1 # -*- coding: utf-8 -*- | 1 # -*- coding: utf-8 -*- |
2 """This file contains a plugin for SSH syslog entries.""" | 2 """This file contains a plugin for cron syslog entries.""" |
3 | 3 |
4 from __future__ import unicode_literals | 4 from __future__ import unicode_literals |
5 | 5 |
6 import pyparsing | 6 import pyparsing |
7 | 7 |
8 from plaso.containers import time_events | 8 from plaso.containers import time_events |
9 from plaso.lib import definitions | 9 from plaso.lib import definitions |
10 from plaso.parsers import syslog | 10 from plaso.parsers import syslog |
11 from plaso.parsers.syslog_plugins import interface | 11 from plaso.parsers.syslog_plugins import interface |
12 | 12 |
13 | 13 |
14 class CronTaskRunEventData(syslog.SyslogLineEventData): | 14 class CronTaskRunEventData(syslog.SyslogLineEventData): |
15 """Cron task run event data. | 15 """Cron task run event data. |
16 | 16 |
17 Attributes: | 17 Attributes: |
18 command (str): command executed. | 18 command (str): command executed. |
19 username (str): name of user the command was executed. | 19 username (str): name of user the command was executed. |
20 """ | 20 """ |
21 | 21 |
22 DATA_TYPE = 'syslog:cron:task_run' | 22 DATA_TYPE = 'syslog:cron:task_run' |
23 | 23 |
24 def __init__(self): | 24 def __init__(self): |
25 """Initializes event data.""" | 25 """Initializes event data.""" |
26 super(CronTaskRunEventData, self).__init__(data_type=self.DATA_TYPE) | 26 super(CronTaskRunEventData, self).__init__(data_type=self.DATA_TYPE) |
27 self.command = None | 27 self.command = None |
28 self.username = None | 28 self.username = None |
29 | 29 |
30 | 30 |
31 class CronPlugin(interface.SyslogPlugin): | 31 class CronSyslogPlugin(interface.SyslogPlugin): |
32 """A syslog plugin for parsing cron messages.""" | 32 """A syslog plugin for parsing cron messages.""" |
| 33 |
33 NAME = 'cron' | 34 NAME = 'cron' |
34 | |
35 DESCRIPTION = 'Parser for syslog cron messages.' | 35 DESCRIPTION = 'Parser for syslog cron messages.' |
36 | |
37 REPORTER = 'CRON' | 36 REPORTER = 'CRON' |
38 | 37 |
39 _PYPARSING_COMPONENTS = { | 38 _PYPARSING_COMPONENTS = { |
40 'command': pyparsing.Combine( | 39 'command': pyparsing.Combine( |
41 pyparsing.SkipTo( | 40 pyparsing.SkipTo( |
42 pyparsing.Literal(')') + pyparsing.StringEnd())).setResultsName( | 41 pyparsing.Literal(')') + pyparsing.StringEnd())).setResultsName( |
43 'command'), | 42 'command'), |
44 'username': pyparsing.Word(pyparsing.alphanums).setResultsName( | 43 'username': pyparsing.Word(pyparsing.alphanums).setResultsName( |
45 'username'), | 44 'username'), |
46 } | 45 } |
(...skipping 13 matching lines...) Expand all Loading... |
60 Args: | 59 Args: |
61 parser_mediator (ParserMediator): mediates interactions between parsers | 60 parser_mediator (ParserMediator): mediates interactions between parsers |
62 and other components, such as storage and dfvfs. | 61 and other components, such as storage and dfvfs. |
63 key (str): name of the matching grammar. | 62 key (str): name of the matching grammar. |
64 timestamp (int): the timestamp, which contains the number of micro seconds | 63 timestamp (int): the timestamp, which contains the number of micro seconds |
65 since January 1, 1970, 00:00:00 UTC or 0 on error. | 64 since January 1, 1970, 00:00:00 UTC or 0 on error. |
66 tokens (dict[str, str]): tokens derived from a syslog message based on | 65 tokens (dict[str, str]): tokens derived from a syslog message based on |
67 the defined grammar. | 66 the defined grammar. |
68 | 67 |
69 Raises: | 68 Raises: |
70 AttributeError: If an unknown key is provided. | 69 ValueError: If an unknown key is provided. |
71 """ | 70 """ |
72 # TODO: change AttributeError into ValueError or equiv. | |
73 if key != 'task_run': | 71 if key != 'task_run': |
74 raise AttributeError('Unknown grammar key: {0:s}'.format(key)) | 72 raise ValueError('Unknown grammar key: {0:s}'.format(key)) |
75 | 73 |
76 event_data = CronTaskRunEventData() | 74 event_data = CronTaskRunEventData() |
77 event_data.body = tokens.get('body', None) | 75 event_data.body = tokens.get('body', None) |
78 event_data.command = tokens.get('command', None) | 76 event_data.command = tokens.get('command', None) |
79 event_data.hostname = tokens.get('hostname', None) | 77 event_data.hostname = tokens.get('hostname', None) |
80 # TODO: pass line number to offset or remove. | 78 # TODO: pass line number to offset or remove. |
81 event_data.offset = 0 | 79 event_data.offset = 0 |
82 event_data.pid = tokens.get('pid', None) | 80 event_data.pid = tokens.get('pid', None) |
83 event_data.reporter = tokens.get('reporter', None) | 81 event_data.reporter = tokens.get('reporter', None) |
84 event_data.severity = tokens.get('severity', None) | 82 event_data.severity = tokens.get('severity', None) |
85 event_data.username = tokens.get('username', None) | 83 event_data.username = tokens.get('username', None) |
86 | 84 |
87 event = time_events.TimestampEvent( | 85 event = time_events.TimestampEvent( |
88 timestamp, definitions.TIME_DESCRIPTION_WRITTEN) | 86 timestamp, definitions.TIME_DESCRIPTION_WRITTEN) |
89 parser_mediator.ProduceEventWithEventData(event, event_data) | 87 parser_mediator.ProduceEventWithEventData(event, event_data) |
90 | 88 |
91 | 89 |
92 syslog.SyslogParser.RegisterPlugin(CronPlugin) | 90 syslog.SyslogParser.RegisterPlugin(CronSyslogPlugin) |
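Review bot: The `username` component on new lines 43-44, `pyparsing.Word(pyparsing.alphanums)`, accepts only letters and digits, so cron lines for accounts whose names contain `-`, `_` or `.` (system service accounts such as `www-data` commonly do) will not match the grammar and yield no event, a silent coverage gap for a timeline parser that is easy to miss because nothing is logged. If the `task_run` grammar assembled in the collapsed lines uses this component as-is, widening it to `pyparsing.Word(pyparsing.alphanums + '_-.')` closes the gap without changing any currently matching input; a short comment on that line, `# usernames may contain '_', '-' and '.'`, would explain the character set. The rename to `CronSyslogPlugin`, the switch to `ValueError` and the updated `Raises:` docstring are consistent with each other and with the registration call on the last line. The `ParseMessage` method holding the `ValueError` branch begins in the collapsed region, so its signature is not visible in this view.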