextPlugin

Bases: TextPlugin, DateLessLogFormatHelper

Text parser plugin for MacOS security daemon (securityd) log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns:

True if this is the correct plugin, False otherwise.

Return type:

bool

DATA_FORMAT = 'MacOS security daemon (securityd) log file'

ENCODING = 'utf-8'

NAME = 'mac_securityd'

VERIFICATION_GRAMMAR = {{{{{{{{{{{{{{{Group:({{{W:(A-Za-z){3} W:(0-9){1,2}} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2}) !W:([)} Suppress:('[')} W:(0-9){1,5} Suppress:(']')} Suppress:('<')} !W:(>)} Suppress:('>')} Suppress:('[')} !W:({)} Suppress:('{')} [!W:(})]} Suppress:('}')} [!W:(]:)]} Suppress:(']:')} rest of line} Suppress:(end of line)}

__init__()

Initializes a text parser plugin.

plaso.parsers.text_plugins.macos_wifi module

Text parser plugin for MacOS Wi-Fi log (wifi.log) files.

class plaso.parsers.text_plugins.macos_wifi.MacOSWiFiLogEventData(*args: Any, **kwargs: Any)

Bases: EventData

MacOS Wi-Fi log event data.

action

known Wi-Fi action, for example connected to an access point, configured, etc. If the action is not known, the value is the message of the log (text variable).

Type:

str

added_time

date and time the log entry was added.

Type:

dfdatetime.DateTimeValues

agent

name and identifier of process that generated the log message.

Type:

str

function

name of function that generated the log message.

Type:

str

text

log message.

Type:

str

DATA_TYPE = 'macos:wifi_log:entry'

__init__()

Initializes event data.

class plaso.parsers.text_plugins.macos_wifi.MacOSWiFiLogTextPlugin

Bases: TextPlugin, DateLessLogFormatHelper

Text parser plugin MacOS Wi-Fi log (wifi.log) files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns:

True if this is the correct plugin, False otherwise.

Return type:

bool

DATA_FORMAT = 'MacOS Wi-Fi log (wifi.log) file'

ENCODING = 'utf-8'

NAME = 'mac_wifi'

VERIFICATION_GRAMMAR = {{{{{Group:({{{{W:(A-Za-z){3} W:(A-Za-z){3}} W:(0-9){1,2} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:('.')} W:(0-9){3}) '***Starting Up***'} Suppress:(end of line)} ^ {{{{{Group:({{{{W:(A-Za-z){3} W:(A-Za-z){3}} W:(0-9){1,2} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:('.')} W:(0-9){3}) {{'<' Combine:({'airportd' !W:(>)})} '>'}} airportdProcessDLILEvent | _doAutoJoin | _processSystemPSKAssoc} ':'} rest of line} Suppress:(end of line)}} ^ {{{Group:({{{{W:(A-Za-z){3} W:(A-Za-z){3}} W:(0-9){1,2} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:('.')} W:(0-9){3}) ~{{{{{'<' Combine:({'airportd' !W:(>)})} '>'} airportdProcessDLILEvent | _doAutoJoin | _processSystemPSKAssoc} ':'}}} rest of line} Suppress:(end of line)}} ^ {{Group:({{{W:(A-Za-z){3} W:(0-9){1,2}} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2}) Combine:({{W:(!-~) W:(!-~)} 'logfile turned over'})} Suppress:(end of line)}}

plaso.parsers.text_plugins.popcontest module

Text parser plugin for popularity contest log files.

Information updated 20 january 2014. From Debian Package Popularity Contest Avery Pennarun <apenwarr@debian.org>

From ‘https://www.unix.com/man-page/Linux/8/popularity-contest’:

The popularity-contest command gathers information about Debian pack- ages installed on the system, and prints the name of the most recently used executable program in that package as well as its last-accessed time (atime) and last-attribute-changed time (ctime) to stdout.

When aggregated with the output of popularity-contest from many other systems, this information is valuable because it can be used to deter- mine which Debian packages are commonly installed, used, or installed and never used. This helps Debian maintainers make decisions such as which packages should be installed by default on new systems.

The resulting statistic is available from the project home page https://popcon.debian.org

Normally, popularity-contest is run from a cron(8) job, /etc/cron.daily/popularity-contest, which automatically submits the results to Debian package maintainers (only once a week) according to the settings in /etc/popularity-contest.conf and /usr/share/popularity- contest/default.conf.

From ‘https://popcon.ubuntu.com/README’:

The popularity-contest output looks like this:

POPULARITY-CONTEST-0 TIME:914183330 ID:b92a5fc1809d8a95a12eb3a3c8445 914183333 909868335 grep /bin/fgrep 914183333 909868280 findutils /usr/bin/find 914183330 909885698 dpkg-awk /usr/bin/dpkg-awk 914183330 909868577 gawk /usr/bin/gawk […more lines…] END-POPULARITY-CONTEST-0 TIME:914183335

The first and last lines allow you to put more than one set of popularity-contest results into a single file and then split them up easily later.

The rest of the lines are package entries, one line for each package installed on your system. They have the format:

<atime> <ctime> <package-name> <mru-program> <tag>

<package-name> is the name of the Debian package that contains <mru-program>. <mru-program> is the most recently used program, static library, or header (.h) file in the package.

<atime> and <ctime> are the access time and creation time of the <mru-program> on your disk, respectively, represented as the number of seconds since midnight GMT on January 1, 1970 (i.e. in Unix time_t format). Linux updates <atime> whenever you open the file; <ctime> was set when you first installed the package.

<tag> is determined by popularity-contest depending on <atime>, <ctime>, and the current date. <tag> can be RECENT-CTIME, OLD, or NOFILES.

RECENT-CTIME means that atime is very close to ctime; it’s impossible to tell whether the package was used recently or not, since <atime> is also updated when <ctime> is set. Normally, this happens because you have recently upgraded the package to a new version, resetting the <ctime>.

OLD means that the <atime> is more than a month ago; you haven’t used the package for more than a month.

NOFILES means that no files in the package seemed to be programs, so <atime>, <ctime>, and <mru-program> are invalid.’

REMARKS. The parser will generate events solely based on the <atime> field and not using <ctime>, to reduce the generation of (possibly many) useless events all with the same <ctime>. Indeed, that <ctime> will be probably get from file system and/or package management logs. The <ctime> will be reported in the log line.

class plaso.parsers.text_plugins.popcontest.PopularityContestEventData(*args: Any, **kwargs: Any)

Bases: EventData

Popularity Contest event data.

access_time

file entry last access date and time.

Type:

dfdatetime.DateTimeValues

change_time

file entry inode change (or metadata last modification) date and time.

Type:

dfdatetime.DateTimeValues

mru

recently used app/library from package.

Type:

str

package

installed packaged name, which the mru belongs to.

Type:

str

record_tag

popularity context tag.

Type:

str

DATA_TYPE = 'linux:popularity_contest_log:entry'

__init__()

Initializes event data.

class plaso.parsers.text_plugins.popcontest.PopularityContestSessionEventData(*args: Any, **kwargs: Any)

Bases: EventData

Popularity Contest session event data.

details

version and host architecture.

Type:

str

end_time

date and time the end of the session log entry was added.

Type:

dfdatetime.DateTimeValues

host_identifier

host identifier (UUID).

Type:

str

session

session number.

Type:

int

start_time

date and time the start of the session log entry was added.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'linux:popularity_contest_log:session'

__init__()

Initializes event data.

class plaso.parsers.text_plugins.popcontest.PopularityContestTextPlugin

Bases: TextPlugin

Text parser plugin for popularity contest log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns:

True if this is the correct plugin, False otherwise.

Return type:

bool

DATA_FORMAT = 'Popularity Contest log file'

ENCODING = 'utf-8'

NAME = 'popularity_contest'

VERIFICATION_GRAMMAR = {{{{{{Suppress:('POPULARITY-CONTEST-') W:(0-9)} Suppress:('TIME:')} W:(0-9)} Suppress:('ID:')} W:(0-9A-Za-z){32} rest of line} Suppress:(end of line)}

__init__()

Initializes a text parser plugin.

plaso.parsers.text_plugins.postgresql module

Text parser plugin for PostgreSQL application log files.

This is a multi-line log format that records internal database application logs as well as authentication attempts.

Also see:

https://www.postgresql.org/docs/current/runtime-config-logging.html

class plaso.parsers.text_plugins.postgresql.PostgreSQLEventData(*args: Any, **kwargs: Any)

Bases: EventData

PostgreSQL application log data.

log_line

log message.

Type:

str

pid

process identifier (PID).

Type:

int

recorded_time

date and time the log entry was recorded.

Type:

dfdatetime.DateTimeValues

severity

severity.

Type:

str

user

“user@database” string if present. Records the user account and database name that was authenticated or attempting to authenticate.

Type:

str

DATA_TYPE = 'postgresql:application_log:entry'

__init__()

Initializes event data.

class plaso.parsers.text_plugins.postgresql.PostgreSQLTextPlugin

Bases: TextPlugin

Text parser plugin for PostgreSQL application log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the parser.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns:

True if this is the correct plugin, False otherwise.

Return type:

bool

DATA_FORMAT = 'PostgreSQL application log file'

ENCODING = 'utf-8'

NAME = 'postgresql'

VERIFICATION_GRAMMAR = {{{{{{{{{{{{start of line W:(0-9){4}} Suppress:('-')} W:(0-9){2} Suppress:('-')} W:(0-9){2} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} [Suppress:('.') W:(0-9){3}]} W:(!-~)} {{{{Suppress:('[') {W:(0-9)}...} ['-']} [W:(0-9)]...} Suppress:(']')} [{W:(0-9A-Za-z) '@'} W:(0-9A-Za-z)]} W:(A-Z)} Suppress:(':')} SkipTo:({end of text | {{{{{{{start of line W:(0-9){4}} Suppress:('-')} W:(0-9){2} Suppress:('-')} W:(0-9){2} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} [Suppress:('.') W:(0-9){3}]} W:(!-~)}})} [Suppress:(end of line)]...}

plaso.parsers.text_plugins.powershell_transcript module

Text parser plugin for PowerShell transcript log files.

class plaso.parsers.text_plugins.powershell_transcript.PowerShellTranscriptLogEventData(*args: Any, **kwargs: Any)

Bases: EventData

PowerShell transcript log event data.

build_version

Build number of current version.

Type:

str

clr_version

Common Language Runtime version.

Type:

str

commands

Commands that were executed.

Type:

str

compatible_versions

Compatible PowerShell versions.

Type:

str

configuration_name

Configuration name.

Type:

str

edition

PowerShell edition

Type:

str

host_application

Application that executed the commands.

Type:

str

machine

Hostname of machine.

Type:

str

process_identifier

Process identifier.

Type:

str

remoting_protocol_version

PowerShell remote management protocol version.

Type:

str

runas_user

User context of execution.

Type:

str

serialization_version

Serialization method version.

Type:

str

start_time

date and time the start of the PowerShell transcript.

Type:

dfdatetime.DateTimeValues

username

User that executed the commands.

Type:

str

version

PowerShell version.

Type:

str

ws_man_stack_version

WS-Management stack version

Type:

str

DATA_TYPE = 'powershell:transcript_log:entry'

__init__()

Initializes event data.

class plaso.parsers.text_plugins.powershell_transcript.PowerShellTranscriptLogTextPlugin

Bases: TextPlugin

Text parser plugin for PowerShell transcript log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns:

True if this is the correct plugin, False otherwise.

Return type:

bool

DATA_FORMAT = 'PowerShell transcript event'

ENCODING = 'utf-8'

NAME = 'powershell_transcript'

VERIFICATION_GRAMMAR = {{'**********************' Suppress:(end of line)} Re:('.*Windows PowerShell.*\\n')}

VERIFICATION_LITERALS = ['Windows PowerShell']

__init__()

Initializes a text parser plugin.

plaso.parsers.text_plugins.santa module

Text file parser plugin for Santa log files.

class plaso.parsers.text_plugins.santa.SantaExecutionEventData(*args: Any, **kwargs: Any)

Bases: EventData

Santa execution event data.

action

action recorded by Santa.

Type:

str

certificate_common_name

certificate common name.

Type:

str

certificate_hash

SHA256 hash for the certificate associated with the executed process.

Type:

str

decision

if the process was allowed or blocked.

Type:

str

gid

group identifier associated with the executed process.

Type:

str

group

group name associated with the executed process.

Type:

str

last_run_time

executable (binary) last run date and time.

Type:

dfdatetime.DateTimeValues

long_reason

further explanation behind Santa decision to execute or block a process.

Type:

str

mode

Santa execution mode, for example Monitor or Lockdown.

Type:

str

pid

process identifier for the process.

Type:

str

pid_version

the process identifier version extracted from the Mach audit token. The version can sed to identify process identifier rollovers.

Type:

str

ppid

parent process identifier for the executed process.

Type:

str

process_arguments

executed process with its arguments.

Type:

str

process_hash

SHA256 hash for the executed process.

Type:

str

process_path

process file path.

Type:

str

reason

reason behind Santa decision to execute or block a process.

Type:

str

uid

user identifier associated with the executed process.

Type:

str

user

user name associated with the executed process.

Type:

str

DATA_TYPE = 'santa:execution'

__init__()

Initializes event data.

class plaso.parsers.text_plugins.santa.SantaFileSystemEventData(*args: Any, **kwargs: Any)

Bases: EventData

Santa file system event data.

action

event type recorded by Santa.

Type:

str

file_new_path

new file path and name for RENAME events.

Type:

str

file_path

file path and name for WRITE/DELETE events.

Type:

str

gid

group identifier associated with the executed process.

Type:

str

group

group name associated with the executed process.

Type:

str

last_written_time

entry last written date and time.

Type:

dfdatetime.DateTimeValues

pid

process identifier for the process.

Type:

str

pid_version

the process identifier version extracted from the Mach audit token. The version can be used to identify process identifier rollovers.

Type:

str

ppid

parent process identifier for the executed process.

Type:

str

process_path

process file path.

Type:

str

process

process name.

Type:

str

uid

user identifier associated with the executed process.

Type:

str

user

user name associated with the executed process.

Type:

str

DATA_TYPE = 'santa:file_system_event'

__init__()

Initializes event data.

class plaso.parsers.text_plugins.santa.SantaMountEventData(*args: Any, **kwargs: Any)

Bases: EventData

Santa mount event data.

action

event type recorded by Santa.

Type:

str

appearance_time

date and time the disk appeared.

Type:

dfdatetime.DateTimeValues

bsd_name

disk BSD name.

Type:

str

bus

device protocol.

Type:

str

dmg_path

DMG file path.

Type:

str

fs

disk volume kind.

Type:

str

last_written_time

entry last written date and time.

Type:

dfdatetime.DateTimeValues

model

disk model.

Type:

str

mount

disk mount point.

Type:

str

serial

disk serial.

Type:

str

volume

disk volume name.

Type:

str

DATA_TYPE = 'santa:diskmount'

__init__()

Initializes event data.

class plaso.parsers.text_plugins.santa.SantaProcessExitEventData(*args: Any, **kwargs: Any)

Bases: EventData

Santa process exit event data.

action

action recorded by Santa.

Type:

str

exit_time

process exit date and time.

Type:

dfdatetime.DateTimeValues

gid

group identifier associated with the executed process.

Type:

str

pid

process identifier for the process.

Type:

str

pid_version

the process identifier version extracted from the Mach audit token. The version can be used to identify process identifier rollovers.

Type:

str

ppid

parent process identifier for the executed process.

Type:

str

uid

user identifier associated with the executed process.

Type:

str

DATA_TYPE = 'santa:process_exit'

__init__()

Initializes event data.

class plaso.parsers.text_plugins.santa.SantaTextPlugin

Bases: TextPlugin

Text file parser plugin for Santa log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns:

True if this is the correct plugin, False otherwise.

Return type:

bool

DATA_FORMAT = 'Santa log (santa.log) file'

ENCODING = 'utf-8'

NAME = 'santa'

VERIFICATION_GRAMMAR = {{{{{{{{{Suppress:('[') {{{{{{{W:(0-9){4} Suppress:('-')} W:(0-9){2} Suppress:('-')} W:(0-9){2} Suppress:('T')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:('.')} W:(0-9){3} Suppress:('Z')}} Suppress:(']')} Suppress:('I santad:')} Suppress:('action=')} 'DISKAPPEAR'} {Suppress:('|mount=') [!W:(| )]} {Suppress:('|volume=') [!W:(| )]} {Suppress:('|bsdname=') [!W:(| )]} {Suppress:('|fs=') [!W:(| )]} {Suppress:('|model=') [!W:(| )]} {Suppress:('|serial=') [!W:(| )]} {Suppress:('|bus=') [!W:(| )]} {Suppress:('|dmgpath=') [!W:(| )]} {Suppress:('|appearance=') {{{{{{{W:(0-9){4} Suppress:('-')} W:(0-9){2} Suppress:('-')} W:(0-9){2} Suppress:('T')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:('.')} W:(0-9){3} Suppress:('Z')} Suppress:(end of line)} ^ {{{{{{Suppress:('[') {{{{{{{W:(0-9){4} Suppress:('-')} W:(0-9){2} Suppress:('-')} W:(0-9){2} Suppress:('T')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:('.')} W:(0-9){3} Suppress:('Z')}} Suppress:(']')} Suppress:('I santad:')} Suppress:('action=')} 'DISKDISAPPEAR'} {Suppress:('|mount=') [!W:(| )]} {Suppress:('|volume=') [!W:(| )]} {Suppress:('|bsdname=') [!W:(| )]} Suppress:(end of line)}} ^ {{{{{{{{{{{{Suppress:('[') {{{{{{{W:(0-9){4} Suppress:('-')} W:(0-9){2} Suppress:('-')} W:(0-9){2} Suppress:('T')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:('.')} W:(0-9){3} Suppress:('Z')}} Suppress:(']')} Suppress:('I santad:')} Suppress:('action=')} 'EXEC'} {Suppress:('|decision=') [!W:(| )]} {Suppress:('|reason=') [!W:(| )]} [Suppress:('|explain=') [!W:(| )]]} {Suppress:('|sha256=') [!W:(| )]} [Suppress:('|cert_sha256=') [!W:(| )]]} [Suppress:('|cert_cn=') [!W:(| )]]} [Suppress:('|quarantine_url=') [!W:(| )]]} {Suppress:('|pid=') [!W:(| )]} [Suppress:('|pidversion=') [!W:(| )]]} {Suppress:('|ppid=') [!W:(| )]} {Suppress:('|uid=') [!W:(| )]} {Suppress:('|user=') [!W:(| )]} {Suppress:('|gid=') [!W:(| )]} {Suppress:('|group=') [!W:(| )]} {Suppress:('|mode=') [!W:(| )]} {Suppress:('|path=') [!W:(| )]} [Suppress:('|args=') [!W:(| )]]} Suppress:(end of line)}} ^ {{{{{{{Suppress:('[') {{{{{{{W:(0-9){4} Suppress:('-')} W:(0-9){2} Suppress:('-')} W:(0-9){2} Suppress:('T')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:('.')} W:(0-9){3} Suppress:('Z')}} Suppress:(']')} Suppress:('I santad:')} Suppress:('action=')} {{{'DELETE' ^ 'LINK'} ^ 'RENAME'} ^ 'WRITE'} {Suppress:('|path=') [!W:(| )]} [Suppress:('|newpath=') [!W:(| )]]} {Suppress:('|pid=') [!W:(| )]} [Suppress:('|pidversion=') [!W:(| )]]} {Suppress:('|ppid=') [!W:(| )]} {Suppress:('|process=') [!W:(| )]} {Suppress:('|processpath=') [!W:(| )]} {Suppress:('|uid=') [!W:(| )]} {Suppress:('|user=') [!W:(| )]} {Suppress:('|gid=') [!W:(| )]} {Suppress:('|group=') [!W:(| )]} Suppress:(end of line)}} ^ {{{{{{Suppress:('[') {{{{{{{W:(0-9){4} Suppress:('-')} W:(0-9){2} Suppress:('-')} W:(0-9){2} Suppress:('T')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:('.')} W:(0-9){3} Suppress:('Z')}} Suppress:(']')} Suppress:('I santad:')} Suppress:('action=')} 'EXIT'} {Suppress:('|pid=') [!W:(| )]} {Suppress:('|pidversion=') [!W:(| )]} {Suppress:('|ppid=') [!W:(| )]} {Suppress:('|uid=') [!W:(| )]} {Suppress:('|gid=') [!W:(| )]} Suppress:(end of line)}}

plaso.parsers.text_plugins.sccm module

Text parser plugin for System Center Configuration Manager (SCCM) logs.

class plaso.parsers.text_plugins.sccm.SCCMLogEventData(*args: Any, **kwargs: Any)

Bases: EventData

SCCM log event data.

component

component.

Type:

str

text

text.

Type:

str

written_time

date and time the entry was written.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'sccm_log:entry'

__init__()

Initializes event data.

class plaso.parsers.text_plugins.sccm.SCCMTextPlugin

Bases: TextPlugin

Text parser plugin for System Center Configuration Manager (SCCM) logs.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the parser.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns:

True if this is the correct plugin, False otherwise.

Return type:

bool

DATA_FORMAT = 'System Center Configuration Manager (SCCM) client log file'

ENCODING = 'utf-8'

NAME = 'sccm'

VERIFICATION_GRAMMAR = {Re:('.*<!\\[LOG\\[.*]LOG]!><') {{{{{{Suppress:('time="') W:(0-9){1,2}} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:('.')} Re:('\\d{3,7}')} [Group:({(+-) W:(0-9){2,3}})]} {{{Suppress:('" date="') W:(0-9){1,2}} Suppress:('-')} W:(0-9){1,2} Suppress:('-')} W:(0-9){4}} {Suppress:('" component="') W:(0-9A-Za-z)}

VERIFICATION_LITERALS = ['<![LOG[', ']LOG]!><time="']

plaso.parsers.text_plugins.selinux module

Text parser plugin for SELinux audit log (audit.log) files.

audit.log log line example:

type=AVC msg=audit(1105758604.519:420): avc: denied { getattr } for pid=5962 comm=”httpd” path=”/home/auser/public_html” dev=sdb2 ino=921135

Where msg=audit(1105758604.519:420) contains the number of seconds since January 1, 1970 00:00:00 UTC and the number of milliseconds after the dot for example: “seconds: 1105758604, milliseconds: 519”.

The number after the timestamp (420 in the example) is a ‘serial number’ that can be used to correlate multiple logs generated from the same event.

class plaso.parsers.text_plugins.selinux.SELinuxLogEventData(*args: Any, **kwargs: Any)

Bases: EventData

SELinux log event data.

audit_type

audit type.

Type:

str

body

body of the log line.

Type:

str

last_written_time

entry last written date and time.

Type:

dfdatetime.DateTimeValues

pid

process identifier (PID) that created the SELinux log line.

Type:

int

DATA_TYPE = 'selinux:line'

__init__()

Initializes event data.

class plaso.parsers.text_plugins.selinux.SELinuxTextPlugin

Bases: TextPlugin

Text parser plugin for SELinux audit log (audit.log) files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns:

True if this is the correct plugin, False otherwise.

Return type:

bool

DATA_FORMAT = 'SELinux audit log (audit.log) file'

NAME = 'selinux'

VERIFICATION_GRAMMAR = {{{{{{{{Suppress:('type=') {W:(A-Z_) ^ Re:('UNKNOWN\\[[0-9]+\\]')}} Suppress:('msg=audit(')} Group:({{W:(0-9) Suppress:('.')} W:(0-9)})} Suppress:(':')} W:(0-9)} Suppress:('):')} rest of line} Suppress:(end of line)}

plaso.parsers.text_plugins.setupapi module

Text parser plugin for Windows SetupAPI log files.

Also see:

https://learn.microsoft.com/en-us/windows-hardware/drivers/install/setupapi-text-logs

class plaso.parsers.text_plugins.setupapi.SetupAPILogEventData(*args: Any, **kwargs: Any)

Bases: EventData

SetupAPI log event data.

end_time

date and time the end of the log entry was added.

Type:

dfdatetime.DateTimeValues

entry_type

log entry type, for examaple “Device Install - PCIVEN_104C&DEV_8019&SUBSYS_8010104C&REV_003&61aaa01&0&38” or “Sysprep Respecialize - {804b345a-ffd7-854c-a1b5-ca9598907846}”.

Type:

str

exit_status

the exit status of the logged operation.

Type:

str

start_time

date and time the start of the log entry was added.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'setupapi:log:line'

__init__()

Initializes event data.

class plaso.parsers.text_plugins.setupapi.SetupAPILogTextPlugin

Bases: TextPlugin

Text parser plugin for Windows SetupAPI log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns:

True if this is the correct plugin, False otherwise.

Return type:

bool

DATA_FORMAT = 'Windows SetupAPI log file'

NAME = 'setupapi'

VERIFICATION_GRAMMAR = {'[Device Install Log]' Suppress:(end of line)}

__init__()

Initializes a text parser plugin.

plaso.parsers.text_plugins.skydrivelog module

Text parser plugins for SkyDrive version 1 and 2 log files.

class plaso.parsers.text_plugins.skydrivelog.SkyDriveLog1TextPlugin

Bases: TextPlugin

Text parser plugin for SkyDrive version 1 log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns:

True if this is the correct plugin, False otherwise.

Return type:

bool

DATA_FORMAT = 'OneDrive (or SkyDrive) version 1 log file'

ENCODING = 'utf-8'

NAME = 'skydrive_log_v1'

VERIFICATION_GRAMMAR = {{{{{Group:({{{{{W:(0-9){2} Suppress:('-')} W:(0-9){2} Suppress:('-')} W:(0-9){4} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:((,.))} W:(0-9){3}) Combine:({{{{!W:(:) ':'} W:(0-9)} '!'} W:(!-~)})} quoted string, starting with ( ending with )} Suppress:(':')} rest of line} Suppress:(end of line)}

__init__()

Initializes a text parser plugin.

class plaso.parsers.text_plugins.skydrivelog.SkyDriveLog2TextPlugin

Bases: TextPluginWithLineContinuation

Text parser plugin for SkyDrive version 2 log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the parser.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns:

True if this is the correct plugin, False otherwise.

Return type:

bool

DATA_FORMAT = 'OneDrive (or SkyDrive) version 2 log file'

ENCODING = 'utf-8'

NAME = 'skydrive_log_v2'

VERIFICATION_GRAMMAR = {{{{{{{{Suppress:('######') 'Logging started.'} 'Version='} W:(.0-9)} Suppress:('StartSystemTime:')} Group:({{{{W:(0-9){4} Suppress:('-')} W:(0-9){2} Suppress:('-')} W:(0-9){2} Suppress:('-')} W:(0-9){2} W:(0-9){2} W:(0-9){2} Suppress:('.')} W:(0-9){3})} 'StartLocalTime:'} rest of line} Suppress:(end of line)}

__init__()

Initializes a text parser plugin.

class plaso.parsers.text_plugins.skydrivelog.SkyDriveLogEventData(*args: Any, **kwargs: Any)

Bases: EventData

SkyDrive log event data.

added_time

date and time the log entry was added.

Type:

dfdatetime.DateTimeValues

detail

detail.

Type:

str

log_level

log level.

Type:

str

module

name of the module that generated the log message.

Type:

str

source_code

source file and line number that generated the log message.

Type:

str

DATA_TYPE = 'skydrive:log:entry'

__init__()

Initializes event data.

plaso.parsers.text_plugins.snort_fastlog module

Text parser plugin for Snort3/Suricata fast-log alert log files.

Snort3/Suricata fast.log format is a single line log format as shown below. The following variants are known:

Snort3:

Month/Day-Hour:Minute:Second:FractionOfSeconds [**] [sid] “string” [**] [Classification: string] [Priority : int] {protocol} SOURCE_IP:SOURCE_PORT -> DESTINATION_IP:DESTINATION_PORT

Suricata:

Year/Month/Day-Hour:Minute:Second:FractionOfSeconds [**] [sid] string [**] [Classification: string] [Priority : int] {protocol} SOURCE_IP:SOURCE_PORT -> DESTINATION_IP:DESTINATION_PORT

Also see:

https://docs.suricata.io/en/suricata-6.0.0/configuration/suricata-yaml.html#line-based-alerts-log-fast-log

class plaso.parsers.text_plugins.snort_fastlog.SnortFastAlertEventData(*args: Any, **kwargs: Any)

Bases: EventData

Snort3/Suricata fast-log alert event data.

classification

classification of the alert.

Type:

str

destination_ip

destination IP-address.

Type:

str

destination_port

destination TCP/UDP port number.

Type:

int

last_written_time

entry last written date and time.

Type:

dfdatetime.DateTimeValues

message

message associated with the alert.

Type:

str

priority

priorty, ranging from 1 (high) to 4 (very low).

Type:

int

rule_identifier

identifier of the Snort3/Suricata rule that generated the alert.

Type:

str

source_ip

source IP-address.

Type:

str

source_port

source TCP/UDP port number.

Type:

int

DATA_TYPE = 'snort:fastlog:alert'

__init__()

Initializes event data.

class plaso.parsers.text_plugins.snort_fastlog.SnortFastLogTextPlugin

Bases: TextPlugin, DateLessLogFormatHelper

Text parser plugin for Snort3/Suricata fast-log alert log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns:

True if this is the correct plugin, False otherwise.

Return type:

bool

DATA_FORMAT = 'Snort3/Suricata fast-log alert log (fast.log) file'

NAME = 'snort_fastlog'

VERIFICATION_GRAMMAR = {{{{{{{{{{{{{W:(0-9){2} Suppress:('/')} {W:(0-9){2} Suppress:('/')} W:(0-9){2} | {W:(0-9){2} Suppress:('/')} W:(0-9){2}} Suppress:('-')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:('.')} W:(0-9){6} Suppress:('[**]')} {{Suppress:('[') Combine:({{{{W:(0-9) ':'} W:(0-9)} ':'} W:(0-9)})} Suppress:(']')} {{[Suppress:('"')] Combine:({{W:(!#-Z\-~) | <SP>}}...)} [Suppress:('"')]} Suppress:('[**]')} [{Suppress:('[Classification:') Re:('[^]]*')} Suppress:(']')]} [{Suppress:('[Priority:') W:(0-9)} Suppress:(']')]} Suppress:('{')} W:(0-9A-Za-z)} Suppress:('}')} {{IPv4 address | IPv6 address} ^ {{{IPv4 address | IPv6 address} Suppress:(':')} W:(0-9)} Suppress:('->')} {{IPv4 address | IPv6 address} ^ {{{IPv4 address | IPv6 address} Suppress:(':')} W:(0-9)} Suppress:(end of line)}

plaso.parsers.text_plugins.sophos_av module

Text parser plugin for Sophos anti-virus logs (SAV.txt) files.

class plaso.parsers.text_plugins.sophos_av.SophosAVLogEventData(*args: Any, **kwargs: Any)

Bases: EventData

Sophos anti-virus log event data.

added_time

date and time the log entry was added.

Type:

dfdatetime.DateTimeValues

text

Sophos anti-virus log message.

Type:

str

DATA_TYPE = 'sophos:av:log'

__init__()

Initializes event data.

class plaso.parsers.text_plugins.sophos_av.SophosAVLogTextPlugin

Bases: TextPlugin

Text parser plugin for Sophos anti-virus logs (SAV.txt) files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns:

True if this is the correct plugin, False otherwise.

Return type:

bool

DATA_FORMAT = 'Sophos anti-virus log file (SAV.txt) file'

ENCODING = 'utf-16-le'

NAME = 'sophos_av'

VERIFICATION_GRAMMAR = {{Group:({W:(0-9){4} W:(0-9){2}} W:(0-9){2} W:(0-9){2} W:(0-9){2} W:(0-9){2}) rest of line} Suppress:(end of line)}

plaso.parsers.text_plugins.syslog module

Text parser plugin for syslog log files.

Also see:

https://www.rsyslog.com/doc/configuration/templates.html

class plaso.parsers.text_plugins.syslog.BaseSyslogTextPlugin

Bases: TextPlugin

Shared functionality for syslog log file text parser plugins.

class plaso.parsers.text_plugins.syslog.SyslogCommentEventData(*args: Any, **kwargs: Any)

Bases: EventData

Syslog comment event data.

body

message body.

Type:

str

last_written_time

entry last written date and time.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'syslog:comment'

__init__()

Initializes event data.

class plaso.parsers.text_plugins.syslog.SyslogCronTaskRunEventData(*args: Any, **kwargs: Any)

Bases: SyslogLineEventData

Syslog cron task run event data.

command

command executed.

Type:

str

last_written_time

entry last written date and time.

Type:

dfdatetime.DateTimeValues

username

name of user the command was executed.

Type:

str

DATA_TYPE = 'syslog:cron:task_run'

__init__()

Initializes event data.

class plaso.parsers.text_plugins.syslog.SyslogLineEventData(*args: Any, **kwargs: Any)

Bases: EventData

Syslog line event data.

body

message body.

Type:

str

hostname

hostname of the reporter.

Type:

str

last_written_time

entry last written date and time.

Type:

dfdatetime.DateTimeValues

pid

process identifier of the reporter.

Type:

str

reporter

reporter.

Type:

str

severity

severity.

Type:

str

DATA_TYPE = 'syslog:line'

__init__(data_type='syslog:line')

Initializes an event data attribute container.

Parameters:

data_type (Optional[str]) – event data type indicator.

class plaso.parsers.text_plugins.syslog.SyslogSSHEventData(*args: Any, **kwargs: Any)

Bases: SyslogLineEventData

SSH event data.

authentication_method

authentication method.

Type:

str

fingerprint

fingerprint.

Type:

str

ip_address

IP address.

Type:

str

last_written_time

entry last written date and time.

Type:

dfdatetime.DateTimeValues

port

port.

Type:

str

protocol

protocol.

Type:

str

username

name of user the command was executed.

Type:

str

__init__()

Initializes event data.

class plaso.parsers.text_plugins.syslog.SyslogSSHFailedConnectionEventData(*args: Any, **kwargs: Any)

Bases: SyslogSSHEventData

SSH failed connection event data.

DATA_TYPE = 'syslog:ssh:failed_connection'

class plaso.parsers.text_plugins.syslog.SyslogSSHLoginEventData(*args: Any, **kwargs: Any)

Bases: SyslogSSHEventData

SSH login event data.

DATA_TYPE = 'syslog:ssh:login'

class plaso.parsers.text_plugins.syslog.SyslogSSHOpenedConnectionEventData(*args: Any, **kwargs: Any)

Bases: SyslogSSHEventData

SSH opened connection event data.

DATA_TYPE = 'syslog:ssh:opened_connection'

class plaso.parsers.text_plugins.syslog.SyslogTextPlugin

Bases: BaseSyslogTextPlugin

Text parser plugin for syslog log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the parser.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns:

True if this is the correct plugin, False otherwise.

Return type:

bool

DATA_FORMAT = 'System log (syslog) file'

ENCODING = 'utf-8'

NAME = 'syslog'

VERIFICATION_GRAMMAR = {{{{{{{{{{{W:(0-9){4} Suppress:('-')} W:(0-9){2} Suppress:('-')} W:(0-9){2} Suppress:('T')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:('.')} W:(0-9){6} (+-)} W:(0-9){2} [Suppress:(':') W:(0-9){2}]} {{{{EMERG | ALERT | CRIT | ERR | WARNING | NOTICE | INFO | DEBUG W:(!-9;=-Z\-~)} [Suppress:(':')]} [{Suppress:('[') W:(0-9){1,5}} Suppress:(']')]} ^ {{{W:(!-~) W:(!-9;=-Z\-~)} [{Suppress:('[') W:(0-9){1,5}} Suppress:(']')]} [{Suppress:('<') W:(!-9;-=?-~)} Suppress:('>')]} [Suppress:(':')]} Re:('.*?(?=($|\\n\\w{3}\\s+\\d{1,2}\\s\\d{2}:\\d{2}:\\d{2})|($|\\n\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{6}[\\+|-]\\d{2}:\\d{2}\\s)|($|\\n<\\d{1,3}>1\\s\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{6}[\\+|-]\\d{2}:\\d{2}\\s))')} Suppress:(end of line)} ^ {{{{{{{{Suppress:('<') W:(0-9){1,2}} Suppress:('>')} Suppress:((0-9))} {{{{{{{{W:(0-9){4} Suppress:('-')} W:(0-9){2} Suppress:('-')} W:(0-9){2} Suppress:('T')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:('.')} W:(0-9){6} (+-)} W:(0-9){2} [Suppress:(':') W:(0-9){2}]} W:(!-~)} W:(!-9;=-Z\-~)} {Suppress:('-') ^ W:(0-9){1,5} W:(!-~)} W:(!-~)} Re:('.*?(?=($|\\n\\w{3}\\s+\\d{1,2}\\s\\d{2}:\\d{2}:\\d{2})|($|\\n\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{6}[\\+|-]\\d{2}:\\d{2}\\s)|($|\\n<\\d{1,3}>1\\s\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{6}[\\+|-]\\d{2}:\\d{2}\\s))')} Suppress:(end of line)}}

class plaso.parsers.text_plugins.syslog.TraditionalSyslogTextPlugin

Bases: BaseSyslogTextPlugin, DateLessLogFormatHelper

Text parser plugin for traditional syslog log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the parser.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns:

True if this is the correct plugin, False otherwise.

Return type:

bool

DATA_FORMAT = 'Traditional system log (syslog) file'

ENCODING = 'utf-8'

NAME = 'syslog_traditional'

VERIFICATION_GRAMMAR = Re:('(?P<date_time>(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) ( [1-9]|[1-9][0-9]) [0-9]{2}:[0-9]{2}:[0-9]{2}) \\S+ .*\\n')

plaso.parsers.text_plugins.teamviewer module

Text parser plugins for TeamViewer log files.

class plaso.parsers.text_plugins.teamviewer.TeamViewerApplicationEventData(*args: Any, **kwargs: Any)

Bases: EventData

TeamViewer application log event data.

body

body of the log entry.

Type:

str

process_identifier

process identifier that generated the log entry.

Type:

int

recorded_time

date and time the log entry was recorded.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'teamviewer:application_log:entry'

__init__()

Initializes event data.

class plaso.parsers.text_plugins.teamviewer.TeamViewerApplicationLogTextPlugin

Bases: TextPluginWithLineContinuation

Text parser plugin for TeamViewer application log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the parser.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns:

True if this is the correct parser, False otherwise.

Return type:

bool

DATA_FORMAT = 'TeamViewer application log file parser.'

NAME = 'teamviewer_application_log'

VERIFICATION_GRAMMAR = {{{{{{{{{{W:(0-9){4} Suppress:('/')} W:(0-9){2} Suppress:('/')} W:(0-9){2} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:('.')} W:(0-9){3} W:(0-9)} Suppress:(W:(0-9))} Suppress:(W:(!0-9A-Za-z))} rest of line} Suppress:(end of line)}

__init__()

Initializes a text parser plugin.

class plaso.parsers.text_plugins.teamviewer.TeamViewerConnectionsIncomingEventData(*args: Any, **kwargs: Any)

Bases: EventData

TeamViewer incoming connection log event data.

activity_type

Type of the activity, such as RemoteSupport or FileTransfer.

Type:

str

connection_identifier

identifier of the connection, contains an UUID.

Type:

str

display_name

The display name of the incoming connection source. Usually the computer name or the TeamViewer user name.

Type:

string

end_time

connection end time in UTC.

Type:

dfdatetime.DateTimeValues

local_account

The local user account associated with this activity.

Type:

str

source_identifier

TeamViewer identifier of the incoming connection.

Type:

int

start_time

connection start time in UTC.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'teamviewer:connections_incoming:entry'

__init__()

Initializes event data.

class plaso.parsers.text_plugins.teamviewer.TeamViewerConnectionsIncomingLogTextPlugin

Bases: TextPlugin

Text parser plugin for TeamViewer connections_incoming.txt .

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the parser.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns:

True if this is the correct parser, False otherwise.

Return type:

bool

DATA_FORMAT = 'TeamViewer connections_incoming.txt log file'

NAME = 'teamviewer_connections_incoming'

VERIFICATION_GRAMMAR = {{{{{W:(0-9){8,11} W:(-.0-9A-Z_a-z)} {{W:(0-9){2} Suppress:('-')} W:(0-9){2} Suppress:('-')} W:(0-9){4} {{W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} {{W:(0-9){2} Suppress:('-')} W:(0-9){2} Suppress:('-')} W:(0-9){4} {{W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} W:(-.0-9A-Z_a-z)} W:(0-9A-Za-z)} W:(-0-9A-Fa-f{})} Suppress:(end of line)}

class plaso.parsers.text_plugins.teamviewer.TeamViewerConnectionsOutgoingEventData(*args: Any, **kwargs: Any)

Bases: EventData

TeamViewer outgoing connection log event data.

activity_type

Type of the activity, such as RemoteSupport or FileTransfer.

Type:

str

connection_identifier

identifier of the connection, contains a UUID.

Type:

str

destination_identifier

TeamViewer identifier of the destination.

Type:

int

end_time

connection end time in UTC.

Type:

dfdatetime.DateTimeValues

local_account

The local user account associated with this activity.

Type:

str

start_time

connection start time in UTC.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'teamviewer:connections_outgoing:entry'

__init__()

Initializes event data.

class plaso.parsers.text_plugins.teamviewer.TeamViewerConnectionsOutgoingLogTextPlugin

Bases: TextPlugin

Text parser plugin for TeamViewer connections.txt log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the parser.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns:

True if this is the correct parser, False otherwise.

Return type:

bool

DATA_FORMAT = 'TeamViewer connections.txt log file'

NAME = 'teamviewer_connections_outgoing'

VERIFICATION_GRAMMAR = {{{{{W:(0-9){8,11} {{W:(0-9){2} Suppress:('-')} W:(0-9){2} Suppress:('-')} W:(0-9){4} {{W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2}} {{W:(0-9){2} Suppress:('-')} W:(0-9){2} Suppress:('-')} W:(0-9){4} {{W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} W:(-.0-9A-Z_a-z)} W:(0-9A-Za-z)} W:(-0-9A-Fa-f{})} Suppress:(end of line)}

plaso.parsers.text_plugins.viminfo module

Text parser plugin for viminfo files.

class plaso.parsers.text_plugins.viminfo.VimInfoEventData(*args: Any, **kwargs: Any)

Bases: EventData

VimInfo event data.

filename

the name of the file that was opened/edited.

Type:

str

history_type

the Vim history type.

Type:

str

history_value

the Vim history value.

Type:

str

item_number

the item number of the history type.

Type:

int

recorded_time

date and time the log entry was recorded.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'viminfo:history'

__init__()

Initializes event data.

class plaso.parsers.text_plugins.viminfo.VimInfoTextPlugin

Bases: TextPlugin

Parses events from Viminfo files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the parser.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns:

True if this is the correct plugin, False otherwise.

Return type:

bool

DATA_FORMAT = 'Viminfo file'

ENCODING = 'utf-8'

NAME = 'viminfo'

VERIFICATION_GRAMMAR = {{'# This viminfo file was generated by Vim ' W:(.0-9)} Suppress:(end of line)} {{'# You may edit it if ' {"you're careful!" ^ 'you are careful!'}} Suppress:(end of line)} {'# Viminfo version' Suppress:(end of line)} {{'|' W:(,0-9)} Suppress:(end of line)} {"# Value of 'encoding' when this file was written" Suppress:(end of line)} {{{'*' 'encoding='} W:(-0-9A-Za-z)} Suppress:(end of line)}

plaso.parsers.text_plugins.vsftpd module

Text parser plugin for vsftpd log files.

class plaso.parsers.text_plugins.vsftpd.VsftpdLogEventData(*args: Any, **kwargs: Any)

Bases: EventData

Vsftpd log event data.

added_time

date and time the log entry was added.

Type:

dfdatetime.DateTimeValues

text

vsftpd log message.

Type:

str

DATA_TYPE = 'vsftpd:log'

__init__()

Initializes event data.

class plaso.parsers.text_plugins.vsftpd.VsftpdLogTextPlugin

Bases: TextPlugin

Text parser plugin for vsftpd log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns:

True if this is the correct plugin, False otherwise.

Return type:

bool

DATA_FORMAT = 'vsftpd log file'

NAME = 'vsftpd'

VERIFICATION_GRAMMAR = {{Group:({{{W:(A-Za-z){3} W:(A-Za-z){3}} W:(0-9){1,2} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} W:(0-9){4}) rest of line} Suppress:(end of line)}

plaso.parsers.text_plugins.winfirewall module

Text parser plugin for Windows Firewall Log files.

class plaso.parsers.text_plugins.winfirewall.WinFirewallEventData(*args: Any, **kwargs: Any)

Bases: EventData

Windows Firewall event data.

action

action taken.

Type:

str

destination_ip

destination IP address.

Type:

str

destination_port

TCP or UDP destination port.

Type:

int

icmp_code

ICMP code.

Type:

int

icmp_type

ICMP type.

Type:

int

information

additional information.

Type:

str

last_written_time

entry last written date and time.

Type:

dfdatetime.DateTimeValues

packet_size

packet size.

Type:

int

path

direction of the communication, which can be: SEND, RECEIVE, FORWARD, and UNKNOWN.

Type:

str

protocol

IP protocol.

Type:

str

source_ip

source IP address.

Type:

str

source_port

TCP or UDP source port.

Type:

int

tcp_ack

TCP acknowledgement number.

Type:

int

tcp_flags

TCP flags.

Type:

str

tcp_sequence_number

TCP sequence number.

Type:

int

tcp_window_size

TCP window size.

Type:

int

DATA_TYPE = 'windows:firewall_log:entry'

__init__()

Initializes event data.

class plaso.parsers.text_plugins.winfirewall.WinFirewallLogTextPlugin

Bases: TextPlugin

Text parser plugin for Windows Firewall Log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns:

True if this is the correct plugin, False otherwise.

Return type:

bool

DATA_FORMAT = 'Windows Firewall log file'

ENCODING = None

NAME = 'winfirewall'

VERIFICATION_GRAMMAR = {{[{Re:('#(Fields|Time Format|Version): .*') Suppress:(end of line)}]... Re:('#Software: Microsoft Windows Firewall')} Suppress:(end of line)}

VERIFICATION_LITERALS = ['#Software: Microsoft Windows Firewall ']

__init__()

Initializes a text parser plugin.

plaso.parsers.text_plugins.xchatlog module

Text parser plugin for XChat log files.

Information updated 24 July 2013.

The parser applies to XChat log files. Despite their apparent simplicity it’s not straightforward to manage every possible case. XChat tool allows users to specify how timestamp will be encoded (using the strftime function), by letting them specify additional separators. This parser will accept only the simplest default English form of an XChat log file, as the following:

**** BEGIN LOGGING AT Mon Dec 31 21:11:55 2001
dec 31 21:11:55 --> You are now talking on #gugle
dec 31 21:11:55 --- Topic for #gugle is plaso, nobody knows what it means
dec 31 21:11:55 Topic for #gugle set by Kristinn
dec 31 21:11:55 --- Joachim gives voice to fpi
dec 31 21:11:55 *   XChat here
dec 31 21:11:58 <fpi> ola plas-ing guys!
dec 31 21:12:00 <Kristinn> ftw!

It could be managed the missing month/day case too, by extracting the month/day information from the header. But the parser logic would become intricate, since it would need to manage day transition, chat lines crossing the midnight. From there derives the last day of the year bug, since the parser will not manage that transition.

Moreover the strftime is locale-dependent, so month names, footer and headers can change, even inside the same log file. Being said that, the following will be the main logic used to parse the log files (note that the first header must be ‘**** BEGIN …’ otherwise file will be skipped).

1) Check for ‘****’ 1.1) If ‘BEGIN LOGGING AT’ (English) 1.1.1) Extract the YEAR 1.1.2) Generate new event start logging 1.1.3) set parsing = True 1.2) If ‘END LOGGING’ 1.2.1) If parsing, set parsing=False 1.2.2) If not parsing, log debug 1.2.3) Generate new event end logging 1.3) If not BEGIN|END we are facing a different language and we don’t now which language! If parsing is True, set parsing=False and log debug 2) Not ‘****’ so we are parsing a line 2.1) If parsing = True, try to parse line and generate event 2.2) If parsing = False, skip until next good header is found

Also see:

http://xchat.org

class plaso.parsers.text_plugins.xchatlog.XChatLogEventData(*args: Any, **kwargs: Any)

Bases: EventData

XChat Log event data.

added_time

date and time the log entry was added.

Type:

dfdatetime.DateTimeValues

nickname

nickname.

Type:

str

text

text sent by nickname or other text (server, messages, etc.).

Type:

str

DATA_TYPE = 'xchat:log:line'

__init__()

Initializes event data.

class plaso.parsers.text_plugins.xchatlog.XChatLogTextPlugin

Bases: TextPlugin, DateLessLogFormatHelper

Text parser plugin for XChat log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns:

True if this is the correct plugin, False otherwise.

Return type:

bool

DATA_FORMAT = 'XChat log file'

ENCODING = 'utf-8'

NAME = 'xchatlog'

VERIFICATION_GRAMMAR = {{{Suppress:('****') Group:({{W:(!-~) W:(!-~)} W:(!-~)})} Group:({{{Group:({{{{{{'Sun' | 'Mon'} | 'Tue'} | 'Wed'} | 'Thu'} | 'Fri'} | 'Sat'}) W:(A-Za-z){3}} W:(0-9){1,2} W:(0-9){2} Suppress:(':')} W:(0-9){2} Suppress:(':')} W:(0-9){2} W:(0-9){4})} Suppress:(end of line)}

__init__()

Initializes a text parser plugin.

plaso.parsers.text_plugins.xchatscrollback module

Text parser plugin for XChat scrollback log files.

Information updated 06 September 2013.

Besides the logging capability, the XChat IRC client has the option to record the text for opened tabs. So, when rejoining a particular channel and/or a particular conversation, XChat will display the last messages exchanged. This artifact could be present, if not disabled, even if normal logging is disabled.

From the XChat FAQ (http://xchat.org/faq):

Q: ‘How do I keep text from previous sessions from being displayed when I join a channel?’ R: ‘Starting in XChat 2.8.4, XChat implemented the Scrollback feature which displays text from the last time you had a particular tab open. To disable this setting for all channels, Go to Settings -> Preferences -> Logging and uncheck Display scrollback from previous session. In XChat 2.8.6, XChat implemented both Per Channel Logging, and Per Channel Scrollbacks. If you are on 2.8.6 or newer, you can disable loading scrollback for just one particular tab name by right clicking on the tab name, selecting Settings, and then unchecking Reload scrollback’

The log file format differs from logging format, but it’s quite simple ‘T 1232315916 Python interface unloaded’ <T><space><decimal timestamp><space><text><n>

The time reported in the log is the number of seconds since January 1, 1970 00:00:00 UTC (from source code, time(0)). The <text> part could contain some ‘decorators’ (bold, underline, colors indication, etc.), so the parser should strip those control fields.

Also see:

http://xchat.org

class plaso.parsers.text_plugins.xchatscrollback.XChatScrollbackEventData(*args: Any, **kwargs: Any)

Bases: EventData

XChat Scrollback line event data.

added_time

date and time the log entry was added.

Type:

dfdatetime.DateTimeValues

nickname

nickname.

Type:

str

text

text sent by nickname service messages.

Type:

str

DATA_TYPE = 'xchat:scrollback:line'

__init__()

Initializes event data.

class plaso.parsers.text_plugins.xchatscrollback.XChatScrollbackLogTextPlugin

Bases: TextPlugin

Text parser plugin for XChat scrollback log files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the plugin.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns:

True if this is the correct plugin, False otherwise.

Return type:

bool

DATA_FORMAT = 'XChat scrollback log file'

ENCODING = 'utf-8'

NAME = 'xchatscrollback'

VERIFICATION_GRAMMAR = Re:('T (?P<timestamp>\\d{1,10}) (?P<raw_text>.*)\\n')

plaso.parsers.text_plugins.zsh_extended_history module

Text parser plugin for ZSH extended_history files.

References

https://zsh.sourceforge.io/Doc/Release/Options.html#index-EXTENDEDHISTORY

class plaso.parsers.text_plugins.zsh_extended_history.ZshExtendedHistoryTextPlugin

Bases: TextPluginWithLineContinuation

Text parser plugin for ZSH extended history files.

CheckRequiredFormat(parser_mediator, text_reader)

Check if the log record has the minimal structure required by the parser.

Parameters:

• parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

• text_reader (EncodedTextReader) – text reader.

Returns:

True if this is the correct plugin, False otherwise.

Return type:

bool

DATA_FORMAT = 'ZSH extended history file'

ENCODING = 'utf-8'

NAME = 'zsh_extended_history'

VERIFICATION_GRAMMAR = {{Re:(': [0-9]+:[0-9]+;\\S') rest of line} Suppress:(end of line)}

__init__()

Initializes a text parser plugin.

class plaso.parsers.text_plugins.zsh_extended_history.ZshHistoryEventData(*args: Any, **kwargs: Any)

Bases: EventData

ZSH history event data.

command

command that was run.

Type:

str

elapsed_seconds

number of seconds that the command took to execute.

Type:

int

last_written_time

entry last written date and time.

Type:

dfdatetime.DateTimeValues

DATA_TYPE = 'shell:zsh:history'

__init__()

Initializes event data.

Module contents

Imports for the text parser.