plaso.output package¶
Submodules¶
plaso.output.dynamic module¶
Contains a formatter for a dynamic output module for plaso.
-
class
plaso.output.dynamic.
DynamicFieldsHelper
(output_mediator)[source]¶ Bases:
object
Helper for outputting a dynamic selection of fields.
-
GetFormattedField
(event, event_data, event_tag, field_name)[source]¶ Formats the specified field.
- Parameters
event (EventObject) – event.
event_data (EventData) – event data.
event_tag (EventTag) – event tag.
field_name (str) – name of the field.
- Returns
value of the field.
- Return type
str
-
-
class
plaso.output.dynamic.
DynamicOutputModule
(output_mediator)[source]¶ Bases:
plaso.output.interface.LinearOutputModule
Dynamic selection of fields for a separated value output format.
-
DESCRIPTION
= 'Dynamic selection of fields for a separated value output format.'¶
-
NAME
= 'dynamic'¶
-
SetFieldDelimiter
(field_delimiter)[source]¶ Sets the field delimiter.
- Parameters
field_delimiter (str) – field delimiter.
-
SetFields
(fields)[source]¶ Sets the fields to output.
- Parameters
fields (list[str]) – names of the fields to output.
-
WriteEventBody
(event, event_data, event_tag)[source]¶ Writes event values to the output.
- Parameters
event (EventObject) – event.
event_data (EventData) – event data.
event_tag (EventTag) – event tag.
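The dynamic module above selects fields by name and joins them with a configurable delimiter, which raises the question of how a field is resolved across the event, its data and its tag, and what happens when a value contains the delimiter. The following is an added, stand-alone example (not plaso's own code): plain dicts stand in for EventObject, EventData and EventTag, the method names mirror the ones documented above, and the csv module's quoting is used so that a file name or message containing the delimiter, a quote or a line break cannot shift columns.

```python
"""Illustrative dynamic field selection for a delimited timeline (added example)."""
import csv
import io


class DynamicFieldsHelper:
    """Resolves one named field from the event, the event data or the event tag."""

    def __init__(self, default_value='-'):
        self._default_value = default_value

    def GetFormattedField(self, event, event_data, event_tag, field_name):
        # event, event_data and event_tag are plain dicts standing in for plaso's
        # EventObject, EventData and EventTag; event_tag may be None.
        if field_name == 'tag':
            labels = event_tag.get('labels') if event_tag else None
            return ','.join(labels) if labels else self._default_value
        for container in (event, event_data):
            value = container.get(field_name)
            if value is not None:
                return str(value)
        return self._default_value


class DynamicOutputModule:
    """Writes one delimited row per event, containing only the selected fields."""

    NAME = 'dynamic_example'

    def __init__(self, output_writer):
        self._output_writer = output_writer
        self._field_delimiter = ','
        self._fields = ['timestamp', 'timestamp_desc', 'message']
        self._helper = DynamicFieldsHelper()
        self._csv_writer = None

    def SetFieldDelimiter(self, field_delimiter):
        if len(field_delimiter) != 1:
            raise ValueError('the field delimiter must be a single character')
        self._field_delimiter = field_delimiter

    def SetFields(self, fields):
        self._fields = list(fields)

    def WriteEventBody(self, event, event_data, event_tag):
        if self._csv_writer is None:
            # QUOTE_MINIMAL quotes any value that contains the delimiter, a quote
            # or a line break, so attacker-controlled strings such as file names
            # cannot add, split or hide columns in the timeline.
            self._csv_writer = csv.writer(
                self._output_writer, delimiter=self._field_delimiter,
                quoting=csv.QUOTE_MINIMAL, lineterminator='\n')
        self._csv_writer.writerow([
            self._helper.GetFormattedField(event, event_data, event_tag, name)
            for name in self._fields])


def RenderEvents(events, fields, delimiter=','):
    """Runs the module over (event, event_data, event_tag) triples; returns the text."""
    output = io.StringIO()
    module = DynamicOutputModule(output)
    module.SetFieldDelimiter(delimiter)
    module.SetFields(fields)
    for event, event_data, event_tag in events:
        module.WriteEventBody(event, event_data, event_tag)
    return output.getvalue()


def ParseRows(text, delimiter=','):
    """Reads the output back so every row can be checked for the expected column count."""
    return list(csv.reader(io.StringIO(text), delimiter=delimiter))


# Constructed sample events: the first message contains the delimiter, the
# second a quote and a line break.
SAMPLE_EVENTS = [
    ({'timestamp': 1600000000000000, 'timestamp_desc': 'Creation Time'},
     {'hostname': 'ws01', 'message': 'Created C:\\Users\\alice\\a,b.exe'},
     {'labels': ['suspicious', 'exe']}),
    ({'timestamp': 1600000005000000, 'timestamp_desc': 'Last Access Time'},
     {'hostname': 'ws01', 'message': 'Accessed "notes.txt"\nline2'},
     None),
]

if __name__ == '__main__':
    print(RenderEvents(SAMPLE_EVENTS, ['timestamp', 'hostname', 'message', 'tag']), end='')
```

Reading the output back with ParseRows is the check a practitioner wants before loading a timeline into a spreadsheet or SIEM: every row must have exactly as many columns as fields were selected, regardless of what the evidence contained.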
-
plaso.output.elastic module¶
An output module that saves events to Elasticsearch.
-
class
plaso.output.elastic.
ElasticsearchOutputModule
(output_mediator)[source]¶ Bases:
plaso.output.shared_elastic.SharedElasticsearchOutputModule
Output module for Elasticsearch.
-
DESCRIPTION
= 'Saves the events into an Elasticsearch database.'¶
-
NAME
= 'elastic'¶
-
SetRawFields
(raw_fields)[source]¶ Set raw (non-analyzed) fields.
This is used for sorting and aggregations in Elasticsearch. https://www.elastic.co/guide/en/elasticsearch/guide/current/multi-fields.html
- Parameters
raw_fields (bool) – True if raw (non-analyzed) fields should be added.
-
plaso.output.interface module¶
This file contains the output module interface classes.
-
class
plaso.output.interface.
LinearOutputModule
(output_mediator)[source]¶ Bases:
plaso.output.interface.OutputModule
Linear output module.
-
SetOutputWriter
(output_writer)[source]¶ Set the output writer.
- Parameters
output_writer (CLIOutputWriter) – output writer.
-
-
class
plaso.output.interface.
OutputModule
(output_mediator)[source]¶ Bases:
object
Output module interface.
-
DESCRIPTION
= ''¶
-
GetMissingArguments
()[source]¶ Retrieves arguments required by the module that have not been specified.
- Returns
names of arguments that are required by the module and have not been specified.
- Return type
list[str]
-
NAME
= ''¶
-
WriteEvent
(event, event_data, event_tag)[source]¶ Writes the event to the output.
- Parameters
event (EventObject) – event.
event_data (EventData) – event data.
event_tag (EventTag) – event tag.
-
WriteEventBody
(event, event_data, event_tag)[source]¶ Writes event values to the output.
- Parameters
event (EventObject) – event.
event_data (EventData) – event data.
event_tag (EventTag) – event tag.
-
WriteEventEnd
()[source]¶ Writes the end of an event to the output.
Can be used for post-processing or output after an individual event has been written, such as writing closing XML tags, etc.
-
WriteEventMACBGroup
(event_macb_group)[source]¶ Writes an event MACB group to the output.
An event MACB group is a group of events that have the same timestamp and event data (attributes and values), where the timestamp description (or usage) is one or more of MACB (modification, access, change, birth).
This function is called when the psort engine has detected an event MACB group, so that an output module that supports it can represent the group as such. If not overridden, this function outputs every event individually.
- Parameters
event_macb_group (list[tuple[EventObject, EventData, EventTag]]) – group of events with identical timestamps, attributes and values.
-
WriteEventStart
()[source]¶ Writes the start of an event to the output.
Can be used for pre-processing or output before an individual event has been written, such as writing opening XML tags, etc.
-
Writes the footer to the output.
Can be used for post-processing or output after the last event is written, such as writing a file footer.
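The interface above fixes the order in which the hooks fire (WriteEventStart, WriteEventBody, WriteEventEnd for every event) and gives WriteEventMACBGroup a default that writes each member separately. The following is an added, stand-alone example, not plaso's own implementation: a tiny base class with the same method names, an XML-style module that uses the start/end hooks for tags, and a subclass that overrides the group hook to collapse a MACB group into one element. Event, the list-of-labels tag and the dict event data are constructed stand-ins for EventObject, EventTag and EventData.

```python
"""Minimal stand-in for the plaso output-module lifecycle (illustrative only)."""
import html
import io


class Event:
    """Constructed stand-in for plaso's EventObject: a timestamp and its description."""

    def __init__(self, timestamp, timestamp_desc):
        self.timestamp = timestamp
        self.timestamp_desc = timestamp_desc


class OutputModule:
    """Illustrative interface: WriteEvent wraps the body in the Start/End hooks."""

    NAME = ''
    DESCRIPTION = ''

    def __init__(self, output_writer):
        self._output_writer = output_writer

    def WriteEventStart(self):
        """Hook called before each event body (for example an opening XML tag)."""

    def WriteEventBody(self, event, event_data, event_tag):
        raise NotImplementedError()

    def WriteEventEnd(self):
        """Hook called after each event body (for example a closing XML tag)."""

    def WriteEvent(self, event, event_data, event_tag):
        self.WriteEventStart()
        self.WriteEventBody(event, event_data, event_tag)
        self.WriteEventEnd()

    def WriteEventMACBGroup(self, event_macb_group):
        """Default: a module that cannot represent groups writes every member."""
        for event, event_data, event_tag in event_macb_group:
            self.WriteEvent(event, event_data, event_tag)


class XMLOutputModule(OutputModule):
    NAME = 'xml_example'

    def WriteEventStart(self):
        self._output_writer.write('<event>')

    def WriteEventBody(self, event, event_data, event_tag):
        labels = ','.join(event_tag) if event_tag else ''
        # Escape evidence-derived strings (file names, registry values) so they
        # cannot inject markup into the timeline.
        self._output_writer.write(
            '<ts>{0:d}</ts><desc>{1:s}</desc><path>{2:s}</path><tags>{3:s}</tags>'.format(
                event.timestamp, html.escape(event.timestamp_desc),
                html.escape(event_data['path']), html.escape(labels)))

    def WriteEventEnd(self):
        self._output_writer.write('</event>\n')


class GroupedXMLOutputModule(XMLOutputModule):
    """Overrides the group hook to emit one element carrying all descriptions."""

    NAME = 'xml_grouped_example'

    def WriteEventMACBGroup(self, event_macb_group):
        event, event_data, event_tag = event_macb_group[0]
        descriptions = ';'.join(sorted(e.timestamp_desc for e, _, _ in event_macb_group))
        self.WriteEventStart()
        self.WriteEventBody(Event(event.timestamp, descriptions), event_data, event_tag)
        self.WriteEventEnd()


def RenderGroup(module_class, event_macb_group):
    """Feeds one MACB group to a module and returns everything it wrote."""
    writer = io.StringIO()
    module_class(writer).WriteEventMACBGroup(event_macb_group)
    return writer.getvalue()


# Constructed sample: three timestamps of one file that share timestamp and attributes.
SAMPLE_EVENT_DATA = {'path': '/tmp/<evil>.sh'}
SAMPLE_GROUP = [
    (Event(1600000000, 'Content Modification Time'), SAMPLE_EVENT_DATA, ['malware']),
    (Event(1600000000, 'Last Access Time'), SAMPLE_EVENT_DATA, ['malware']),
    (Event(1600000000, 'Creation Time'), SAMPLE_EVENT_DATA, ['malware']),
]

if __name__ == '__main__':
    print(RenderGroup(XMLOutputModule, SAMPLE_GROUP), end='')
    print(RenderGroup(GroupedXMLOutputModule, SAMPLE_GROUP), end='')
```

Running both modules over the same group shows the contract: the non-overriding module emits three complete events (start, body, end each time), the overriding one emits a single element. The escaping in WriteEventBody is the check a writer of any markup-based output module needs, since paths and labels come straight from the evidence.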
-
plaso.output.json_line module¶
Output module that saves data into a JSON line format.
JSON line format is a single JSON entry or event per line instead of grouping all the output into a single JSON entity.
-
class
plaso.output.json_line.
JSONLineOutputModule
(output_mediator)[source]¶ Bases:
plaso.output.interface.LinearOutputModule
Output module for the JSON line format.
-
DESCRIPTION
= 'Saves the events into a JSON line format.'¶
-
NAME
= 'json_line'¶
-
WriteEventBody
(event, event_data, event_tag)[source]¶ Writes event values to the output.
- Parameters
event (EventObject) – event.
event_data (EventData) – event data.
event_tag (EventTag) – event tag.
-
plaso.output.json_out module¶
Output module that saves data into a JSON format.
-
class
plaso.output.json_out.
JSONOutputModule
(output_mediator)[source]¶ Bases:
plaso.output.interface.LinearOutputModule
Output module for the JSON format.
-
DESCRIPTION
= 'Saves the events into a JSON format.'¶
-
NAME
= 'json'¶
-
WriteEventBody
(event, event_data, event_tag)[source]¶ Writes event values to the output.
- Parameters
event (EventObject) – event.
event_data (EventData) – event data.
event_tag (EventTag) – event tag.
-
Writes the footer to the output.
-
plaso.output.kml module¶
An output module that writes events with geographic data to a KML XML file.
The Keyhole Markup Language (KML) is an XML notation for expressing geographic annotation and visualization within Internet-based, two-dimensional maps and three-dimensional Earth browsers.
-
class
plaso.output.kml.
KMLOutputModule
(output_mediator)[source]¶ Bases:
plaso.output.interface.LinearOutputModule
Output module for a Keyhole Markup Language (KML) XML file.
-
DESCRIPTION
= 'Saves events with geography data into a KML format.'¶
-
NAME
= 'kml'¶
-
WriteEventBody
(event, event_data, event_tag)[source]¶ Writes event values to the output.
- Parameters
event (EventObject) – event.
event_data (EventData) – event data.
event_tag (EventTag) – event tag.
-
Writes the footer to the output.
-
plaso.output.l2t_csv module¶
Output module for the log2timeline (L2T) CSV format.
For documentation on the L2T CSV format see: http://forensicswiki.org/wiki/L2T_CSV
-
class
plaso.output.l2t_csv.
L2TCSVOutputModule
(output_mediator)[source]¶ Bases:
plaso.output.interface.LinearOutputModule
CSV format used by log2timeline, with 17 fixed fields.
-
DESCRIPTION
= 'CSV format used by legacy log2timeline, with 17 fixed fields.'¶
-
NAME
= 'l2tcsv'¶
-
WriteEventBody
(event, event_data, event_tag)[source]¶ Writes event values to the output.
- Parameters
event (EventObject) – event.
event_data (EventData) – event data.
event_tag (EventTag) – event tag.
- Raises
NoFormatterFound – If no event formatter can be found to match the data type in the event data object.
-
WriteEventMACBGroup
(event_macb_group)[source]¶ Writes an event MACB group to the output.
- Parameters
event_macb_group (list[tuple[EventObject, EventData, EventTag]]) – event MACB group.
-
plaso.output.logger module¶
The output sub module logger.
plaso.output.manager module¶
Output plugin manager.
-
class
plaso.output.manager.
OutputManager
[source]¶ Bases:
object
Output module manager.
-
classmethod
DeregisterOutput
(output_class)[source]¶ Deregisters an output class.
The output classes are identified based on their NAME attribute.
- Parameters
output_class (type) – output module class.
- Raises
KeyError – if no output class is set for the corresponding name.
-
classmethod
GetDisabledOutputClasses
()[source]¶ Retrieves the disabled output classes and their associated names.
- Yields
tuple[str, type] – output module name and class.
-
classmethod
GetOutputClass
(name)[source]¶ Retrieves the output class for a specific name.
- Parameters
name (str) – name of the output module.
- Returns
output module class.
- Return type
type
- Raises
KeyError – if there is no output class found with the supplied name.
ValueError – if name is not a string.
-
classmethod
GetOutputClasses
()[source]¶ Retrieves the available output classes and their associated names.
- Yields
tuple[str, type] – output class name and type object.
-
classmethod
HasOutputClass
(name)[source]¶ Determines if a specific output class is registered with the manager.
- Parameters
name (str) – name of the output module.
- Returns
True if the output class is registered.
- Return type
bool
-
classmethod
IsLinearOutputModule
(name)[source]¶ Determines if a specific output class is a linear output module.
- Parameters
name (str) – name of the output module.
- Returns
True if the output module is linear.
- Return type
bool
-
classmethod
NewOutputModule
(name, output_mediator)[source]¶ Creates a new output module object for the specified output format.
- Parameters
name (str) – name of the output module.
output_mediator (OutputMediator) – output mediator.
- Returns
output module.
- Return type
- Raises
KeyError – if there is no output class found with the supplied name.
ValueError – if name is not a string.
-
classmethod
RegisterOutput
(output_class, disabled=False)[source]¶ Registers an output class.
The output classes are identified based on their NAME attribute.
- Parameters
output_class (type) – output module class.
disabled (Optional[bool]) – True if the output module should be registered as disabled, for example because it did not load correctly.
- Raises
KeyError – if output class is already set for the corresponding name.
-
classmethod
RegisterOutputs
(output_classes, disabled=False)[source]¶ Registers output classes.
The output classes are identified based on their NAME attribute.
- Parameters
output_classes (list[type]) – output module classes.
disabled (Optional[bool]) – True if the output modules should be registered as disabled, for example because they did not load correctly.
- Raises
KeyError – if output class is already set for the corresponding name.
-
plaso.output.mediator module¶
The output mediator object.
-
class
plaso.output.mediator.
OutputMediator
(knowledge_base, formatter_mediator, fields_filter=None, preferred_encoding='utf-8')[source]¶ Bases:
object
Output mediator.
-
fields_filter
¶ filter object that indicates which fields to output.
- Type
-
GetEventFormatter
(event)[source]¶ Retrieves the event formatter for a specific event type.
- Parameters
event (EventObject) – event.
- Returns
event formatter or None.
- Return type
-
GetFormattedMessages
(event)[source]¶ Retrieves the formatted messages related to the event.
- Parameters
event (EventObject) – event.
- Returns
containing:
str: full message string or None if no event formatter was found.
str: short message string or None if no event formatter was found.
- Return type
tuple
-
GetFormattedSources
(event, event_data)[source]¶ Retrieves the formatted sources related to the event.
- Parameters
event (EventObject) – event.
event_data (EventData) – event data.
- Returns
containing:
str: full source string or None if no event formatter was found.
str: short source string or None if no event formatter was found.
- Return type
tuple
-
GetHostname
(event_data, default_hostname='-')[source]¶ Retrieves the hostname related to the event.
- Parameters
event_data (EventData) – event data.
default_hostname (Optional[str]) – default hostname.
- Returns
hostname.
- Return type
str
-
GetMACBRepresentation
(event, event_data)[source]¶ Retrieves the MACB representation.
- Parameters
event (EventObject) – event.
event_data (EventData) – event data.
- Returns
MACB representation.
- Return type
str
-
GetMACBRepresentationFromDescriptions
(timestamp_descriptions)[source]¶ Determines the MACB representation from the timestamp descriptions.
MACB representation is a shorthand for representing one or more of modification, access, change, birth timestamp descriptions as the letters “MACB” or a “.” if the corresponding timestamp is not set.
Note that this is an output format shorthand and does not guarantee that the timestamps represent the same occurrence.
- Parameters
timestamp_descriptions (list[str]) – timestamp descriptions, which are defined in definitions.TIME_DESCRIPTIONS.
- Returns
MACB representation.
- Return type
str
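The shorthand described above is a fixed four-position string, one letter per timestamp description, with a "." where that description is absent, and the MACB group written by the interface's WriteEventMACBGroup is exactly the set of events whose descriptions feed it. The following is an added, stand-alone example, not plaso's own code: it derives the shorthand from a list of descriptions and groups constructed (timestamp, description, attributes) tuples that share timestamp and attributes. The four description strings are assumed values standing in for definitions.TIME_DESCRIPTIONS, which this page does not list.

```python
"""Illustrative MACB shorthand and MACB-group detection (added example)."""
from collections import OrderedDict

# Assumed timestamp descriptions; plaso's definitions.TIME_DESCRIPTIONS is not on this page.
TIME_MODIFICATION = 'Content Modification Time'
TIME_LAST_ACCESS = 'Last Access Time'
TIME_CHANGE = 'Metadata Modification Time'
TIME_CREATION = 'Creation Time'

# Position and letter in the "MACB" string for each description, in output order.
MACB_LETTERS = OrderedDict([
    (TIME_MODIFICATION, 'M'),
    (TIME_LAST_ACCESS, 'A'),
    (TIME_CHANGE, 'C'),
    (TIME_CREATION, 'B'),
])


def GetMACBRepresentationFromDescriptions(timestamp_descriptions):
    """Returns for example 'M.CB'; a '.' marks a timestamp that is not in the list.

    Descriptions outside the four MACB ones contribute nothing, so a group made
    only of such events is rendered as '....'.
    """
    present = set(timestamp_descriptions)
    return ''.join(letter if description in present else '.'
                   for description, letter in MACB_LETTERS.items())


def GroupMACBEvents(events):
    """Groups (timestamp, description, attributes) tuples sharing timestamp and attributes.

    Returns (timestamp, attributes, macb) triples in first-seen order. Two events
    with the same timestamp but different attributes (another file, say) are
    not merged: the group is keyed on both, as the interface describes.
    """
    groups = OrderedDict()
    for timestamp, description, attributes in events:
        # frozenset of items makes the attribute dict hashable and order-insensitive.
        key = (timestamp, frozenset(attributes.items()))
        groups.setdefault(key, []).append(description)
    return [(timestamp, dict(attributes), GetMACBRepresentationFromDescriptions(descriptions))
            for (timestamp, attributes), descriptions in groups.items()]


# Constructed sample events: three timestamps of /etc/passwd coincide, a
# different file shares the same second, and one later access stands alone.
SAMPLE_EVENTS = [
    (1600000000, TIME_MODIFICATION, {'path': '/etc/passwd'}),
    (1600000000, TIME_CHANGE, {'path': '/etc/passwd'}),
    (1600000000, TIME_CREATION, {'path': '/etc/passwd'}),
    (1600000000, TIME_LAST_ACCESS, {'path': '/etc/shadow'}),
    (1600000100, TIME_LAST_ACCESS, {'path': '/etc/passwd'}),
]

if __name__ == '__main__':
    for timestamp, attributes, macb in GroupMACBEvents(SAMPLE_EVENTS):
        print(timestamp, macb, attributes['path'])
```

The caveat in the interface text applies unchanged: "M.CB" says that modification, change and birth timestamps of the same object coincide to the stored resolution, not that one operation set all three. A timestomped file can produce exactly the same shorthand, so the string is a reading aid, not a finding.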
-
GetUsername
(event_data, default_username='-')[source]¶ Retrieves the username related to the event.
- Parameters
event_data (EventData) – event data.
default_username (Optional[str]) – default username.
- Returns
username.
- Return type
str
-
SetTimezone
(timezone)[source]¶ Sets the timezone.
- Parameters
timezone (str) – timezone.
- Raises
ValueError – if the timezone is not supported.
-
encoding
¶ preferred encoding.
- Type
str
-
filter_expression
¶ filter expression if a filter is set, None otherwise.
- Type
str
-
timezone
¶ The timezone.
-
plaso.output.mysql_4n6time module¶
Defines the output module for the MySQL database used by 4n6time.
-
class
plaso.output.mysql_4n6time.
MySQL4n6TimeOutputModule
(output_mediator)[source]¶ Bases:
plaso.output.shared_4n6time.Shared4n6TimeOutputModule
Class defining the MySQL database output module for 4n6time.
-
Close
()[source]¶ Disconnects from the database.
This method will create the necessary indices and commit outstanding transactions before disconnecting.
-
DESCRIPTION
= 'MySQL database output for the 4n6time tool.'¶
-
NAME
= '4n6time_mysql'¶
-
Open
()[source]¶ Connects to the database and creates the required tables.
- Raises
IOError – if the 4n6time tables cannot be created or data cannot be inserted into the database.
OSError – if the 4n6time tables cannot be created or data cannot be inserted into the database.
ValueError – if no database name given.
-
SetCredentials
(password=None, username=None)[source]¶ Sets the database credentials.
- Parameters
password (Optional[str]) – password to access the database.
username (Optional[str]) – username to access the database.
-
SetDatabaseName
(name)[source]¶ Sets the database name.
- Parameters
name (str) – name of the database.
-
SetServerInformation
(server, port)[source]¶ Sets the server information.
- Parameters
server (str) – hostname or IP address of the database server.
port (int) – port number of the database server.
-
WriteEventBody
(event, event_data, event_tag)[source]¶ Writes event values to the output.
- Parameters
event (EventObject) – event.
event_data (EventData) – event data.
event_tag (EventTag) – event tag.
-
plaso.output.null module¶
Null device output module.
-
class
plaso.output.null.
NullOutputModule
(output_mediator)[source]¶ Bases:
plaso.output.interface.OutputModule
Null device output module.
-
DESCRIPTION
= 'Output module that does not output anything.'¶
-
NAME
= 'null'¶
-
WriteEventBody
(event, event_data, event_tag)[source]¶ Writes event values to the output.
- Parameters
event (EventObject) – event.
event_data (EventData) – event data.
event_tag (EventTag) – event tag.
-
plaso.output.rawpy module¶
Output module for the “raw” (or native) Python format.
-
class
plaso.output.rawpy.
NativePythonFormatterHelper
[source]¶ Bases:
object
Helper for outputting as “raw” (or native) Python.
-
classmethod
GetFormattedEvent
(event, event_data, event_tag)[source]¶ Retrieves a string representation of the event.
- Parameters
event (EventObject) – event.
event_data (EventData) – event data.
event_tag (EventTag) – event tag.
- Returns
string representation of the event.
- Return type
str
-
-
class
plaso.output.rawpy.
NativePythonOutputModule
(output_mediator)[source]¶ Bases:
plaso.output.interface.LinearOutputModule
Output module for the “raw” (or native) Python output format.
-
DESCRIPTION
= '"raw" (or native) Python output.'¶
-
NAME
= 'rawpy'¶
-
WriteEventBody
(event, event_data, event_tag)[source]¶ Writes event values to the output.
- Parameters
event (EventObject) – event.
event_data (EventData) – event data.
event_tag (EventTag) – event tag.
-
plaso.output.sqlite_4n6time module¶
Defines the output module for the SQLite database used by 4n6time.
-
class
plaso.output.sqlite_4n6time.
SQLite4n6TimeOutputModule
(output_mediator)[source]¶ Bases:
plaso.output.shared_4n6time.Shared4n6TimeOutputModule
Saves the data in a SQLite database, used by the tool 4n6time.
-
Close
()[source]¶ Disconnects from the database.
This method will create the necessary indices and commit outstanding transactions before disconnecting.
-
DESCRIPTION
= 'Saves the data in a SQLite database, used by the tool 4n6time.'¶
-
NAME
= '4n6time_sqlite'¶
-
Open
()[source]¶ Connects to the database and creates the required tables.
- Raises
IOError – if the specified output file already exists.
OSError – if the specified output file already exists.
ValueError – if the filename is not set.
-
WriteEventBody
(event, event_data, event_tag)[source]¶ Writes event values to the output.
- Parameters
event (EventObject) – event.
event_data (EventData) – event data.
event_tag (EventTag) – event tag.
-
plaso.output.timesketch_out module¶
Timesketch output module.
-
class
plaso.output.timesketch_out.
TimesketchOutputModule
(output_mediator)[source]¶ Bases:
plaso.output.shared_elastic.SharedElasticsearchOutputModule
Output module for Timesketch.
-
Close
()[source]¶ Closes the connection to the Timesketch Elasticsearch database.
Sends the remaining events for indexing and removes the processing status on the Timesketch search index object.
-
DESCRIPTION
= 'Create a Timesketch timeline.'¶
-
GetMissingArguments
()[source]¶ Retrieves a list of arguments that are missing from the input.
- Returns
names of arguments that are required by the module and have not been specified.
- Return type
list[str]
-
NAME
= 'timesketch'¶
-
SetTimelineName
(timeline_name)[source]¶ Sets the timeline name.
- Parameters
timeline_name (str) – timeline name.
-
plaso.output.tln module¶
Output module for the TLN format.
For documentation on the TLN format see: http://forensicswiki.org/wiki/TLN
-
class
plaso.output.tln.
L2TTLNOutputModule
(output_mediator)[source]¶ Bases:
plaso.output.tln.TLNBaseOutputModule
Output module for the log2timeline extended variant of the TLN format.
l2tTLN is an extended variant of TLN introduced in log2timeline 0.65.
l2tTLN extends basic TLN to 7 | separated fields, namely:
* Time - 32-bit POSIX (or Unix) epoch timestamp.
* Source - The name of the parser or plugin that produced the event.
* Host - The source host system.
* User - The user associated with the data.
* Description - Message string describing the data.
* TZ - L2T 0.65 field. Timezone of the event.
* Notes - L2T 0.65 field. Optional notes field or filename and inode.
-
DESCRIPTION
= 'Extended TLN 7 field | delimited output.'¶
-
NAME
= 'l2ttln'¶
-
WriteEventBody
(event, event_data, event_tag)[source]¶ Writes event values to the output.
- Parameters
event (EventObject) – event.
event_data (EventData) – event data.
event_tag (EventTag) – event tag.
-
-
class
plaso.output.tln.
TLNBaseOutputModule
(output_mediator)[source]¶ Bases:
plaso.output.interface.LinearOutputModule
Base class for a TLN output module.
-
class
plaso.output.tln.
TLNOutputModule
(output_mediator)[source]¶ Bases:
plaso.output.tln.TLNBaseOutputModule
Output module for the TLN format.
TLN defines 5 | separated fields, namely:
* Time - 32-bit POSIX (or Unix) epoch timestamp.
* Source - The name of the parser or plugin that produced the event.
* Host - The source host system.
* User - The user associated with the data.
* Description - Message string describing the data.
-
DESCRIPTION
= 'TLN 5 field | delimited output.'¶
-
NAME
= 'tln'¶
-
WriteEventBody
(event, event_data, event_tag)[source]¶ Writes event values to the output.
- Parameters
event (EventObject) – event.
event_data (EventData) – event data.
event_tag (EventTag) – event tag.
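Both TLN variants described in this module are one line per event, "|" between fields, and no quoting convention, which leaves two things for a writer to get right: a field value that itself contains "|" or a line break would shift every later field, and a 32-bit epoch field cannot hold a timestamp before 1970 or after January 2038. The following is an added, stand-alone example covering the 5-field TLN and 7-field l2tTLN layouts listed above; it is not plaso's own writer. It assumes that event timestamps arrive as microseconds since the POSIX epoch and that the event is a plain dict with the keys shown; writing 0 for an unrepresentable timestamp is this example's choice.

```python
"""Illustrative TLN and l2tTLN line writers (added example, not plaso's own code)."""

# Both formats are one event per line with '|' between fields and no quoting
# rule, so a value containing '|' or a line break would shift every later field.
FIELD_DELIMITER = '|'
EMPTY_FIELD = '-'


def SanitizeField(value):
    """Returns value as text with delimiter and line-break characters replaced."""
    if value is None or value == '':
        return EMPTY_FIELD
    text = str(value)
    for character in (FIELD_DELIMITER, '\r', '\n'):
        text = text.replace(character, ' ')
    return text


def GetPosixTimestamp(timestamp):
    """Converts microseconds since the POSIX epoch to 32-bit seconds.

    Timestamps are assumed to be in microseconds. Values before 1970 or after
    2038-01-19 do not fit the 32-bit TLN field; this example writes 0 for them
    so the line stays parseable rather than raising.
    """
    seconds = int(timestamp) // 1000000
    if seconds < 0 or seconds > 0x7fffffff:
        return 0
    return seconds


def FormatTLN(event):
    """Formats the five basic TLN fields: Time|Source|Host|User|Description."""
    fields = [
        GetPosixTimestamp(event['timestamp']),
        event.get('source'),
        event.get('hostname'),
        event.get('username'),
        event.get('message'),
    ]
    return FIELD_DELIMITER.join(SanitizeField(field) for field in fields)


def FormatL2TTLN(event, timezone='UTC'):
    """Formats the seven l2tTLN fields: the TLN fields plus TZ and Notes."""
    notes = EMPTY_FIELD
    if event.get('filename'):
        # The Notes field carries the file name and inode when they are known.
        notes = 'File: {0:s} inode: {1!s}'.format(
            event['filename'], event.get('inode', EMPTY_FIELD))
    return FIELD_DELIMITER.join([
        FormatTLN(event), SanitizeField(timezone), SanitizeField(notes)])


# Constructed sample event; the message and file name contain the delimiter.
SAMPLE_EVENT = {
    'timestamp': 1600000000000000,
    'source': 'FILE',
    'hostname': 'ws01',
    'username': 'alice',
    'message': 'Created C:\\Users\\alice\\evil|payload.exe',
    'filename': 'C:\\Users\\alice\\evil|payload.exe',
    'inode': 1234,
}

if __name__ == '__main__':
    print(FormatTLN(SAMPLE_EVENT))
    print(FormatL2TTLN(SAMPLE_EVENT))
```

Splitting each produced line on "|" and counting five or seven fields is the check to run on any TLN export before feeding it to another tool; an evidence-derived file name with a "|" in it is enough to break a naive writer.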
-
plaso.output.xlsx module¶
Output module for the Excel Spreadsheet (XLSX) output format.
-
class
plaso.output.xlsx.
XLSXOutputModule
(output_mediator)[source]¶ Bases:
plaso.output.interface.OutputModule
Output module for the Excel Spreadsheet (XLSX) output format.
-
DESCRIPTION
= 'Excel Spreadsheet (XLSX) output'¶
-
NAME
= 'xlsx'¶
-
Open
()[source]¶ Creates a new workbook.
- Raises
IOError – if the specified output file already exists.
OSError – if the specified output file already exists.
ValueError – if the filename is not set.
-
SetFields
(fields)[source]¶ Sets the fields to output.
- Parameters
fields (list[str]) – names of the fields to output.
-
SetTimestampFormat
(timestamp_format)[source]¶ Set the timestamp format to use for the datetime column.
- Parameters
timestamp_format (str) – format string of date and time values.
-
WriteEventBody
(event, event_data, event_tag)[source]¶ Writes event values to the output.
- Parameters
event (EventObject) – event.
event_data (EventData) – event data.
event_tag (EventTag) – event tag.
-
Module contents¶
This file imports Python modules that register output modules.