Index: plaso/parsers/utmp.yaml |
diff --git a/plaso/parsers/utmp.yaml b/plaso/parsers/utmp.yaml |
new file mode 100644 |
index 0000000000000000000000000000000000000000..f920e9c959d9d620bf9c9c89bcecf0546eb1ccca |
--- /dev/null |
+++ b/plaso/parsers/utmp.yaml |
@@ -0,0 +1,74 @@ |
+name: utmp |
+type: format |
+description: Utmp login records format |
+urls: ["https://github.com/libyal/dtformats/blob/master/documentation/Utmp%20login%20records%20format.asciidoc"] |
+--- |
+name: byte |
+type: integer |
+attributes: |
+ format: unsigned |
+ size: 1 |
+ units: bytes |
+--- |
+name: int16 |
+type: integer |
+attributes: |
+ format: signed |
+ size: 2 |
+ units: bytes |
+--- |
+name: int32 |
+type: integer |
+attributes: |
+ format: signed |
+ size: 4 |
+ units: bytes |
+--- |
+name: uint32 |
+type: integer |
+attributes: |
+ format: unsigned |
+ size: 4 |
+ units: bytes |
+--- |
+name: utmp_entry |
+type: structure |
+attributes: |
+ byte_order: little-endian |
+members: |
+- name: type |
+ data_type: int32 |
+- name: pid |
+ data_type: uint32 |
+- name: terminal |
+ type: stream |
+ element_data_type: byte |
+ number_of_elements: 32 |
+- name: terminal_identifier |
+ data_type: uint32 |
+- name: username |
+ type: stream |
+ element_data_type: byte |
+ number_of_elements: 32 |
+- name: hostname |
+ type: stream |
+ element_data_type: byte |
+ number_of_elements: 256 |
+- name: termination_status |
+ data_type: int16 |
+- name: exit_status |
+ data_type: int16 |
+- name: session |
+ data_type: int32 |
+- name: timestamp |
+ data_type: int32 |
+- name: microseconds |
+ data_type: int32 |
+- name: ip_address |
+ type: sequence |
+ element_data_type: byte |
+ number_of_elements: 16 |
+- name: unknown1 |
+ type: stream |
+ element_data_type: byte |
+ number_of_elements: 20 |
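Review bot: The fixed-width text members `terminal`, `username` and `hostname` in `utmp_entry` are declared as raw byte streams with nothing documenting their termination, and a value that fills the whole field carries no NUL at all. I would add a comment above `members:` along the lines of `# terminal, username and hostname are NUL-padded, not guaranteed NUL-terminated; cut at the first NUL and do not report the bytes after it`, so the consuming parser neither reads a full-width value as malformed nor reports leftover bytes after the terminator as part of a login name or host. A second comment on `ip_address`, `# IPv4 uses only the first 4 bytes, the remaining 12 are zero; otherwise IPv6`, would document how the 16 bytes are meant to be interpreted. Separately, `byte_order: little-endian` is fixed, so a file written on a big-endian host would decode to implausible `type` and `timestamp` values; since these logs can also be edited by whoever had root on the system, the parser presumably needs to range-check `type` before trusting a record.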