
Commit e4fa6ae

Shreyans TiwariSpferical
authored and committed
Added raw_message field in syslog
1 parent 742ce18 commit e4fa6ae

2 files changed

+89
-14
lines changed


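--- a/plaso/parsers/text_plugins/syslog.py
+++ b/plaso/parsers/text_plugins/syslog.py
@@ -46,6 +46,7 @@ class SyslogLineEventData(events.EventData):
 last_written_time (dfdatetime.DateTimeValues): entry last written date and
 time.
 pid (str): process identifier of the reporter.
+raw_message (str): original message.
 reporter (str): reporter.
 severity (str): severity.
 """
@@ -63,6 +64,7 @@ def __init__(self, data_type=DATA_TYPE):
 self.hostname = None
 self.last_written_time = None
 self.pid = None
+self.raw_message = None
 self.reporter = None
 self.severity = None
 self.facility = None
@@ -447,6 +449,7 @@ class SyslogTextPlugin(BaseSyslogTextPlugin):
 pyparsing.Optional(pyparsing.Suppress(':')) +
 pyparsing.Regex(_BODY_PATTERN, re.DOTALL).set_results_name('body') +
 _END_OF_LINE)
+_LOG_LINE = pyparsing.original_text_for(_LOG_LINE, as_string=False)
 
 # The rsyslog protocol 23 format (RSYSLOG_SyslogProtocol23Format)
 # consists of:
@@ -473,6 +476,9 @@ class SyslogTextPlugin(BaseSyslogTextPlugin):
 pyparsing.Word(pyparsing.printables).set_results_name('structured_data') +
 pyparsing.Regex(_BODY_PATTERN, re.DOTALL).set_results_name('body') +
 _END_OF_LINE)
+_RSYSLOG_PROTOCOL_23_LINE = pyparsing.original_text_for(
+_RSYSLOG_PROTOCOL_23_LINE, as_string=False
+)
 
 _LINE_STRUCTURES = [
 ('log_line', _LOG_LINE),
@@ -527,6 +533,7 @@ def _ParseRecord(self, parser_mediator, key, structure):
 event_data.severity = severity
 event_data.facility = facility
 event_data.message_identifier = message_identifier
+event_data.raw_message = structure[0]
 
 parser_mediator.ProduceEventData(event_data)
 
@@ -727,6 +734,8 @@ class TraditionalSyslogTextPlugin(
 _KERNEL_SYSLOG_BODY ^ _RSYSLOG_BODY ^ _SYSLOG_COMMENT_BODY) +
 _END_OF_LINE)
 
+_LOG_LINE = pyparsing.original_text_for(_LOG_LINE, as_string=False)
+
 _LINE_STRUCTURES = [('log_line', _LOG_LINE)]
 
 # Using a regular expression here is faster on non-match than the log line
@@ -769,6 +778,7 @@ def _ParseRecord(self, parser_mediator, key, structure):
 event_data.pid = self._GetValueFromStructure(structure, 'pid')
 event_data.reporter = reporter
 event_data.severity = self._GetValueFromStructure(structure, 'severity')
+event_data.raw_message = structure[0]
 
 parser_mediator.ProduceEventData(event_data)
 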
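Review bot: `event_data.raw_message = structure[0]` in both `_ParseRecord` hunks relies on a positional index whose meaning is fixed only by the `original_text_for(..., as_string=False)` wrappers added several hundred lines earlier, so a comment at each assignment, `# original_text_for() places the matched line text at index 0`, would make the coupling visible; a line structure that is not wrapped that way would silently store its first token instead. The test file shows the captured text keeps the trailing newline, which the new docstring entry does not say; `raw_message (str): original log line as read, including the trailing line terminator.` is more precise, and if the terminator is unwanted `structure[0].rstrip('\r\n')` drops it at the single place it is set. Any other `BaseSyslogTextPlugin` subclass not touched by this commit would presumably leave `raw_message` as `None`, which consumers of the field should expect. Both `_ParseRecord` bodies and the enclosing class bodies begin outside the hunks.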
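--- a/tests/parsers/text_plugins/syslog.py
+++ b/tests/parsers/text_plugins/syslog.py
@@ -162,7 +162,12 @@ def testProcessChromeOS(self):
 'last_written_time': '2016-10-25T12:37:23.297265-07:00',
 'pid': 13707,
 'reporter': 'periodic_scheduler',
-'severity': 'INFO'}
+'severity': 'INFO',
+'raw_message': (
+'2016-10-25T12:37:23.297265-07:00 INFO periodic_scheduler[13707]:'
+' cleanup_logs: job completed\n'
+),
+}
 
 event_data = storage_writer.GetAttributeContainerByIndex('event_data', 0)
 self.CheckEventData(event_data, expected_event_values)
@@ -190,7 +195,12 @@ def testProcessRsyslog(self):
 'hostname': 'localhost',
 'last_written_time': '2020-05-31T00:00:45.698463+00:00',
 'reporter': 'rsyslogd',
-'severity': None}
+'severity': None,
+'raw_message': (
+'2020-05-31T00:00:45.698463+00:00 localhost rsyslogd: message'
+' repeated 76 times: [-- MARK --]\n'
+),
+}
 
 event_data = storage_writer.GetAttributeContainerByIndex('event_data', 0)
 self.CheckEventData(event_data, expected_event_values)
@@ -220,7 +230,12 @@ def testProcessRsyslogProtocol23(self):
 'reporter': 'log_tag',
 'severity': 'DEBUG',
 'facility': 'user-level message',
-'message_identifier': '123'}
+'message_identifier': '123',
+'raw_message': (
+'<15>1 2021-03-06T04:07:38.251122+00:00 hostname log_tag - 123 - '
+' this is debug\n'
+),
+}
 
 event_data = storage_writer.GetAttributeContainerByIndex('event_data', 0)
 self.CheckEventData(event_data, expected_event_values)
@@ -377,7 +392,12 @@ def testProcess(self):
 'pid': 30840,
 'reporter': 'client',
 'severity': None,
-'facility': None}
+'facility': None,
+'raw_message': (
+'Jan 22 07:52:33 myhostname.myhost.com client[30840]: INFO No new'
+' content in ímynd.dd.\n'
+),
+}
 
 event_data = storage_writer.GetAttributeContainerByIndex('event_data', 0)
 self.CheckEventData(event_data, expected_event_values)
@@ -389,7 +409,12 @@ def testProcess(self):
 'last_written_time': '0001-03-23T23:01:18',
 'reporter': 'somrandomexe',
 'severity': None,
-'facility': None}
+'facility': None,
+'raw_message': (
+'Mar 23 23:01:18.123 myhostname.myhost.com somrandomexe[19]: This'
+' syslog message has a fractional value for seconds.\n'
+),
+}
 
 event_data = storage_writer.GetAttributeContainerByIndex('event_data', 9)
 self.CheckEventData(event_data, expected_event_values)
@@ -416,7 +441,12 @@ def testProcessCron(self):
 'command': 'sleep $(( 1 * 60 )); touch /tmp/afile.txt',
 'data_type': 'syslog:cron:task_run',
 'last_written_time': '0000-03-11T19:26:39',
-'username': 'root'}
+'username': 'root',
+'raw_message': (
+'Mar 11 19:26:39 osx-machine CRON[3]: (root) CMD (sleep $(( 1 * 60'
+' )); touch /tmp/afile.txt)\n'
+),
+}
 
 event_data = storage_writer.GetAttributeContainerByIndex('event_data', 1)
 self.CheckEventData(event_data, expected_event_values)
@@ -445,7 +475,13 @@ def testProcessDarwin(self):
 'last_written_time': '0000-03-11T19:26:39',
 'reporter': 'kernel',
 'severity': None,
-'facility': None}
+'facility': None,
+'raw_message': (
+'Mar 11 19:26:39 osx-machine kernel[0]:'
+' AppleThunderboltNHIType2::prePCIWake - power up complete - took 1'
+' us\n'
+),
+}
 
 event_data = storage_writer.GetAttributeContainerByIndex('event_data', 0)
 self.CheckEventData(event_data, expected_event_values)
@@ -473,7 +509,9 @@ def testProcessRsyslogSysklogd(self):
 'hostname': 'hostname',
 'last_written_time': '0000-03-06T04:07:28',
 'reporter': 'log_tag',
-'severity': None}
+'severity': None,
+'raw_message': 'Mar 6 04:07:28 hostname log_tag this is debug\n',
+}
 
 event_data = storage_writer.GetAttributeContainerByIndex('event_data', 0)
 self.CheckEventData(event_data, expected_event_values)
@@ -502,7 +540,12 @@ def testProcessRsyslogTraditional(self):
 'last_written_time': '0000-01-22T07:54:32',
 'reporter': 'Job',
 'severity': None,
-'facility': None}
+'facility': None,
+'raw_message': (
+"Jan 22 07:54:32 myhostname.myhost.com Job `cron.daily'"
+' terminated\n'
+),
+}
 
 event_data = storage_writer.GetAttributeContainerByIndex('event_data', 0)
 self.CheckEventData(event_data, expected_event_values)
@@ -527,19 +570,31 @@ def testProcessSshd(self):
 
 expected_event_values = {
 'data_type': 'syslog:line',
-'last_written_time': '0000-03-11T00:00:00'}
+'last_written_time': '0000-03-11T00:00:00',
+'raw_message': (
+'Mar 11 00:00:00 ubuntu2015 sshd[3]: Server listening on 0.0.0.0'
+' port 22.\n'
+),
+}
 
 event_data = storage_writer.GetAttributeContainerByIndex('event_data', 0)
 self.CheckEventData(event_data, expected_event_values)
 
 expected_event_values = {
 'body': (
 'Accepted publickey for plaso from 192.168.0.1 port 59229 ssh2: '
-'RSA 00:aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:77:88:99'),
+'RSA 00:aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:77:88:99'
+),
 'data_type': 'syslog:ssh:login',
 'fingerprint': 'RSA 00:aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:77:88:99',
 'ip_address': '192.168.0.1',
-'last_written_time': '0000-03-11T19:26:39'}
+'last_written_time': '0000-03-11T19:26:39',
+'raw_message': (
+'Mar 11 19:26:39 osx-machine sshd[3]: Accepted publickey for plaso'
+' from 192.168.0.1 port 59229 ssh2: RSA'
+' 00:aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:77:88:99\n'
+),
+}
 
 event_data = storage_writer.GetAttributeContainerByIndex('event_data', 1)
 self.CheckEventData(event_data, expected_event_values)
@@ -548,15 +603,25 @@ def testProcessSshd(self):
 'data_type': 'syslog:ssh:failed_connection',
 'ip_address': '001:db8:a0b:12f0::1',
 'last_written_time': '0000-03-11T22:55:30',
-'port': '8759'}
+'port': '8759',
+'raw_message': (
+'Mar 11 22:55:30 ubuntu2015 sshd[3]: Failed publickey for plaso'
+' from 001:db8:a0b:12f0::1 port 8759\n'
+),
+}
 
 event_data = storage_writer.GetAttributeContainerByIndex('event_data', 3)
 self.CheckEventData(event_data, expected_event_values)
 
 expected_event_values = {
 'data_type': 'syslog:ssh:opened_connection',
 'ip_address': '188.124.3.41',
-'last_written_time': '0000-03-11T22:55:31'}
+'last_written_time': '0000-03-11T22:55:31',
+'raw_message': (
+'Mar 11 22:55:31 ubuntu2015 sshd[3]: Connection from 188.124.3.41'
+' port 32889\n'
+),
+}
 
 event_data = storage_writer.GetAttributeContainerByIndex('event_data', 4)
 self.CheckEventData(event_data, expected_event_values)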
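Review bot: The new `'raw_message'` entries are appended after `'severity'` or `'facility'` in the ChromeOS, rsyslog, protocol-23, cron and Darwin fixtures, while every other key in those dictionaries is kept in alphabetical order; placing `'raw_message'` between `'pid'` and `'reporter'` (or before `'severity'`) keeps the fixtures consistent with the sshd hunk, where it already sorts correctly after `'last_written_time'`. Every expected value also hard-codes the trailing `\n`, so these assertions double as the only check that the line terminator is retained; a one-line comment in the first fixture such as `# raw_message keeps the trailing line terminator` would record that this is intended rather than incidental. Each test method body starts outside its hunk.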
