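--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,46 +1,45 @@
 # -*- coding: utf-8 -*-
-"""This file contains a plugin for SSH syslog entries."""
+"""This file contains a plugin for cron syslog entries."""
 
 from __future__ import unicode_literals
 
 import pyparsing
 
 from plaso.containers import time_events
 from plaso.lib import definitions
 from plaso.parsers import syslog
 from plaso.parsers.syslog_plugins import interface
 
 
 class CronTaskRunEventData(syslog.SyslogLineEventData):
   """Cron task run event data.
 
   Attributes:
     command (str): command executed.
     username (str): name of user the command was executed.
   """
 
   DATA_TYPE = 'syslog:cron:task_run'
 
   def __init__(self):
     """Initializes event data."""
     super(CronTaskRunEventData, self).__init__(data_type=self.DATA_TYPE)
     self.command = None
     self.username = None
 
 
-class CronPlugin(interface.SyslogPlugin):
+class CronSyslogPlugin(interface.SyslogPlugin):
   """A syslog plugin for parsing cron messages."""
+
   NAME = 'cron'
-
   DESCRIPTION = 'Parser for syslog cron messages.'
-
   REPORTER = 'CRON'
 
   _PYPARSING_COMPONENTS = {
       'command': pyparsing.Combine(
           pyparsing.SkipTo(
               pyparsing.Literal(')') + pyparsing.StringEnd())).setResultsName(
                   'command'),
       'username': pyparsing.Word(pyparsing.alphanums).setResultsName(
           'username'),
   }
@@ -59,33 +58,32 @@
 
     Args:
       parser_mediator (ParserMediator): mediates interactions between parsers
           and other components, such as storage and dfvfs.
       key (str): name of the matching grammar.
       date_time (dfdatetime.DateTimeValues): date and time values.
       tokens (dict[str, str]): tokens derived from a syslog message based on
           the defined grammar.
 
     Raises:
-      AttributeError: If an unknown key is provided.
+      ValueError: If an unknown key is provided.
     """
-    # TODO: change AttributeError into ValueError or equiv.
     if key != 'task_run':
-      raise AttributeError('Unknown grammar key: {0:s}'.format(key))
+      raise ValueError('Unknown grammar key: {0:s}'.format(key))
 
     event_data = CronTaskRunEventData()
     event_data.body = tokens.get('body', None)
     event_data.command = tokens.get('command', None)
     event_data.hostname = tokens.get('hostname', None)
     # TODO: pass line number to offset or remove.
     event_data.offset = 0
     event_data.pid = tokens.get('pid', None)
     event_data.reporter = tokens.get('reporter', None)
     event_data.severity = tokens.get('severity', None)
     event_data.username = tokens.get('username', None)
 
     event = time_events.DateTimeValuesEvent(
         date_time, definitions.TIME_DESCRIPTION_WRITTEN)
     parser_mediator.ProduceEventWithEventData(event, event_data)
 
 
-syslog.SyslogParser.RegisterPlugin(CronPlugin)
+syslog.SyslogParser.RegisterPlugin(CronSyslogPlugin)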
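Review bot: The rename to CronSyslogPlugin and the switch from AttributeError to ValueError in the unknown-key branch are both interface changes, and nothing on this page shows the other side of either: any module or test that imports CronPlugin, or any caller of the message handler that catches AttributeError, would need updating in the same change, which I cannot verify from here. The handler's signature lies in the skipped region, so its name and decorator are not visible. While the docstrings are being touched, the CronTaskRunEventData attribute line `username (str): name of user the command was executed.` is ungrammatical; suggest `username (str): name of the user the command was executed as.`. The `# TODO: pass line number to offset or remove.` above `event_data.offset = 0` is carried over unchanged, so the produced event still reports offset 0 for every cron line.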