plaso.parsers.syslog_plugins package

Submodules

plaso.parsers.syslog_plugins.cron module

This file contains a plugin for cron syslog entries.

class plaso.parsers.syslog_plugins.cron.CronSyslogPlugin

Bases: plaso.parsers.syslog_plugins.interface.SyslogPlugin

A syslog plugin for parsing cron messages.

DESCRIPTION = 'Parser for syslog cron messages.'
MESSAGE_GRAMMARS = [('task_run', {{{{{{{"(" W:(ABCD...)} ")"} "CMD"} "("} Combine:(SkipTo:({")" StringEnd}))} ")"} StringEnd})]
NAME = 'cron'
ParseMessage(parser_mediator, key, date_time, tokens)

Parses a syslog body that matched one of defined grammars.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • key (str) – name of the matching grammar.
  • date_time (dfdatetime.DateTimeValues) – date and time values.
  • tokens (dict[str, str]) – tokens derived from a syslog message based on the defined grammar.
Raises:

ValueError – If an unknown key is provided.

REPORTER = 'CRON'
class plaso.parsers.syslog_plugins.cron.CronTaskRunEventData

Bases: plaso.parsers.syslog.SyslogLineEventData

Cron task run event data.

command

str – command executed.

username

str – name of the user the command was executed as.

DATA_TYPE = 'syslog:cron:task_run'

plaso.parsers.syslog_plugins.interface module

This file contains the interface for syslog plugins.

class plaso.parsers.syslog_plugins.interface.SyslogPlugin

Bases: plaso.parsers.plugins.BasePlugin

The interface for syslog plugins.

DESCRIPTION = ''
MESSAGE_GRAMMARS = []
NAME = 'syslog_plugin'
ParseMessage(parser_mediator, key, date_time, tokens)

Parses a syslog body that matched one of the grammars the plugin defined.

Parameters:
  • parser_mediator (ParserMediator) – mediates the interactions between parsers and other components, such as storage and abort signals.
  • key (str) – name of the parsed structure.
  • date_time (dfdatetime.DateTimeValues) – date and time values.
  • tokens (dict[str, str]) – names of the fields extracted by the syslog parser and the matching grammar, and values are the values of those fields.
Process(parser_mediator, date_time, syslog_tokens, **kwargs)

Processes the data structure produced by the parser.

Parameters:
  • parser_mediator (ParserMediator) – mediates the interactions between parsers and other components, such as storage and abort signals.
  • date_time (dfdatetime.DateTimeValues) – date and time values.
  • syslog_tokens (dict[str, str]) – names of the fields extracted by the syslog parser and the matching grammar, and values are the values of those fields.
Raises:
  • AttributeError – If the syslog_tokens do not include a ‘body’ attribute.
  • WrongPlugin – If the plugin is unable to parse the syslog tokens.
REPORTER = ''
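
The plugin contract described above (Process() matches the body against MESSAGE_GRAMMARS, raises AttributeError when no body is present and WrongPlugin when nothing matches, then hands the matched tokens to ParseMessage()) together with the cron task_run grammar, as an added example that is not plaso's own code. It uses stdlib regular expressions with named groups where plaso uses pyparsing grammars, and the ParserMediator, the WrongPlugin exception, the syslog header regex and the sample log lines are all constructed stand-ins for this illustration:

```python
"""Stand-in for plaso's syslog plugin contract (added example, not plaso code)."""
import re


class WrongPlugin(Exception):
    """Raised when none of the plugin's grammars match the body (stand-in for plaso's WrongPlugin)."""


class CollectingMediator:
    """Constructed stand-in for ParserMediator: it only collects produced event data."""

    def __init__(self):
        self.events = []

    def ProduceEventData(self, event_data):
        self.events.append(event_data)


# Simplified BSD-style syslog line: "Mar  1 10:15:01 host CRON[1234]: body" (assumed format).
_SYSLOG_LINE = re.compile(
    r'(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) '
    r'(?P<hostname>\S+) (?P<reporter>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<body>.*)')


class SyslogPlugin:
    """Mirror of the interface: Process() selects a grammar, ParseMessage() builds the event."""

    NAME = 'syslog_plugin'
    REPORTER = ''
    # (key, compiled regular expression) pairs; plaso keeps pyparsing grammars here.
    MESSAGE_GRAMMARS = []

    def Process(self, parser_mediator, date_time, syslog_tokens):
        if 'body' not in syslog_tokens:
            raise AttributeError('syslog_tokens does not contain a body attribute')
        for key, grammar in self.MESSAGE_GRAMMARS:
            match = grammar.fullmatch(syslog_tokens['body'])
            if match:
                # The named groups become the tokens dict keyed by field name.
                self.ParseMessage(parser_mediator, key, date_time, match.groupdict())
                return
        raise WrongPlugin('Unable to parse body with plugin: {0:s}'.format(self.NAME))

    def ParseMessage(self, parser_mediator, key, date_time, tokens):
        raise NotImplementedError()


class CronSyslogPlugin(SyslogPlugin):
    """Cron plugin: "(user) CMD (command)"; the command runs up to the final ")"."""

    NAME = 'cron'
    REPORTER = 'CRON'
    MESSAGE_GRAMMARS = [
        ('task_run', re.compile(r'\((?P<username>[^)]+)\) CMD \((?P<command>.*)\)')),
    ]

    def ParseMessage(self, parser_mediator, key, date_time, tokens):
        if key != 'task_run':
            raise ValueError('Unknown grammar key: {0:s}'.format(key))
        parser_mediator.ProduceEventData({
            'data_type': 'syslog:cron:task_run',
            'date_time': date_time,
            'username': tokens['username'],
            'command': tokens['command'],
        })


def ProcessSyslogLines(lines, plugins):
    """Routes each line to the plugin whose REPORTER matches; returns (events, unparsed lines)."""
    mediator = CollectingMediator()
    unparsed = []
    by_reporter = {plugin.REPORTER: plugin for plugin in plugins}
    for line in lines:
        match = _SYSLOG_LINE.fullmatch(line.rstrip('\n'))
        plugin = by_reporter.get(match['reporter']) if match else None
        if plugin is None:
            unparsed.append(line)
            continue
        tokens = match.groupdict()
        # BSD syslog carries no year; the header timestamp is kept as raw text here.
        date_time = '{0:s} {1:s} {2:s}'.format(tokens['month'], tokens['day'], tokens['time'])
        try:
            plugin.Process(mediator, date_time, tokens)
        except WrongPlugin:
            # Same reporter, but a body the grammars do not cover (e.g. pam_unix session lines).
            unparsed.append(line)
    return mediator.events, unparsed


# Constructed sample lines, not captured from a real host.
SAMPLE_LINES = [
    'Mar  1 10:15:01 host CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)',
    'Mar  1 10:17:01 host CRON[1240]: (backup) CMD (/usr/local/bin/snapshot.sh --quiet)',
    'Mar  1 10:17:02 host CRON[1240]: pam_unix(cron:session): session opened for user backup by (uid=0)',
    'Mar  1 10:18:00 host kernel: [  120.000000] usb 1-1: new device',
]

if __name__ == '__main__':
    events, unparsed = ProcessSyslogLines(SAMPLE_LINES, [CronSyslogPlugin()])
    for event in events:
        print(event)
    print('unparsed lines:', len(unparsed))
```

Lines whose reporter has no plugin, or whose body none of the plugin's grammars accept, are returned rather than silently dropped, which is the behaviour a forensic timeline needs: an unparsed line is evidence of a message form the grammars do not yet cover, not noise.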

plaso.parsers.syslog_plugins.ssh module

This file contains a plugin for SSH syslog entries.

class plaso.parsers.syslog_plugins.ssh.SSHEventData

Bases: plaso.parsers.syslog.SyslogLineEventData

SSH event data.

address

str – IP address.

authentication_method

str – authentication method.

fingerprint

str – fingerprint.

port

str – port.

protocol

str – protocol.

username

str – name of the user.

class plaso.parsers.syslog_plugins.ssh.SSHFailedConnectionEventData

Bases: plaso.parsers.syslog_plugins.ssh.SSHEventData

SSH failed connection event data.

DATA_TYPE = 'syslog:ssh:failed_connection'
class plaso.parsers.syslog_plugins.ssh.SSHLoginEventData

Bases: plaso.parsers.syslog_plugins.ssh.SSHEventData

SSH login event data.

DATA_TYPE = 'syslog:ssh:login'
class plaso.parsers.syslog_plugins.ssh.SSHOpenedConnectionEventData

Bases: plaso.parsers.syslog_plugins.ssh.SSHEventData

SSH opened connection event data.

DATA_TYPE = 'syslog:ssh:opened_connection'
class plaso.parsers.syslog_plugins.ssh.SSHSyslogPlugin

Bases: plaso.parsers.syslog_plugins.interface.SyslogPlugin

A plugin for creating events from syslog messages produced by SSH.

DESCRIPTION = 'Parser for SSH syslog entries.'
MESSAGE_GRAMMARS = [('login', {{{{{{{{{{"Accepted" {"password" | "publickey"}} "for"} W:(ABCD...)} "from"} {{W:(0123...) {{"." W:(0123...)} {"." W:(0123...)} {"." W:(0123...)}}} | W:(:012...)}} "port"} W:(0123...)} "ssh2"} [{":" Combine:({"RSA " W:(:012...)})}]} StringEnd}), ('failed_connection', {{{{{{{{"Failed" {"password" | "publickey"}} "for"} W:(ABCD...)} "from"} {{W:(0123...) {{"." W:(0123...)} {"." W:(0123...)} {"." W:(0123...)}}} | W:(:012...)}} "port"} W:(0123...)} StringEnd}), ('opened_connection', {{{{"Connection from" {{W:(0123...) {{"." W:(0123...)} {"." W:(0123...)} {"." W:(0123...)}}} | W:(:012...)}} "port"} W:(0123...)} LineEnd})]
NAME = 'ssh'
ParseMessage(parser_mediator, key, date_time, tokens)

Produces an event from a syslog body that matched one of the grammars.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • key (str) – name of the matching grammar.
  • date_time (dfdatetime.DateTimeValues) – date and time values.
  • tokens (dict[str, str]) – tokens derived from a syslog message based on the defined grammar.
Raises:

ValueError – If an unknown key is provided.

REPORTER = 'sshd'
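
The three SSH grammars above (login, failed_connection, opened_connection) with the IPv4-or-IPv6 address alternative, the optional fingerprint on login and the DATA_TYPE each grammar maps to, as an added example that is not plaso's own code. It uses stdlib regular expressions rather than pyparsing, and goes slightly beyond the page's grammars on purpose: the fingerprint is accepted as any non-space word after "RSA " so SHA256-style fingerprints also match, "invalid user" before the username and a trailing "ssh2" are tolerated on failed_connection, and the "on <address> port <port>" suffix is tolerated on opened_connection. The sample message bodies and the per-address failure count are constructed for this illustration:

```python
"""Tokenizer for sshd syslog bodies mirroring plaso's SSH grammars (added example, not plaso code)."""
import re
from collections import Counter

# Address alternative from the grammars: dotted IPv4, or a word of hex digits and colons (IPv6).
_ADDRESS = r'(?P<address>\d{1,3}(?:\.\d{1,3}){3}|[0-9A-Fa-f:]+)'

# (key, data_type, compiled grammar) in the order the plugin tries them.
SSH_GRAMMARS = [
    ('login', 'syslog:ssh:login', re.compile(
        r'Accepted (?P<authentication_method>password|publickey) for (?P<username>\S+) '
        r'from ' + _ADDRESS + r' port (?P<port>\d+) (?P<protocol>ssh2)'
        r'(?:: (?P<fingerprint>RSA \S+))?')),           # fingerprint is optional
    ('failed_connection', 'syslog:ssh:failed_connection', re.compile(
        r'Failed (?P<authentication_method>password|publickey) for '
        r'(?:invalid user )?(?P<username>\S+) '         # extension: "invalid user" prefix
        r'from ' + _ADDRESS + r' port (?P<port>\d+)(?: ssh2)?')),
    ('opened_connection', 'syslog:ssh:opened_connection', re.compile(
        r'Connection from ' + _ADDRESS + r' port (?P<port>\d+)'
        r'(?: on \S+ port \d+)?')),                     # extension: local endpoint suffix
]


def ParseSSHMessage(body):
    """Returns an event dict for a matching sshd body, or None when no grammar matches."""
    for key, data_type, grammar in SSH_GRAMMARS:
        match = grammar.fullmatch(body)
        if match:
            event = {'key': key, 'data_type': data_type}
            # Unmatched optional groups (fingerprint) come back as None, as absent tokens would.
            event.update(match.groupdict())
            return event
    return None


def ParseSSHBodies(bodies):
    """Parses many bodies; returns (events, bodies no grammar covered)."""
    events, unmatched = [], []
    for body in bodies:
        event = ParseSSHMessage(body)
        if event is None:
            unmatched.append(body)
        else:
            events.append(event)
    return events, unmatched


def FailedConnectionsByAddress(events):
    """Counts failed_connection events per source address; a high count is a brute-force indicator."""
    return dict(Counter(
        event['address'] for event in events
        if event['data_type'] == 'syslog:ssh:failed_connection'))


# Constructed sample bodies (documentation addresses, made-up fingerprint), not real log data.
SAMPLE_BODIES = [
    'Accepted publickey for alice from 192.0.2.10 port 51234 ssh2: RSA SHA256:AbCdEf0123456789',
    'Accepted password for bob from 2001:db8::7 port 40022 ssh2',
    'Failed password for root from 198.51.100.23 port 3333 ssh2',
    'Failed password for invalid user admin from 198.51.100.23 port 3334 ssh2',
    'Connection from 198.51.100.23 port 3335 on 192.0.2.1 port 22',
    'Received disconnect from 198.51.100.23 port 3335:11: Bye Bye [preauth]',
]

if __name__ == '__main__':
    events, unmatched = ParseSSHBodies(SAMPLE_BODIES)
    for event in events:
        print(event['data_type'], event['address'], event.get('username'))
    print('failed connections per address:', FailedConnectionsByAddress(events))
    print('unmatched bodies:', unmatched)
```

Keeping the unmatched bodies visible matters for the same reason as with cron: the "Received disconnect" line is a legitimate sshd message the page's grammars do not cover, and a timeline built only from matched events would not show that gap.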

Module contents

Imports for the syslog parser.