diff --git a/config/tests/generate_test_files.sh b/config/tests/generate_test_files.sh index 4a3879a4c4..264ac99430 100755 --- a/config/tests/generate_test_files.sh +++ b/config/tests/generate_test_files.sh @@ -16,15 +16,19 @@ fi rm -rf build/ dist/; -./setup.py -q sdist_test_data; +cp MANIFEST.test_data.in MANIFEST.in + +./setup.py -q sdist; if test $? -ne ${EXIT_SUCCESS}; then - echo "Unable to run: ./setup.py sdist_test_data"; + echo "Unable to run: ./setup.py sdist"; exit ${EXIT_FAILURE}; fi +git checkout MANIFEST.in + SDIST_PACKAGE=`ls -1 dist/plaso-*.tar.gz | head -n1 | sed 's?^dist/??'`; if ! test "dist/${SDIST_PACKAGE}"; @@ -72,8 +76,8 @@ cp -rf ${SOURCE_DIRECTORY}/* .; TEST_FILE="psort_test.plaso"; # Syslog does not contain a year we must pass preferred year to prevent the parser failing early on non-leap years. -PYTHONPATH=. python ./tools/log2timeline.py --buffer_size=300 --quiet --preferred_year 2012 --storage-file ${TEST_FILE} test_data/syslog; -PYTHONPATH=. python ./tools/log2timeline.py --quiet --timezone=Iceland --preferred_year 2012 --storage-file ${TEST_FILE} test_data/syslog; +PYTHONPATH=. python ./plaso/scripts/log2timeline.py --buffer_size=300 --quiet --preferred_year 2012 --storage-file ${TEST_FILE} test_data/syslog/syslog; +PYTHONPATH=. python ./plaso/scripts/log2timeline.py --quiet --timezone=Iceland --preferred_year 2012 --storage-file ${TEST_FILE} test_data/syslog/syslog; cat > tagging.txt < tagging.txt < self._session_end_timestamp): diff --git a/plaso/analysis/tagging.py b/plaso/analysis/tagging.py index b85fbea91c..2c7c393789 100644 --- a/plaso/analysis/tagging.py +++ b/plaso/analysis/tagging.py @@ -17,7 +17,8 @@ def __init__(self): self._tagging_rules = None def ExamineEvent( - self, analysis_mediator, event, event_data, event_data_stream): + self, analysis_mediator, event, event_data, event_data_stream, + event_values): """Labels events according to the rules in a tagging file. Args: 
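Review bot: If `./setup.py -q sdist` fails, the script exits before the new `git checkout MANIFEST.in` runs, so the copy of `MANIFEST.test_data.in` is left in place as `MANIFEST.in` in the working tree and can be committed by accident. Restore it on the failure path too, e.g. add `git checkout MANIFEST.in;` before `exit ${EXIT_FAILURE};`, or register `trap 'git checkout MANIFEST.in' EXIT` immediately after the `cp`. The exit status of `git checkout MANIFEST.in` is also not checked, so a failed restore goes unnoticed. The later `cat > tagging.txt` heredoc appears garbled in this rendering (`cat > tagging.txt < tagging.txt <`), so its contents could not be reviewed.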
@@ -26,13 +27,15 @@ def ExamineEvent( event (EventObject): event to examine. event_data (EventData): event data. event_data_stream (EventDataStream): event data stream. + event_values (AttributeContainer): event values attribute container. """ matched_label_names = [] - for label_name, filter_objects in self._tagging_rules.items(): - for filter_object in filter_objects: - # Note that tagging events based on existing labels is currently - # not supported. - if filter_object.Match(event, event_data, event_data_stream, None): + for label_name, event_filters in self._tagging_rules.items(): + for event_filter in event_filters: + # Note that tagging events based on existing labels is currently not + # supported. + if event_filter.Match( + event, event_data, event_data_stream, event_values, None): matched_label_names.append(label_name) break diff --git a/plaso/analysis/test_memory.py b/plaso/analysis/test_memory.py index b6ccb1fa54..73c3cce1b4 100644 --- a/plaso/analysis/test_memory.py +++ b/plaso/analysis/test_memory.py @@ -35,7 +35,8 @@ def CompileReport(self, analysis_mediator): # pylint: disable=unused-argument def ExamineEvent( - self, analysis_mediator, event, event_data, event_data_stream): + self, analysis_mediator, event, event_data, event_data_stream, + event_values): """Analyzes an event. Args: @@ -44,6 +45,7 @@ def ExamineEvent( event (EventObject): event. event_data (EventData): event data. event_data_stream (EventDataStream): event data stream. + event_values (AttributeContainer): event values attribute container. """ self._objects.append(list(range(1024))) diff --git a/plaso/analysis/unique_domains_visited.py b/plaso/analysis/unique_domains_visited.py index 9eccbcd133..3ddd8b28b7 100644 --- a/plaso/analysis/unique_domains_visited.py +++ b/plaso/analysis/unique_domains_visited.py 
@@ -31,7 +31,8 @@ class UniqueDomainsVisitedPlugin(interface.AnalysisPlugin): # pylint: disable=unused-argument def ExamineEvent( - self, analysis_mediator, event, event_data, event_data_stream): + self, analysis_mediator, event, event_data, event_data_stream, + event_values): """Analyzes an event and extracts domains from it. We only evaluate straightforward web history events, not visits which can @@ -43,6 +44,7 @@ def ExamineEvent( event (EventObject): event to examine. event_data (EventData): event data. event_data_stream (EventDataStream): event data stream. + event_values (AttributeContainer): event values attribute container. """ if event_data.data_type not in self._SUPPORTED_EVENT_DATA_TYPES: return diff --git a/plaso/containers/events.py b/plaso/containers/events.py index c8c1c5592e..3c87650e45 100644 --- a/plaso/containers/events.py +++ b/plaso/containers/events.py @@ -4,8 +4,8 @@ import hashlib import re -from acstore.containers import interface -from acstore.containers import manager +from acstore.containers import interface as containers_interface +from acstore.containers import manager as containers_manager from dfdatetime import interface as dfdatetime_interface @@ -28,8 +28,8 @@ def CalculateEventValuesHash(event_data, event_data_stream): for attribute_name, attribute_value in sorted(event_data.GetAttributes()): if attribute_value is None or attribute_name in ( - '_event_data_stream_identifier', '_event_values_hash', '_parser_chain', - 'data_type'): + '_event_data_stream_identifier', '_event_values_hash', + '_event_values_identifier', '_parser_chain', 'data_type'): continue # Ignore date and time values. @@ -82,7 +82,7 @@ def CalculateEventValuesHash(event_data, event_data_stream): return md5_context.hexdigest() -class DateLessLogHelper(interface.AttributeContainer): +class DateLessLogHelper(containers_interface.AttributeContainer): """Attribute container to assist with logs without full dates. Attributes: 
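Review bot: `CalculateEventValuesHash` now skips `_event_values_identifier` but still hashes only the attributes found on `event_data`; event data produced through the new `ProduceEventDataFromAttributeContainer` carries nothing but `data_type` and that excluded identifier, so every such event data of one data type (and data stream) hashes to the same digest. If this hash is used to deduplicate event data, the LNK events from one data stream will collapse onto each other; if it is meant to stay value-based, the referenced event values container's attributes need to be folded into the digest, which means passing that container (or at least its identifier string) into this function. The function starts before this hunk.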
@@ -197,7 +197,7 @@ def SetEventDataStreamIdentifier(self, event_data_stream_identifier): self._event_data_stream_identifier = event_data_stream_identifier -class EventData(interface.AttributeContainer): +class EventData(containers_interface.AttributeContainer): """Event data attribute container. The event data attribute container represents the attributes of an entity, @@ -212,6 +212,7 @@ class EventData(interface.AttributeContainer): _SERIALIZABLE_PROTECTED_ATTRIBUTES = [ '_event_data_stream_identifier', '_event_values_hash', + '_event_values_identifier', '_parser_chain'] def __init__(self, data_type=None): @@ -223,6 +224,7 @@ def __init__(self, data_type=None): super(EventData, self).__init__() self._event_data_stream_identifier = None self._event_values_hash = None + self._event_values_identifier = None self._parser_chain = None self.data_type = data_type 
@@ -280,8 +282,31 @@ def SetEventDataStreamIdentifier(self, event_data_stream_identifier): """ self._event_data_stream_identifier = event_data_stream_identifier + def GetEventValuesIdentifier(self): + """Retrieves the identifier of the associated event values container. -class EventDataStream(interface.AttributeContainer): + The event values identifier is a storage specific value that requires + special handling during serialization. + + Returns: + AttributeContainerIdentifier: event values or None when not set. + """ + return self._event_values_identifier + + def SetEventValuesIdentifier(self, event_values_identifier): + """Sets the identifier of the associated event values container. + + The event values identifier is a storage specific value that requires + special handling during serialization. + + Args: + event_values_identifier (AttributeContainerIdentifier): event values + identifier. + """ + self._event_values_identifier = event_values_identifier + + +class EventDataStream(containers_interface.AttributeContainer): """Event data stream attribute container. The event data stream attribute container represents the attributes of @@ -318,7 +343,7 @@ def __init__(self): self.yara_match = None -class EventObject(interface.AttributeContainer): +class EventObject(containers_interface.AttributeContainer): """Event attribute container. The framework is designed to parse files and create events @@ -392,7 +417,7 @@ def SetEventDataIdentifier(self, event_data_identifier): self._event_data_identifier = event_data_identifier -class EventTag(interface.AttributeContainer): +class EventTag(containers_interface.AttributeContainer): """Event tag attribute container. Attributes: 
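Review bot: The Returns section of `GetEventValuesIdentifier` reads `AttributeContainerIdentifier: event values or None when not set.`, but the method returns the identifier of the event values container, not the values. Change it to `AttributeContainerIdentifier: event values identifier or None when not set.` so it matches what `_event_values_identifier` actually holds and what `SetEventValuesIdentifier` documents.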
@@ -501,7 +526,7 @@ def SetEventIdentifier(self, event_identifier): # TODO: the YearLessLogHelper attribute container is kept for backwards # compatibility remove once storage format 20230327 is obsolete. -class YearLessLogHelper(interface.AttributeContainer): +class YearLessLogHelper(containers_interface.AttributeContainer): """Year-less log helper attribute container. Attributes: @@ -555,6 +580,6 @@ def SetEventDataStreamIdentifier(self, event_data_stream_identifier): self._event_data_stream_identifier = event_data_stream_identifier -manager.AttributeContainersManager.RegisterAttributeContainers([ +containers_manager.AttributeContainersManager.RegisterAttributeContainers([ DateLessLogHelper, EventData, EventDataStream, EventObject, EventTag, YearLessLogHelper]) diff --git a/plaso/filters/event_filter.py b/plaso/filters/event_filter.py index 064a93eaee..2ee663e924 100644 --- a/plaso/filters/event_filter.py +++ b/plaso/filters/event_filter.py @@ -30,13 +30,15 @@ def CompileFilter(self, filter_expression): self._event_filter = expression.Compile() self._filter_expression = filter_expression - def Match(self, event, event_data, event_data_stream, event_tag): + def Match( + self, event, event_data, event_data_stream, event_values, event_tag): """Determines if an event matches the filter. Args: event (EventObject): event. event_data (EventData): event data. event_data_stream (EventDataStream): event data stream. + event_values (AttributeContainer): event values attribute container. event_tag (EventTag): event tag. Returns: @@ -46,4 +48,4 @@ def Match(self, event, event_data, event_data_stream, event_tag): return True return self._event_filter.Matches( - event, event_data, event_data_stream, event_tag) + event, event_data, event_data_stream, event_values, event_tag) diff --git a/plaso/filters/filters.py b/plaso/filters/filters.py index 1c4d4b9cfc..3405b334e7 100644 --- a/plaso/filters/filters.py +++ b/plaso/filters/filters.py 
@@ -54,13 +54,15 @@ def _CopyValueToString(self, value): return value @abc.abstractmethod - def Matches(self, event, event_data, event_data_stream, event_tag): + def Matches( + self, event, event_data, event_data_stream, event_values, event_tag): """Determines if the event, data and tag match the filter. Args: event (EventObject): event to compare against the filter. event_data (EventData): event data to compare against the filter. event_data_stream (EventDataStream): event data stream. + event_values (AttributeContainer): event values attribute container. event_tag (EventTag): event tag to compare against the filter. Returns: @@ -74,13 +76,15 @@ class AndFilter(Filter): Note that if no conditions are passed, all objects will pass. """ - def Matches(self, event, event_data, event_data_stream, event_tag): + def Matches( + self, event, event_data, event_data_stream, event_values, event_tag): """Determines if the event, data and tag match the filter. Args: event (EventObject): event to compare against the filter. event_data (EventData): event data to compare against the filter. event_data_stream (EventDataStream): event data stream. + event_values (AttributeContainer): event values attribute container. event_tag (EventTag): event tag to compare against the filter. Returns: @@ -88,7 +92,7 @@ def Matches(self, event, event_data, event_data_stream, event_tag): """ for sub_filter in self.args: match = sub_filter.Matches( - event, event_data, event_data_stream, event_tag) + event, event_data, event_data_stream, event_values, event_tag) if not match: return False return True 
@@ -100,13 +104,15 @@ class OrFilter(Filter): Note that if no conditions are passed, all objects will pass. """ - def Matches(self, event, event_data, event_data_stream, event_tag): + def Matches( + self, event, event_data, event_data_stream, event_values, event_tag): """Determines if the event, data and tag match the filter. Args: event (EventObject): event to compare against the filter. event_data (EventData): event data to compare against the filter. event_data_stream (EventDataStream): event data stream. + event_values (AttributeContainer): event values attribute container. event_tag (EventTag): event tag to compare against the filter. Returns: @@ -117,7 +123,7 @@ def Matches(self, event, event_data, event_data_stream, event_tag): for sub_filter in self.args: match = sub_filter.Matches( - event, event_data, event_data_stream, event_tag) + event, event_data, event_data_stream, event_values, event_tag) if match: return True return False @@ -127,13 +133,15 @@ class Operator(Filter): """Interface for filters that represent operators.""" @abc.abstractmethod - def Matches(self, event, event_data, event_data_stream, event_tag): + def Matches( + self, event, event_data, event_data_stream, event_values, event_tag): """Determines if the event, data and tag match the filter. Args: event (EventObject): event to compare against the filter. event_data (EventData): event data to compare against the filter. event_data_stream (EventDataStream): event data stream. + event_values (AttributeContainer): event values attribute container. event_tag (EventTag): event tag to compare against the filter. Returns: 
@@ -144,13 +152,15 @@ def Matches(self, event, event_data, event_data_stream, event_tag): class IdentityFilter(Operator): """A filter which always evaluates to True.""" - def Matches(self, event, event_data, event_data_stream, event_tag): + def Matches( + self, event, event_data, event_data_stream, event_values, event_tag): """Determines if the event, data and tag match the filter. Args: event (EventObject): event to compare against the filter. event_data (EventData): event data to compare against the filter. event_data_stream (EventDataStream): event data stream. + event_values (AttributeContainer): event values attribute container. event_tag (EventTag): event tag to compare against the filter. Returns: @@ -187,13 +197,15 @@ def __init__(self, arguments=None, **kwargs): self.right_operand = arguments[1] @abc.abstractmethod - def Matches(self, event, event_data, event_data_stream, event_tag): + def Matches( + self, event, event_data, event_data_stream, event_values, event_tag): """Determines if the event, data and tag match the filter. Args: event (EventObject): event to compare against the filter. event_data (EventData): event data to compare against the filter. event_data_stream (EventDataStream): event data stream. + event_values (AttributeContainer): event values attribute container. event_tag (EventTag): event tag to compare against the filter. Returns: @@ -233,7 +245,8 @@ def _CompareValue(self, event_value, filter_value): """ def _GetValue( - self, attribute_name, event, event_data, event_data_stream, event_tag): + self, attribute_name, event, event_data, event_data_stream, event_values, + event_tag): """Retrieves the value of a specific event, data or tag attribute. Args: 
@@ -241,6 +254,7 @@ def _GetValue( event (EventObject): event to retrieve the value from. event_data (EventData): event data to retrieve the value from. event_data_stream (EventDataStream): event data stream. + event_values (AttributeContainer): event values attribute container. event_tag (EventTag): event tag to retrieve the value from. Returns: @@ -270,6 +284,9 @@ def _GetValue( elif attribute_name == 'tag': attribute_value = getattr(event_tag, 'labels', None) + elif event_values and attribute_name != 'data_type': + attribute_value = getattr(event_values, attribute_name, None) + else: attribute_value = getattr(event_data, attribute_name, None) @@ -280,20 +297,23 @@ def FlipBool(self): logger.debug('Negative matching.') self._bool_value = not self._bool_value - def Matches(self, event, event_data, event_data_stream, event_tag): + def Matches( + self, event, event_data, event_data_stream, event_values, event_tag): """Determines if the event, data and tag match the filter. Args: event (EventObject): event to compare against the filter. event_data (EventData): event data to compare against the filter. event_data_stream (EventDataStream): event data stream. + event_values (AttributeContainer): event values attribute container. event_tag (EventTag): event tag to compare against the filter. Returns: bool: True if the event, data and tag match the filter, False otherwise. """ value = self._GetValue( - self.left_operand, event, event_data, event_data_stream, event_tag) + self.left_operand, event, event_data, event_data_stream, event_values, + event_tag) if value and self._CompareValue(value, self.right_operand): return self._bool_value diff --git a/plaso/multi_process/analysis_engine.py b/plaso/multi_process/analysis_engine.py index 9108e4a6c1..e0433723dc 100644 --- a/plaso/multi_process/analysis_engine.py +++ b/plaso/multi_process/analysis_engine.py 
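Review bot: In `_GetValue`, once an event values container is present every attribute except `data_type` is read from it and `event_data` is never consulted, so a filter on an attribute that still lives on the event data container evaluates to None whenever event values exist. Falling back keeps the old behaviour: `attribute_value = getattr(event_values, attribute_name, None)` followed by `if attribute_value is None: attribute_value = getattr(event_data, attribute_name, None)`. The `elif event_values and …` test also relies on the truthiness of the container object; `event_values is not None` is the explicit form unless AttributeContainer defines `__bool__`/`__len__`, which this diff does not show. `_GetValue` starts before this hunk.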
@@ -126,12 +126,21 @@ def _AnalyzeEvents(self, storage_writer, analysis_plugins, event_filter=None): else: event_data_stream = None + event_values_identifier = event_data.GetEventValuesIdentifier() + if event_values_identifier: + # TODO: get container_type from event_data.data_type + container_type = None + event_values = storage_writer.GetAttributeContainerByIdentifier( + container_type, event_values_identifier) + else: + event_values = None + event_identifier = event.GetIdentifier() event_tag = storage_writer.GetEventTagByEventIdentifer(event_identifier) if event_filter: filter_match = event_filter.Match( - event, event_data, event_data_stream, event_tag) + event, event_data, event_data_stream, event_values, event_tag) else: filter_match = None @@ -142,7 +151,8 @@ def _AnalyzeEvents(self, storage_writer, analysis_plugins, event_filter=None): for event_queue in self._event_queues.values(): # TODO: Check for premature exit of analysis plugins. - event_queue.PushItem((event, event_data, event_data_stream)) + event_queue.PushItem( + (event, event_data, event_data_stream, event_values)) self._number_of_consumed_events += 1 diff --git a/plaso/multi_process/analysis_process.py b/plaso/multi_process/analysis_process.py index feff39ec7a..7b2dcd52bd 100644 --- a/plaso/multi_process/analysis_process.py +++ b/plaso/multi_process/analysis_process.py @@ -230,7 +230,8 @@ def _Main(self): except errors.QueueAlreadyClosed: logger.error('Queue for {0:s} was already closed.'.format(self.name)) - def _ProcessEvent(self, mediator, event, event_data, event_data_stream): + def _ProcessEvent( + self, mediator, event, event_data, event_data_stream, event_values): """Processes an event. Args: 
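Review bot: `container_type` is hard-coded to None (as the TODO admits) and then passed to `storage_writer.GetAttributeContainerByIdentifier`, so as committed the lookup cannot resolve the event values container; depending on the store it raises or returns None, and every event that has an event values identifier reaches the filter and the analysis plugins with no values. The container type is recoverable from the identifier itself: merge_helpers in this same change uses `event_values_identifier.name` as the container type, so `container_type = event_values_identifier.name` closes the TODO without consulting `data_type`. `_AnalyzeEvents` starts before this hunk.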
@@ -239,10 +240,11 @@ def _ProcessEvent(self, mediator, event, event_data, event_data_stream): event (EventObject): event. event_data (EventData): event data. event_data_stream (EventDataStream): event data stream. + event_values (AttributeContainer): event values attribute container. """ try: self._analysis_plugin.ExamineEvent( - mediator, event, event_data, event_data_stream) + mediator, event, event_data, event_data_stream, event_values) except Exception as exception: # pylint: disable=broad-except # TODO: write analysis error and change logger to debug only. diff --git a/plaso/multi_process/extraction_engine.py b/plaso/multi_process/extraction_engine.py index 70ae8081f1..c209507c69 100644 --- a/plaso/multi_process/extraction_engine.py +++ b/plaso/multi_process/extraction_engine.py 
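Review bot: `_ProcessEvent` now takes `event_values` and the producer side pushes four-tuples (`event_queue.PushItem((event, event_data, event_data_stream, event_values))` in analysis_engine), but the consumer code in `_Main` that pops the queue item and calls `_ProcessEvent` is not part of this diff; if it still unpacks three elements it fails with a ValueError on the first event. Please confirm the unpacking site was updated, or show it in this change. The enclosing method body ends outside this hunk.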
@@ -449,15 +449,33 @@ def _MergeAttributeContainer(self, storage_writer, merge_helper, container): f'message file: {message_file_lookup_key:s} could not be found.')) return - lookup_key = None - if container.CONTAINER_TYPE in ( - self._CONTAINER_TYPE_EVENT_DATA, - self._CONTAINER_TYPE_EVENT_DATA_STREAM, - 'windows_eventlog_message_file'): - # Preserve the lookup key before adding it to the attribute container - # store. - identifier = container.GetIdentifier() - lookup_key = identifier.CopyToString() + if container.CONTAINER_TYPE == self._CONTAINER_TYPE_EVENT_DATA: + event_values_identifier = container.GetEventValuesIdentifier() + event_values_lookup_key = None + if event_values_identifier: + event_values_lookup_key = event_values_identifier.CopyToString() + + event_values_identifier = merge_helper.GetAttributeContainerIdentifier( + event_values_lookup_key) + + if event_values_identifier: + container.SetEventValuesIdentifier(event_values_identifier) + elif event_values_lookup_key: + identifier = container.GetIdentifier() + identifier_string = identifier.CopyToString() + + # TODO: store this as a merge warning so this is preserved + # in the storage file. + logger.error(( + f'Unable to merge {container.CONTAINER_TYPE:s} attribute ' + f'container: {identifier_string:s} since corresponding event ' + f'values: {event_values_lookup_key:s} could not be found.')) + return + + # For attribute containers that are referenced from other containers, + # preserve the lookup key before adding it to the attribute container store. + lookup_key, identifier = merge_helper.PreserveAttributeContainerIdentifier( + container) storage_writer.AddAttributeContainer(container) diff --git a/plaso/multi_process/merge_helpers.py b/plaso/multi_process/merge_helpers.py index cfc43115fc..208b638033 100644 --- a/plaso/multi_process/merge_helpers.py +++ b/plaso/multi_process/merge_helpers.py 
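Review bot: `event_values_identifier` is bound twice with different meanings in this hunk, first as the identifier read from the task store and then as the result of `merge_helper.GetAttributeContainerIdentifier`, so the `if event_values_identifier: … elif event_values_lookup_key:` chain only reads correctly once the reader notices the rebinding. Naming the second binding, e.g. `merged_event_values_identifier = merge_helper.GetAttributeContainerIdentifier(event_values_lookup_key)` and testing that name, makes the "referenced event values were never merged" branch explicit. `PreserveAttributeContainerIdentifier` is only defined on ExtractionTaskMergeHelper in this change; if `_MergeAttributeContainer` is ever handed another merge helper type this call raises AttributeError, so either document that assumption or add a base-class default returning `None, None`. `_MergeAttributeContainer` begins before this hunk.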
@@ -68,7 +68,7 @@ def GetAttributeContainer(self): return container def GetAttributeContainerIdentifier(self, lookup_key): - """Retrieves an attribute container. + """Retrieves an attribute container identifier. Args: lookup_key (str): lookup key that identifies the attribute container. @@ -80,7 +80,7 @@ def GetAttributeContainerIdentifier(self, lookup_key): return self._container_identifier_mappings.get(lookup_key, None) def SetAttributeContainerIdentifier(self, lookup_key, identifier): - """Sets an attribute container. + """Sets an attribute container identifier. Args: lookup_key (str): lookup key that identifies the attribute container. 
@@ -120,9 +120,79 @@ class ExtractionTaskMergeHelper(BaseTaskMergeHelper): # data by the timeliner and therefore needs to be merged before event # data containers. events.DateLessLogHelper.CONTAINER_TYPE, - events.EventData.CONTAINER_TYPE, warnings.ExtractionWarning.CONTAINER_TYPE, warnings.RecoveryWarning.CONTAINER_TYPE, artifacts.WindowsEventLogMessageFileArtifact.CONTAINER_TYPE, artifacts.WindowsEventLogMessageStringArtifact.CONTAINER_TYPE, artifacts.WindowsWevtTemplateEvent.CONTAINER_TYPE) + + def __init__(self, task_storage_reader, task_identifier): + """Initialize a helper for merging task related attribute containers. + + Args: + task_storage_reader (StorageReader): task storage reader. + task_identifier (str): identifier of the task that is merged. + """ + super(ExtractionTaskMergeHelper, self).__init__( + task_storage_reader, task_identifier) + self._event_values_container_types = set() + + def _GetAttributeContainers(self, task_storage_reader): + """Retrieves attribute containers to merge. + + Args: + task_storage_reader (StorageReader): task storage reader. + + Yields: + AttributeContainer: attribute container. + """ + self._event_values_container_types = set() + for container in task_storage_reader.GetAttributeContainers( + events.EventData.CONTAINER_TYPE): + event_values_identifier = container.GetEventValuesIdentifier() + if event_values_identifier: + self._event_values_container_types.add(event_values_identifier.name) + + for container_type in self._CONTAINER_TYPES: + for container in task_storage_reader.GetAttributeContainers( + container_type): + yield container + + # Merge event values attribute containers before the event data that + # references it. 
+ for container_type in self._event_values_container_types: + for container in task_storage_reader.GetAttributeContainers( + container_type): + yield container + + for container in task_storage_reader.GetAttributeContainers( + events.EventData.CONTAINER_TYPE): + yield container + + self.fully_merged = True + + def PreserveAttributeContainerIdentifier(self, container): + """Preserves an attribute container identifier. + + Args: + container (AttributeContainer): attribute container. + + Returns: + tuple[str, AttributeContainerIdentifier]: lookup key and corresponding + attribute container identifier or None, None if the attribute + container does not require to be mapped. + """ + if container.CONTAINER_TYPE in ( + artifacts.WindowsEventLogMessageFileArtifact.CONTAINER_TYPE, + events.EventData.CONTAINER_TYPE, + events.EventDataStream.CONTAINER_TYPE): + identifier = container.GetIdentifier() + lookup_key = identifier.CopyToString() + return lookup_key, identifier + + if container.CONTAINER_TYPE in self._event_values_container_types: + identifier = container.GetIdentifier() + lookup_key = identifier.CopyToString() + return lookup_key, identifier + + return None, None diff --git a/plaso/multi_process/output_engine.py b/plaso/multi_process/output_engine.py index c914a5249c..a08e675953 100644 --- a/plaso/multi_process/output_engine.py +++ b/plaso/multi_process/output_engine.py @@ -226,6 +226,15 @@ def _ExportEvents( else: event_data_stream = None + event_values_identifier = event_data.GetEventValuesIdentifier() + if event_values_identifier: + # TODO: get container_type from event_data.data_type + container_type = None + event_values = storage_reader.GetAttributeContainerByIdentifier( + container_type, event_values_identifier) + else: + event_values = None + event_identifier = event.GetIdentifier() event_tag = storage_reader.GetEventTagByEventIdentifer(event_identifier) 
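Review bot: The two branches of `PreserveAttributeContainerIdentifier` have identical bodies; a single condition reads better, e.g. hoist the three literal types into a class constant `_PRESERVED_CONTAINER_TYPES` and write `if container.CONTAINER_TYPE in self._PRESERVED_CONTAINER_TYPES or container.CONTAINER_TYPE in self._event_values_container_types:` with one `identifier = container.GetIdentifier()` / `return identifier.CopyToString(), identifier` body. `_GetAttributeContainers` also iterates every event data container in the task store twice, once to collect the event values container types and once to yield them; if the reader goes back to storage for the second pass this doubles the event data reads per task merge, which is worth a short comment so it is not "optimised away" later without understanding the ordering constraint it serves.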
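Review bot: As in the analysis engine hunk, `container_type = None` is passed to `storage_reader.GetAttributeContainerByIdentifier`, so the export path never resolves the event values container and the event filter sees `event_values=None` for every event that carries an identifier. `container_type = event_values_identifier.name`, the same property merge_helpers uses as container type in this change, resolves the TODO. `_ExportEvents` starts before this hunk.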
@@ -234,7 +243,7 @@ def _ExportEvents( if event_filter: filter_match = event_filter.Match( - event, event_data, event_data_stream, event_tag) + event, event_data, event_data_stream, event_values, event_tag) else: filter_match = None diff --git a/plaso/parsers/mediator.py b/plaso/parsers/mediator.py index 6b9ca5b087..779d676c3c 100644 --- a/plaso/parsers/mediator.py +++ b/plaso/parsers/mediator.py @@ -522,6 +522,25 @@ def ProduceEventDataStream(self, event_data_stream): self.last_activity_timestamp = time.time() + def ProduceEventDataFromAttributeContainer(self, data_type, event_values): + """Produces event data from an attribute container. + + Args: + data_type (str): event data type indicator. + event_values (acstore.AttributeContainer): event values attribute + container. + + Raises: + RuntimeError: when storage writer is not set. + """ + event_data = events.EventData(data_type=data_type) + + event_values_identifier = event_values.GetIdentifier() + event_data.SetEventValuesIdentifier(event_values_identifier) + + self._storage_writer.AddAttributeContainer(event_values) + self.ProduceEventData(event_data) + def ProduceEventSource(self, event_source): """Produces an event source. diff --git a/plaso/parsers/winlnk.py b/plaso/parsers/winlnk.py index fc69119c81..8cdebc9daa 100644 --- a/plaso/parsers/winlnk.py +++ b/plaso/parsers/winlnk.py @@ -5,9 +5,11 @@ import pylnk +from acstore.containers import interface as containers_interface +from acstore.containers import manager as containers_manager + from dfdatetime import filetime as dfdatetime_filetime -from plaso.containers import events from plaso.containers import windows_events from plaso.lib import definitions from plaso.lib import specification 
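Review bot: `ProduceEventDataFromAttributeContainer` reads `event_values.GetIdentifier()` before `self._storage_writer.AddAttributeContainer(event_values)`; if, as for the other containers the mediator produces, the identifier is assigned by the storage writer on add, the event data records a None (or stale) identifier and the link to its values is lost. Add the container first and then copy the identifier: `self._storage_writer.AddAttributeContainer(event_values)` followed by `event_data.SetEventValuesIdentifier(event_values.GetIdentifier())`. The docstring also promises `RuntimeError: when storage writer is not set`, but the method dereferences `self._storage_writer` itself before it reaches `ProduceEventData`, so an unset writer surfaces as AttributeError; guard with `if not self._storage_writer: raise RuntimeError(...)` at the top.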
@@ -16,8 +18,9 @@ from plaso.parsers.shared import shell_items -class WinLnkLinkEventData(events.EventData): - """Windows Shortcut (LNK) link event data. +class WindowsShortcutAttributeContainer( + containers_interface.AttributeContainer): + """Windows Shortcut (LNK) attribute container. Attributes: access_time (dfdatetime.DateTimeValues): file entry last access date @@ -37,7 +40,7 @@ class WinLnkLinkEventData(events.EventData): identifier. droid_volume_identifier (str): distributed link tracking droid volume identifier. - env_var_location (str): environment variables location. + environment_variables_location (str): environment variables location. file_attribute_flags (int): file attribute flags of the linked item. file_size (int): size of the linked item. icon_location (str): icon location. 
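Review bot: Renaming `env_var_location` to `environment_variables_location` changes an attribute name that existing filter expressions, tagging rules and output formatter definitions for LNK events may refer to, and none of those data files are updated in this diff; because `_GetValue` uses `getattr(..., None)`, anything still referencing `env_var_location` will silently evaluate to None rather than fail. Either keep the old name, or update the formatter and tagging definitions in the same change and call the rename out for users with custom filters. The class docstring continues outside this hunk.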
@@ -51,11 +54,34 @@ class WinLnkLinkEventData(events.EventData): working_directory (str): working directory. """ - DATA_TYPE = 'windows:lnk:link' + CONTAINER_TYPE = 'windows_shortcut' + + SCHEMA = { + 'access_time': 'dfdatetime.DateTimeValues', + 'birth_droid_file_identifier': 'str', + 'birth_droid_volume_identifier': 'str', + 'command_line_arguments': 'str', + 'creation_time': 'dfdatetime.DateTimeValues', + 'description': 'str', + 'drive_serial_number': 'int', + 'drive_type': 'str', + 'droid_file_identifier': 'str', + 'droid_volume_identifier': 'str', + 'environment_variables_location': 'str', + 'file_attribute_flags': 'int', + 'file_size': 'int', + 'icon_location': 'str', + 'link_target': 'str', + 'local_path': 'str', + 'modification_time': 'dfdatetime.DateTimeValues', + 'network_path': 'str', + 'relative_path': 'str', + 'volume_label': 'str', + 'working_directory': 'str'} def __init__(self): - """Initializes event data.""" - super(WinLnkLinkEventData, self).__init__(data_type=self.DATA_TYPE) + """Initializes a Windows Shortcut (LNK) attribute container.""" + super(WindowsShortcutAttributeContainer, self).__init__() self.access_time = None self.birth_droid_file_identifier = None self.birth_droid_volume_identifier = None @@ -66,7 +92,7 @@ def __init__(self): self.drive_type = None self.droid_file_identifier = None self.droid_volume_identifier = None - self.env_var_location = None + self.environment_variables_location = None self.file_attribute_flags = None self.file_size = None self.icon_location = None @@ -79,6 +105,10 @@ def __init__(self): self.working_directory = None +containers_manager.AttributeContainersManager.RegisterAttributeContainer( + WindowsShortcutAttributeContainer) + + class WinLnkParser(interface.FileObjectParser): """Windows Shortcut (LNK) file parser.""" 
@@ -109,6 +139,52 @@ def _GetDateTime(self, filetime): return dfdatetime_filetime.Filetime(timestamp=filetime) + def _GetEventValues(self, lnk_file): + """Retrieves the event values attribute container. + + Args: + lnk_file (pylnk.file): Windows shortcut (LNK) file. + + Returns: + WindowsShortcutAttributeContainer: event values attribute container. + """ + access_time = lnk_file.get_file_access_time_as_integer() + creation_time = lnk_file.get_file_creation_time_as_integer() + modification_time = lnk_file.get_file_modification_time_as_integer() + + event_values = WindowsShortcutAttributeContainer() + event_values.access_time = self._GetDateTime(access_time) + event_values.birth_droid_file_identifier = ( + lnk_file.birth_droid_file_identifier) + event_values.birth_droid_volume_identifier = ( + lnk_file.birth_droid_volume_identifier) + event_values.command_line_arguments = self._GetSanitizedPathString( + lnk_file.command_line_arguments) + event_values.creation_time = self._GetDateTime(creation_time) + event_values.description = self._GetSanitizedPathString( + lnk_file.description) + event_values.drive_serial_number = lnk_file.drive_serial_number + event_values.drive_type = lnk_file.drive_type + event_values.droid_file_identifier = lnk_file.droid_file_identifier + event_values.droid_volume_identifier = lnk_file.droid_volume_identifier + event_values.environment_variables_location = self._GetSanitizedPathString( + lnk_file.environment_variables_location) + event_values.file_attribute_flags = lnk_file.file_attribute_flags + event_values.file_size = lnk_file.file_size + event_values.icon_location = self._GetSanitizedPathString( + lnk_file.icon_location) + event_values.local_path = self._GetSanitizedPathString(lnk_file.local_path) + event_values.modification_time = self._GetDateTime(modification_time) + event_values.network_path = self._GetSanitizedPathString( + lnk_file.network_path) + event_values.relative_path = self._GetSanitizedPathString( + lnk_file.relative_path) + 
event_values.volume_label = lnk_file.volume_label + event_values.working_directory = self._GetSanitizedPathString( + lnk_file.working_directory) + + return event_values + def _GetSanitizedPathString(self, path): """Retrieves a sanitize path string. 
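Review bot: The docstring of `_GetEventValues` should state that `link_target` is deliberately left unset, since `WindowsShortcutAttributeContainer` declares it in `SCHEMA` and `ParseFileLNKFile` assigns it afterwards from `shell_items_parser.CopyToPath()`; read on its own, the method looks as if it returns a fully populated container. I would add to the `Returns:` section: `Note that link_target is not set here; the caller sets it from the shell items parser.`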
@@ -198,43 +274,12 @@ def ParseFileLNKFile( link_target = shell_items_parser.CopyToPath() - access_time = lnk_file.get_file_access_time_as_integer() - creation_time = lnk_file.get_file_creation_time_as_integer() - modification_time = lnk_file.get_file_modification_time_as_integer() - - event_data = WinLnkLinkEventData() - event_data.access_time = self._GetDateTime(access_time) - event_data.birth_droid_file_identifier = ( - lnk_file.birth_droid_file_identifier) - event_data.birth_droid_volume_identifier = ( - lnk_file.birth_droid_volume_identifier) - event_data.command_line_arguments = self._GetSanitizedPathString( - lnk_file.command_line_arguments) - event_data.creation_time = self._GetDateTime(creation_time) - event_data.description = self._GetSanitizedPathString( - lnk_file.description) - event_data.drive_serial_number = lnk_file.drive_serial_number - event_data.drive_type = lnk_file.drive_type - event_data.droid_file_identifier = lnk_file.droid_file_identifier - event_data.droid_volume_identifier = lnk_file.droid_volume_identifier - event_data.env_var_location = self._GetSanitizedPathString( - lnk_file.environment_variables_location) - event_data.file_attribute_flags = lnk_file.file_attribute_flags - event_data.file_size = lnk_file.file_size - event_data.icon_location = self._GetSanitizedPathString( - lnk_file.icon_location) - event_data.link_target = link_target - event_data.local_path = self._GetSanitizedPathString(lnk_file.local_path) - event_data.modification_time = self._GetDateTime(modification_time) - event_data.network_path = self._GetSanitizedPathString( - lnk_file.network_path) - event_data.relative_path = self._GetSanitizedPathString( - lnk_file.relative_path) - event_data.volume_label = lnk_file.volume_label - event_data.working_directory = self._GetSanitizedPathString( - lnk_file.working_directory) + event_values = self._GetEventValues(lnk_file) + event_values.link_target = link_target - parser_mediator.ProduceEventData(event_data) + # TODO: lookup 
event_data.data_type based on container_type + parser_mediator.ProduceEventDataFromAttributeContainer( + 'windows:lnk:link', event_values) if lnk_file.droid_file_identifier: # pylint: disable=using-constant-test try: diff --git a/plaso/storage/sqlite/sqlite_file.py b/plaso/storage/sqlite/sqlite_file.py index b3b1f7d8cb..027ecaf203 100644 --- a/plaso/storage/sqlite/sqlite_file.py +++ b/plaso/storage/sqlite/sqlite_file.py @@ -21,11 +21,11 @@ class SQLiteStorageFile(sqlite_store.SQLiteAttributeContainerStore): compression_format (str): compression format. """ - _FORMAT_VERSION = 20230327 + _FORMAT_VERSION = 20240325 - _APPEND_COMPATIBLE_FORMAT_VERSION = 20230327 + _APPEND_COMPATIBLE_FORMAT_VERSION = 20240325 - _UPGRADE_COMPATIBLE_FORMAT_VERSION = 20230327 + _UPGRADE_COMPATIBLE_FORMAT_VERSION = 20240325 _READ_COMPATIBLE_FORMAT_VERSION = 20230327 
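Review bot: The data type `'windows:lnk:link'` is now a bare string literal at the `ProduceEventDataFromAttributeContainer` call, whereas before it lived on the event data class as `DATA_TYPE`, so nothing ties it to `WindowsShortcutAttributeContainer` and its `CONTAINER_TYPE`. Until the lookup the TODO describes exists, I would keep `DATA_TYPE = 'windows:lnk:link'` on the container next to `CONTAINER_TYPE` and pass `WindowsShortcutAttributeContainer.DATA_TYPE` here, so tests and any other call site share one definition. `ParseFileLNKFile` starts and ends outside the hunk.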
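Review bot: `_READ_COMPATIBLE_FORMAT_VERSION` is left at 20230327 while this commit changes the event_data table layout, so a storage file written in the 20230327 format still passes the read check but no longer matches what the read path expects: `GetAttributeContainerByIndex` and `GetAttributeContainers` now select `_event_data_stream_identifier`, `_event_values_hash`, `_event_values_identifier` and `data_type`, which an older event_data table created with only `_data` does not have, and `_CreateAttributeContainerFromRow` indexes those columns unconditionally. Unless a check outside this diff rejects or converts older files first, reading one would presumably fail with a missing-column error rather than a clear format-version error. Either bump `_READ_COMPATIBLE_FORMAT_VERSION = 20240325` alongside the other three constants, or branch the column selection on the stored format version.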
@@ -91,7 +91,29 @@ def _CreateAttributeContainerFromRow( 'read_create', 'read', container_type, len(serialized_data), len(compressed_data)) - return self._DeserializeAttributeContainer(container_type, serialized_data) + container = self._DeserializeAttributeContainer( + container_type, serialized_data) + + if container_type == self._CONTAINER_TYPE_EVENT_DATA: + serialized_identifier = row[first_column_index + 1] + if serialized_identifier: + event_data_stream_identifier = ( + containers_interface.AttributeContainerIdentifier()) + event_data_stream_identifier.CopyFromString(serialized_identifier) + container.SetEventDataStreamIdentifier(event_data_stream_identifier) + + setattr(container, '_event_values_hash', row[first_column_index + 2]) + + serialized_identifier = row[first_column_index + 3] + if serialized_identifier: + event_values_identifier = ( + containers_interface.AttributeContainerIdentifier()) + event_values_identifier.CopyFromString(serialized_identifier) + container.SetEventValuesIdentifier(event_values_identifier) + + container.data_type = row[first_column_index + 4] + + return container def _CreateAttributeContainerTable(self, container_type): """Creates a table for a specific attribute container type. @@ -115,9 +137,16 @@ def _CreateAttributeContainerTable(self, container_type): else: data_column_type = 'TEXT' - query = ( - f'CREATE TABLE {container_type:s} (_identifier INTEGER PRIMARY KEY ' - f'AUTOINCREMENT, _data {data_column_type:s});') + if container_type == self._CONTAINER_TYPE_EVENT_DATA: + query = ( + f'CREATE TABLE {container_type:s} (_identifier INTEGER PRIMARY KEY ' + f'AUTOINCREMENT, _data {data_column_type:s}, ' + f'_event_data_stream_identifier TEXT, _event_values_hash TEXT, ' + f'_event_values_identifier TEXT, data_type TEXT);') + else: + query = ( + f'CREATE TABLE {container_type:s} (_identifier INTEGER PRIMARY KEY ' + f'AUTOINCREMENT, _data {data_column_type:s});') try: self._cursor.execute(query) 
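Review bot: The `row[first_column_index + 1]` through `row[first_column_index + 4]` reads in `_CreateAttributeContainerFromRow` depend on the order of a five-entry `column_names` list that is repeated verbatim in `_WriteNewAttributeContainer`, `GetAttributeContainerByIndex` and `GetAttributeContainers`; reordering any one copy would silently put the wrong value into `data_type` or one of the identifiers. I would define the list once on the class, e.g. `_EVENT_DATA_COLUMN_NAMES = ['_data', '_event_data_stream_identifier', '_event_values_hash', '_event_values_identifier', 'data_type']`, reference it from the three call sites, and mark the reads here with `# Column order must match _EVENT_DATA_COLUMN_NAMES.` `_CreateAttributeContainerFromRow` starts outside the hunk.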
@@ -168,15 +197,6 @@ def _DeserializeAttributeContainer(self, container_type, serialized_data): if self._serializers_profiler: self._serializers_profiler.StopTiming(container_type) - if container.CONTAINER_TYPE == self._CONTAINER_TYPE_EVENT_DATA: - serialized_identifier = getattr( - container, '_event_data_stream_identifier', None) - if serialized_identifier: - event_data_stream_identifier = ( - containers_interface.AttributeContainerIdentifier()) - event_data_stream_identifier.CopyFromString(serialized_identifier) - container.SetEventDataStreamIdentifier(event_data_stream_identifier) - return container def _ReadAndCheckStorageMetadata(self, check_readable_only=False): @@ -225,6 +245,11 @@ def _SerializeAttributeContainer(self, container): json_dict['_event_data_stream_identifier'] = ( event_data_stream_identifier.CopyToString()) + event_values_identifier = container.GetEventValuesIdentifier() + if event_values_identifier: + json_dict['_event_values_identifier'] = ( + event_values_identifier.CopyToString()) + try: serialized_string = json.dumps(json_dict) except TypeError as exception: 
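Review bot: `_event_values_identifier` is written into the JSON `_data` blob in `_SerializeAttributeContainer` although this commit also stores it in its own `_event_values_identifier` column, and the read of the stream identifier back out of the deserialized container is removed in the hunk above, so as far as this file shows the embedded copy is written but never read; the same now holds for the pre-existing `_event_data_stream_identifier` entry. If no other consumer of the serialized form relies on them, I would drop both `json_dict[...]` assignments so `_data` holds only the container's own attributes; otherwise a comment naming the reader that needs the embedded copy would help. `_SerializeAttributeContainer` starts and ends outside the hunk.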
@@ -337,38 +362,57 @@ def _WriteNewAttributeContainer(self, container): schema = self._GetAttributeContainerSchema(container.CONTAINER_TYPE) if schema: super(SQLiteStorageFile, self)._WriteNewAttributeContainer(container) - else: - next_sequence_number = self._GetAttributeContainerNextSequenceNumber( - container.CONTAINER_TYPE) + return - if (next_sequence_number == 1 and - not self._HasTable(container.CONTAINER_TYPE)): - self._CreateAttributeContainerTable(container.CONTAINER_TYPE) + next_sequence_number = self._GetAttributeContainerNextSequenceNumber( + container.CONTAINER_TYPE) - identifier = containers_interface.AttributeContainerIdentifier( - name=container.CONTAINER_TYPE, sequence_number=next_sequence_number) - container.SetIdentifier(identifier) + if (next_sequence_number == 1 and + not self._HasTable(container.CONTAINER_TYPE)): + self._CreateAttributeContainerTable(container.CONTAINER_TYPE) - serialized_data = self._SerializeAttributeContainer(container) + identifier = containers_interface.AttributeContainerIdentifier( + name=container.CONTAINER_TYPE, sequence_number=next_sequence_number) + container.SetIdentifier(identifier) - if self.compression_format == definitions.COMPRESSION_FORMAT_ZLIB: - compressed_data = zlib.compress(serialized_data) - serialized_data = sqlite3.Binary(compressed_data) - else: - compressed_data = '' + serialized_data = self._SerializeAttributeContainer(container) - if self._storage_profiler: - self._storage_profiler.Sample( - 'write_new', 'write', container.CONTAINER_TYPE, - len(serialized_data), len(compressed_data)) + if self.compression_format == definitions.COMPRESSION_FORMAT_ZLIB: + compressed_data = zlib.compress(serialized_data) + serialized_data = sqlite3.Binary(compressed_data) + else: + compressed_data = '' + + if self._storage_profiler: + self._storage_profiler.Sample( + 'write_new', 'write', container.CONTAINER_TYPE, + len(serialized_data), len(compressed_data)) + if container.CONTAINER_TYPE == 
self._CONTAINER_TYPE_EVENT_DATA: + event_data_stream_identifier = container.GetEventDataStreamIdentifier() + if event_data_stream_identifier: + event_data_stream_identifier = ( + event_data_stream_identifier.CopyToString()) + + event_values_hash = getattr(container, '_event_values_hash', None) + + event_values_identifier = container.GetEventValuesIdentifier() + if event_values_identifier: + event_values_identifier = event_values_identifier.CopyToString() + + column_names = ['_data', '_event_data_stream_identifier', + '_event_values_hash', '_event_values_identifier', + 'data_type'] + values = [serialized_data, event_data_stream_identifier, + event_values_hash, event_values_identifier, container.data_type] + else: column_names = ['_data'] values = [serialized_data] - self._CacheAttributeContainerForWrite( - container.CONTAINER_TYPE, column_names, values) + self._CacheAttributeContainerForWrite( + container.CONTAINER_TYPE, column_names, values) - self._CacheAttributeContainerByIndex(container, next_sequence_number - 1) + self._CacheAttributeContainerByIndex(container, next_sequence_number - 1) def GetAttributeContainerByIndex(self, container_type, index): """Retrieves a specific attribute container. @@ -409,7 +453,12 @@ def GetAttributeContainerByIndex(self, container_type, index): if not self._attribute_container_sequence_numbers[container_type]: return None - column_names = ['_data'] + if container_type == self._CONTAINER_TYPE_EVENT_DATA: + column_names = ['_data', '_event_data_stream_identifier', + '_event_values_hash', '_event_values_identifier', + 'data_type'] + else: + column_names = ['_data'] row_number = index + 1 column_names = ', '.join(column_names) 
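Review bot: In the event-data branch of `_WriteNewAttributeContainer`, `event_data_stream_identifier` and `event_values_identifier` are rebound from `AttributeContainerIdentifier` objects to their `CopyToString()` results, so each name holds two different types within a few lines, which makes the `values = [...]` list below harder to read and check. Separate names keep the types apart, e.g. `serialized_stream_identifier = None` / `if event_data_stream_identifier:` / `serialized_stream_identifier = event_data_stream_identifier.CopyToString()`, and likewise for the event values identifier. `_WriteNewAttributeContainer` starts outside the hunk.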
@@ -473,13 +522,20 @@ def GetAttributeContainers(self, container_type, filter_expression=None): yield container else: + if container_type == self._CONTAINER_TYPE_EVENT_DATA: + column_names = ['_data', '_event_data_stream_identifier', + '_event_values_hash', '_event_values_identifier', + 'data_type'] + else: + column_names = ['_data'] + sql_filter_expression = None if filter_expression: expression_ast = ast.parse(filter_expression, mode='eval') sql_filter_expression = sqlite_store.PythonAST2SQL(expression_ast.body) yield from self._GetAttributeContainersWithFilter( - container_type, column_names=['_data'], + container_type, column_names=column_names, filter_expression=sql_filter_expression) def GetSortedEvents(self, time_range=None): diff --git a/test_data/end_to_end/dynamic.log b/test_data/end_to_end/dynamic.log index 429ed25208..a6cb24d466 100644 --- a/test_data/end_to_end/dynamic.log +++ b/test_data/end_to_end/dynamic.log 
@@ -1,21 +1,21 @@ datetime,timestamp_desc,source,source_long,message,parser,display_name,tag -2012-01-22T07:52:33+00:00,Content Modification Time,LOG,Log File,[client pid: 30840] INFO No change in [/etc/netgroup]. Done,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2012-01-22T07:52:33+00:00,Content Modification Time,LOG,Log File,[client pid: 30840] INFO No new content in ímynd.dd.,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2012-01-22T07:53:01+00:00,Content Modification Time,LOG,Cron log,Cron ran: touch /var/run/crond.somecheck for user: root pid: 31051,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2012-01-22T07:54:01+00:00,Content Modification Time,LOG,Cron log,Cron ran: /sbin/status.mycheck) for user: root pid: 31067,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2012-01-22T07:54:01+00:00,Content Modification Time,LOG,Cron log,Cron ran: touch /var/run/crond.somecheck for user: root pid: 31068,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2012-01-22T07:54:32+00:00,Content Modification Time,LOG,Log File,[Job] `cron.daily' terminated,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2012-02-29T01:15:43+00:00,Content Modification Time,LOG,Log File,[---] testing leap year in parsing events take place in 2012 ---,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2012-12-18T17:54:32+00:00,Content Modification Time,LOG,Log File,[anacron pid: 1234] No true exit can exist (124 job run),text/syslog_traditional,OS:/tmp/test/test_data/syslog,exit1 exit2 -2013-03-23T23:01:18+00:00,Content Modification Time,LOG,Log File,[somrandomexe pid: 1915] This syslog message is brought to you by me (and not the other guy),text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2013-03-23T23:01:18+00:00,Content Modification Time,LOG,Log File,[somrandomexe pid: 19] This syslog message has a fractional value for seconds.,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2013-11-18T01:15:20+00:00,Content Modification 
Time,LOG,Log File,[aprocess pid: 10100] This is a multi-line message that screws up many syslog parsers.,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2013-12-31T17:54:32+00:00,Content Modification Time,LOG,Log File,[/sbin/anacron pid: 1234] Another one just like this (124 job run),text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2014-02-06T15:16:30+00:00,Content Modification Time,LOG,Log File,[process pid: 2085] Test message with single character day,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2014-11-18T01:15:43+00:00,Content Modification Time,LOG,Log File,[---] last message repeated 5 times ---,text/syslog_traditional,OS:/tmp/test/test_data/syslog,repeated -2014-11-18T08:30:20+00:00,Content Modification Time,LOG,Log File,[kernel] [997.390602] sda2: rw=0 want=65 limit=2,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2014-11-18T08:31:20+00:00,Content Modification Time,LOG,Log File,[kernel] [998.390602] sda2: rw=0 want=66 limit=2,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2023-03-27T03:47:03.767380870+00:00,Content Modification Time,FILE,File stat,OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,filestat,OS:/tmp/test/test_data/syslog,- -2023-03-27T03:47:03.767380870+00:00,Metadata Modification Time,FILE,File stat,OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,filestat,OS:/tmp/test/test_data/syslog,- -2023-03-27T03:47:05.830382781+00:00,Last Access Time,FILE,File stat,OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,filestat,OS:/tmp/test/test_data/syslog,- -2023-03-27T03:47:08.884385609+00:00,Last Access Time,FILE,File stat,OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,filestat,OS:/tmp/test/test_data/syslog,- 
+2012-01-22T07:52:33+00:00,Content Modification Time,LOG,Log File,[client pid: 30840] INFO No change in [/etc/netgroup]. Done,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2012-01-22T07:52:33+00:00,Content Modification Time,LOG,Log File,[client pid: 30840] INFO No new content in ímynd.dd.,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2012-01-22T07:53:01+00:00,Content Modification Time,LOG,Cron log,Cron ran: touch /var/run/crond.somecheck for user: root pid: 31051,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2012-01-22T07:54:01+00:00,Content Modification Time,LOG,Cron log,Cron ran: /sbin/status.mycheck) for user: root pid: 31067,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2012-01-22T07:54:01+00:00,Content Modification Time,LOG,Cron log,Cron ran: touch /var/run/crond.somecheck for user: root pid: 31068,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2012-01-22T07:54:32+00:00,Content Modification Time,LOG,Log File,[Job] `cron.daily' terminated,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2012-02-29T01:15:43+00:00,Content Modification Time,LOG,Log File,[---] testing leap year in parsing events take place in 2012 ---,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2012-12-18T17:54:32+00:00,Content Modification Time,LOG,Log File,[anacron pid: 1234] No true exit can exist (124 job run),text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,exit1 exit2 +2013-03-23T23:01:18+00:00,Content Modification Time,LOG,Log File,[somrandomexe pid: 1915] This syslog message is brought to you by me (and not the other guy),text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2013-03-23T23:01:18+00:00,Content Modification Time,LOG,Log File,[somrandomexe pid: 19] This syslog message has a fractional value for seconds.,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2013-11-18T01:15:20+00:00,Content Modification Time,LOG,Log 
File,[aprocess pid: 10100] This is a multi-line message that screws up many syslog parsers.,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2013-12-31T17:54:32+00:00,Content Modification Time,LOG,Log File,[/sbin/anacron pid: 1234] Another one just like this (124 job run),text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2014-02-06T15:16:30+00:00,Content Modification Time,LOG,Log File,[process pid: 2085] Test message with single character day,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2014-11-18T01:15:43+00:00,Content Modification Time,LOG,Log File,[---] last message repeated 5 times ---,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,repeated +2014-11-18T08:30:20+00:00,Content Modification Time,LOG,Log File,[kernel] [997.390602] sda2: rw=0 want=65 limit=2,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2014-11-18T08:31:20+00:00,Content Modification Time,LOG,Log File,[kernel] [998.390602] sda2: rw=0 want=66 limit=2,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2024-03-28T07:54:34.785375326+00:00,Content Modification Time,FILE,File stat,OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,filestat,OS:/tmp/test/test_data/syslog/syslog,- +2024-03-28T07:54:34.785375326+00:00,Metadata Modification Time,FILE,File stat,OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,filestat,OS:/tmp/test/test_data/syslog/syslog,- +2024-03-28T07:54:36.751357520+00:00,Last Access Time,FILE,File stat,OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,filestat,OS:/tmp/test/test_data/syslog/syslog,- +2024-03-28T07:54:40.393324534+00:00,Last Access Time,FILE,File stat,OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number 
of links: 1,filestat,OS:/tmp/test/test_data/syslog/syslog,-
diff --git a/test_data/end_to_end/dynamic_event_filter.log b/test_data/end_to_end/dynamic_event_filter.log
index 245ee5b31a..ace5b31c81 100644
--- a/test_data/end_to_end/dynamic_event_filter.log
+++ b/test_data/end_to_end/dynamic_event_filter.log
@@ -1,5 +1,5 @@
 datetime,timestamp_desc,source,source_long,message,parser,display_name,tag
-2014-02-06T15:16:30+00:00,Content Modification Time,LOG,Log File,[process pid: 2085] Test message with single character day,text/syslog_traditional,OS:/tmp/test/test_data/syslog,-
-2014-11-18T01:15:43+00:00,Content Modification Time,LOG,Log File,[---] last message repeated 5 times ---,text/syslog_traditional,OS:/tmp/test/test_data/syslog,repeated
-2014-11-18T08:30:20+00:00,Content Modification Time,LOG,Log File,[kernel] [997.390602] sda2: rw=0 want=65 limit=2,text/syslog_traditional,OS:/tmp/test/test_data/syslog,-
-2014-11-18T08:31:20+00:00,Content Modification Time,LOG,Log File,[kernel] [998.390602] sda2: rw=0 want=66 limit=2,text/syslog_traditional,OS:/tmp/test/test_data/syslog,-
+2014-02-06T15:16:30+00:00,Content Modification Time,LOG,Log File,[process pid: 2085] Test message with single character day,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,-
+2014-11-18T01:15:43+00:00,Content Modification Time,LOG,Log File,[---] last message repeated 5 times ---,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,repeated
+2014-11-18T08:30:20+00:00,Content Modification Time,LOG,Log File,[kernel] [997.390602] sda2: rw=0 want=65 limit=2,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,-
+2014-11-18T08:31:20+00:00,Content Modification Time,LOG,Log File,[kernel] [998.390602] sda2: rw=0 want=66 limit=2,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,-
diff --git a/test_data/end_to_end/dynamic_time_zone.log b/test_data/end_to_end/dynamic_time_zone.log
index d2a7e057fd..ebaf7e1d75 100644
--- a/test_data/end_to_end/dynamic_time_zone.log
+++ b/test_data/end_to_end/dynamic_time_zone.log 
@@ -1,21 +1,21 @@ datetime,timestamp_desc,source,source_long,message,parser,display_name,tag -2012-01-22T08:52:33+01:00,Content Modification Time,LOG,Log File,[client pid: 30840] INFO No change in [/etc/netgroup]. Done,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2012-01-22T08:52:33+01:00,Content Modification Time,LOG,Log File,[client pid: 30840] INFO No new content in ímynd.dd.,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2012-01-22T08:53:01+01:00,Content Modification Time,LOG,Cron log,Cron ran: touch /var/run/crond.somecheck for user: root pid: 31051,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2012-01-22T08:54:01+01:00,Content Modification Time,LOG,Cron log,Cron ran: /sbin/status.mycheck) for user: root pid: 31067,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2012-01-22T08:54:01+01:00,Content Modification Time,LOG,Cron log,Cron ran: touch /var/run/crond.somecheck for user: root pid: 31068,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2012-01-22T08:54:32+01:00,Content Modification Time,LOG,Log File,[Job] `cron.daily' terminated,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2012-02-29T02:15:43+01:00,Content Modification Time,LOG,Log File,[---] testing leap year in parsing events take place in 2012 ---,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2012-12-18T18:54:32+01:00,Content Modification Time,LOG,Log File,[anacron pid: 1234] No true exit can exist (124 job run),text/syslog_traditional,OS:/tmp/test/test_data/syslog,exit1 exit2 -2013-03-24T00:01:18+01:00,Content Modification Time,LOG,Log File,[somrandomexe pid: 1915] This syslog message is brought to you by me (and not the other guy),text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2013-03-24T00:01:18+01:00,Content Modification Time,LOG,Log File,[somrandomexe pid: 19] This syslog message has a fractional value for seconds.,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2013-11-18T02:15:20+01:00,Content Modification 
Time,LOG,Log File,[aprocess pid: 10100] This is a multi-line message that screws up many syslog parsers.,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2013-12-31T18:54:32+01:00,Content Modification Time,LOG,Log File,[/sbin/anacron pid: 1234] Another one just like this (124 job run),text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2014-02-06T16:16:30+01:00,Content Modification Time,LOG,Log File,[process pid: 2085] Test message with single character day,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2014-11-18T02:15:43+01:00,Content Modification Time,LOG,Log File,[---] last message repeated 5 times ---,text/syslog_traditional,OS:/tmp/test/test_data/syslog,repeated -2014-11-18T09:30:20+01:00,Content Modification Time,LOG,Log File,[kernel] [997.390602] sda2: rw=0 want=65 limit=2,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2014-11-18T09:31:20+01:00,Content Modification Time,LOG,Log File,[kernel] [998.390602] sda2: rw=0 want=66 limit=2,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2023-03-27T05:47:03.767380870+02:00,Content Modification Time,FILE,File stat,OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,filestat,OS:/tmp/test/test_data/syslog,- -2023-03-27T05:47:03.767380870+02:00,Metadata Modification Time,FILE,File stat,OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,filestat,OS:/tmp/test/test_data/syslog,- -2023-03-27T05:47:05.830382781+02:00,Last Access Time,FILE,File stat,OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,filestat,OS:/tmp/test/test_data/syslog,- -2023-03-27T05:47:08.884385609+02:00,Last Access Time,FILE,File stat,OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,filestat,OS:/tmp/test/test_data/syslog,- 
+2012-01-22T08:52:33+01:00,Content Modification Time,LOG,Log File,[client pid: 30840] INFO No change in [/etc/netgroup]. Done,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2012-01-22T08:52:33+01:00,Content Modification Time,LOG,Log File,[client pid: 30840] INFO No new content in ímynd.dd.,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2012-01-22T08:53:01+01:00,Content Modification Time,LOG,Cron log,Cron ran: touch /var/run/crond.somecheck for user: root pid: 31051,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2012-01-22T08:54:01+01:00,Content Modification Time,LOG,Cron log,Cron ran: /sbin/status.mycheck) for user: root pid: 31067,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2012-01-22T08:54:01+01:00,Content Modification Time,LOG,Cron log,Cron ran: touch /var/run/crond.somecheck for user: root pid: 31068,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2012-01-22T08:54:32+01:00,Content Modification Time,LOG,Log File,[Job] `cron.daily' terminated,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2012-02-29T02:15:43+01:00,Content Modification Time,LOG,Log File,[---] testing leap year in parsing events take place in 2012 ---,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2012-12-18T18:54:32+01:00,Content Modification Time,LOG,Log File,[anacron pid: 1234] No true exit can exist (124 job run),text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,exit1 exit2 +2013-03-24T00:01:18+01:00,Content Modification Time,LOG,Log File,[somrandomexe pid: 1915] This syslog message is brought to you by me (and not the other guy),text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2013-03-24T00:01:18+01:00,Content Modification Time,LOG,Log File,[somrandomexe pid: 19] This syslog message has a fractional value for seconds.,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2013-11-18T02:15:20+01:00,Content Modification Time,LOG,Log 
File,[aprocess pid: 10100] This is a multi-line message that screws up many syslog parsers.,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2013-12-31T18:54:32+01:00,Content Modification Time,LOG,Log File,[/sbin/anacron pid: 1234] Another one just like this (124 job run),text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2014-02-06T16:16:30+01:00,Content Modification Time,LOG,Log File,[process pid: 2085] Test message with single character day,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2014-11-18T02:15:43+01:00,Content Modification Time,LOG,Log File,[---] last message repeated 5 times ---,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,repeated +2014-11-18T09:30:20+01:00,Content Modification Time,LOG,Log File,[kernel] [997.390602] sda2: rw=0 want=65 limit=2,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2014-11-18T09:31:20+01:00,Content Modification Time,LOG,Log File,[kernel] [998.390602] sda2: rw=0 want=66 limit=2,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2024-03-28T08:54:34.785375326+01:00,Content Modification Time,FILE,File stat,OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,filestat,OS:/tmp/test/test_data/syslog/syslog,- +2024-03-28T08:54:34.785375326+01:00,Metadata Modification Time,FILE,File stat,OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,filestat,OS:/tmp/test/test_data/syslog/syslog,- +2024-03-28T08:54:36.751357520+01:00,Last Access Time,FILE,File stat,OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,filestat,OS:/tmp/test/test_data/syslog/syslog,- +2024-03-28T08:54:40.393324534+01:00,Last Access Time,FILE,File stat,OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number 
of links: 1,filestat,OS:/tmp/test/test_data/syslog/syslog,- diff --git a/test_data/end_to_end/dynamic_without_dynamic_time.log b/test_data/end_to_end/dynamic_without_dynamic_time.log index 246b79da0d..4a545f7591 100644 --- a/test_data/end_to_end/dynamic_without_dynamic_time.log +++ b/test_data/end_to_end/dynamic_without_dynamic_time.log 
@@ -1,21 +1,21 @@ datetime,timestamp_desc,source,source_long,message,parser,display_name,tag -2012-01-22T07:52:33.000000+00:00,Content Modification Time,LOG,Log File,[client pid: 30840] INFO No change in [/etc/netgroup]. Done,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2012-01-22T07:52:33.000000+00:00,Content Modification Time,LOG,Log File,[client pid: 30840] INFO No new content in ímynd.dd.,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2012-01-22T07:53:01.000000+00:00,Content Modification Time,LOG,Cron log,Cron ran: touch /var/run/crond.somecheck for user: root pid: 31051,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2012-01-22T07:54:01.000000+00:00,Content Modification Time,LOG,Cron log,Cron ran: /sbin/status.mycheck) for user: root pid: 31067,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2012-01-22T07:54:01.000000+00:00,Content Modification Time,LOG,Cron log,Cron ran: touch /var/run/crond.somecheck for user: root pid: 31068,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2012-01-22T07:54:32.000000+00:00,Content Modification Time,LOG,Log File,[Job] `cron.daily' terminated,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2012-02-29T01:15:43.000000+00:00,Content Modification Time,LOG,Log File,[---] testing leap year in parsing events take place in 2012 ---,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2012-12-18T17:54:32.000000+00:00,Content Modification Time,LOG,Log File,[anacron pid: 1234] No true exit can exist (124 job run),text/syslog_traditional,OS:/tmp/test/test_data/syslog,exit1 exit2 -2013-03-23T23:01:18.000000+00:00,Content Modification Time,LOG,Log File,[somrandomexe pid: 1915] This syslog message is brought to you by me (and not the other guy),text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2013-03-23T23:01:18.000000+00:00,Content Modification Time,LOG,Log File,[somrandomexe pid: 19] This syslog message has a fractional value for 
seconds.,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2013-11-18T01:15:20.000000+00:00,Content Modification Time,LOG,Log File,[aprocess pid: 10100] This is a multi-line message that screws up many syslog parsers.,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2013-12-31T17:54:32.000000+00:00,Content Modification Time,LOG,Log File,[/sbin/anacron pid: 1234] Another one just like this (124 job run),text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2014-02-06T15:16:30.000000+00:00,Content Modification Time,LOG,Log File,[process pid: 2085] Test message with single character day,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2014-11-18T01:15:43.000000+00:00,Content Modification Time,LOG,Log File,[---] last message repeated 5 times ---,text/syslog_traditional,OS:/tmp/test/test_data/syslog,repeated -2014-11-18T08:30:20.000000+00:00,Content Modification Time,LOG,Log File,[kernel] [997.390602] sda2: rw=0 want=65 limit=2,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2014-11-18T08:31:20.000000+00:00,Content Modification Time,LOG,Log File,[kernel] [998.390602] sda2: rw=0 want=66 limit=2,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2023-03-27T03:47:03.767381+00:00,Content Modification Time,FILE,File stat,OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,filestat,OS:/tmp/test/test_data/syslog,- -2023-03-27T03:47:03.767381+00:00,Metadata Modification Time,FILE,File stat,OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,filestat,OS:/tmp/test/test_data/syslog,- -2023-03-27T03:47:05.830383+00:00,Last Access Time,FILE,File stat,OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,filestat,OS:/tmp/test/test_data/syslog,- -2023-03-27T03:47:08.884386+00:00,Last Access Time,FILE,File stat,OS:/tmp/test/test_data/syslog Type: file 
Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,filestat,OS:/tmp/test/test_data/syslog,- +2012-01-22T07:52:33.000000+00:00,Content Modification Time,LOG,Log File,[client pid: 30840] INFO No change in [/etc/netgroup]. Done,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2012-01-22T07:52:33.000000+00:00,Content Modification Time,LOG,Log File,[client pid: 30840] INFO No new content in ímynd.dd.,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2012-01-22T07:53:01.000000+00:00,Content Modification Time,LOG,Cron log,Cron ran: touch /var/run/crond.somecheck for user: root pid: 31051,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2012-01-22T07:54:01.000000+00:00,Content Modification Time,LOG,Cron log,Cron ran: /sbin/status.mycheck) for user: root pid: 31067,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2012-01-22T07:54:01.000000+00:00,Content Modification Time,LOG,Cron log,Cron ran: touch /var/run/crond.somecheck for user: root pid: 31068,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2012-01-22T07:54:32.000000+00:00,Content Modification Time,LOG,Log File,[Job] `cron.daily' terminated,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2012-02-29T01:15:43.000000+00:00,Content Modification Time,LOG,Log File,[---] testing leap year in parsing events take place in 2012 ---,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2012-12-18T17:54:32.000000+00:00,Content Modification Time,LOG,Log File,[anacron pid: 1234] No true exit can exist (124 job run),text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,exit1 exit2 +2013-03-23T23:01:18.000000+00:00,Content Modification Time,LOG,Log File,[somrandomexe pid: 1915] This syslog message is brought to you by me (and not the other guy),text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2013-03-23T23:01:18.000000+00:00,Content Modification Time,LOG,Log File,[somrandomexe pid: 19] 
This syslog message has a fractional value for seconds.,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2013-11-18T01:15:20.000000+00:00,Content Modification Time,LOG,Log File,[aprocess pid: 10100] This is a multi-line message that screws up many syslog parsers.,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2013-12-31T17:54:32.000000+00:00,Content Modification Time,LOG,Log File,[/sbin/anacron pid: 1234] Another one just like this (124 job run),text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2014-02-06T15:16:30.000000+00:00,Content Modification Time,LOG,Log File,[process pid: 2085] Test message with single character day,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2014-11-18T01:15:43.000000+00:00,Content Modification Time,LOG,Log File,[---] last message repeated 5 times ---,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,repeated +2014-11-18T08:30:20.000000+00:00,Content Modification Time,LOG,Log File,[kernel] [997.390602] sda2: rw=0 want=65 limit=2,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2014-11-18T08:31:20.000000+00:00,Content Modification Time,LOG,Log File,[kernel] [998.390602] sda2: rw=0 want=66 limit=2,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2024-03-28T07:54:34.785376+00:00,Content Modification Time,FILE,File stat,OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,filestat,OS:/tmp/test/test_data/syslog/syslog,- +2024-03-28T07:54:34.785376+00:00,Metadata Modification Time,FILE,File stat,OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,filestat,OS:/tmp/test/test_data/syslog/syslog,- +2024-03-28T07:54:36.751358+00:00,Last Access Time,FILE,File stat,OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 
1,filestat,OS:/tmp/test/test_data/syslog/syslog,- +2024-03-28T07:54:40.393325+00:00,Last Access Time,FILE,File stat,OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,filestat,OS:/tmp/test/test_data/syslog/syslog,- diff --git a/test_data/end_to_end/json.log b/test_data/end_to_end/json.log index 48470dd610..103cca01e8 100644 --- a/test_data/end_to_end/json.log +++ b/test_data/end_to_end/json.log 
@@ -1,21 +1,21 @@ -{"event_0": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "INFO No change in [/etc/netgroup]. Done", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 1, 22, 7, 52, 33]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[client, pid: 30840] INFO No change in [/etc/netgroup]. Done", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "pid": 30840, "reporter": "client", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218753000000, "timestamp_desc": "Content Modification Time"} -, "event_1": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "INFO No new content in \u00edmynd.dd.", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 1, 22, 7, 52, 33]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[client, pid: 30840] INFO No new content in \u00edmynd.dd.", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "pid": 30840, "reporter": "client", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218753000000, "timestamp_desc": "Content Modification Time"} -, "event_2": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "(root) CMD (touch /var/run/crond.somecheck)", "command": "touch /var/run/crond.somecheck", "data_type": "syslog:cron:task_run", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", 
"time_elements_tuple": [2012, 1, 22, 7, 53, 1]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "Cron ran: touch /var/run/crond.somecheck for user: root pid: 31051", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "pid": 31051, "reporter": "CRON", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218781000000, "timestamp_desc": "Content Modification Time", "username": "root"} -, "event_3": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "(root) CMD (touch /var/run/crond.somecheck)", "command": "touch /var/run/crond.somecheck", "data_type": "syslog:cron:task_run", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 1, 22, 7, 54, 1]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "Cron ran: touch /var/run/crond.somecheck for user: root pid: 31068", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "pid": 31068, "reporter": "CRON", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218841000000, "timestamp_desc": "Content Modification Time", "username": "root"} -, "event_4": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "(root) CMD (/sbin/status.mycheck))", "command": "/sbin/status.mycheck)", "data_type": "syslog:cron:task_run", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 1, 22, 7, 54, 1]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": 
"myhostname.myhost.com", "inode": "-", "message": "Cron ran: /sbin/status.mycheck) for user: root pid: 31067", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "pid": 31067, "reporter": "CRON", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218841000000, "timestamp_desc": "Content Modification Time", "username": "root"} -, "event_5": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "`cron.daily' terminated", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 1, 22, 7, 54, 32]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[Job] `cron.daily' terminated", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "reporter": "Job", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218872000000, "timestamp_desc": "Content Modification Time"} -, "event_6": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "testing leap year in parsing, events take place in 2012 ---", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 2, 29, 1, 15, 43]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": ":", "inode": "-", "message": "[---] testing leap year in parsing, events take place in 2012 ---", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "reporter": "---", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", 
"timestamp": 1330478143000000, "timestamp_desc": "Content Modification Time"} -, "event_7": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "No true exit can exist (124 job run)", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 12, 18, 17, 54, 32]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[anacron, pid: 1234] No true exit can exist (124 job run)", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "pid": 1234, "reporter": "anacron", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "tag": {"__container_type__": "event_tag", "__type__": "AttributeContainer", "labels": ["exit1", "exit2"]}, "timestamp": 1355853272000000, "timestamp_desc": "Content Modification Time"} -, "event_8": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "This syslog message has a fractional value for seconds.", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2013, 3, 23, 23, 1, 18]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[somrandomexe, pid: 19] This syslog message has a fractional value for seconds.", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "pid": 19, "reporter": "somrandomexe", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1364079678000000, "timestamp_desc": "Content Modification Time"} -, "event_9": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "This 
syslog message is brought to you by me (and not the other guy)", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2013, 3, 23, 23, 1, 18]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[somrandomexe, pid: 1915] This syslog message is brought to you by me (and not the other guy)", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "pid": 1915, "reporter": "somrandomexe", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1364079678000000, "timestamp_desc": "Content Modification Time"} -, "event_10": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "This is a multi-line message that screws up\n\tmany syslog parsers.", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2013, 11, 18, 1, 15, 20]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[aprocess, pid: 10100] This is a multi-line message that screws up\tmany syslog parsers.", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "pid": 10100, "reporter": "aprocess", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1384737320000000, "timestamp_desc": "Content Modification Time"} -, "event_11": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "Another one just like this (124 job run)", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2013, 12, 31, 17, 
54, 32]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[/sbin/anacron, pid: 1234] Another one just like this (124 job run)", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "pid": 1234, "reporter": "/sbin/anacron", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1388512472000000, "timestamp_desc": "Content Modification Time"} -, "event_12": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "Test message with single character day", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2014, 2, 6, 15, 16, 30]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "victoria", "inode": "-", "message": "[process, pid: 2085] Test message with single character day", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "pid": 2085, "reporter": "process", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1391699790000000, "timestamp_desc": "Content Modification Time"} -, "event_13": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "last message repeated 5 times ---", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2014, 11, 18, 1, 15, 43]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": ":", "inode": "-", "message": "[---] last message repeated 5 times ---", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": 
"OS"}, "reporter": "---", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "tag": {"__container_type__": "event_tag", "__type__": "AttributeContainer", "labels": ["repeated"]}, "timestamp": 1416273343000000, "timestamp_desc": "Content Modification Time"} -, "event_14": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "[997.390602] sda2: rw=0, want=65, limit=2", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2014, 11, 18, 8, 30, 20]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "inode": "-", "message": "[kernel] [997.390602] sda2: rw=0, want=65, limit=2", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "reporter": "kernel", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1416299420000000, "timestamp_desc": "Content Modification Time"} -, "event_15": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "[998.390602] sda2: rw=0, want=66, limit=2", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2014, 11, 18, 8, 31, 20]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "victoria", "inode": "-", "message": "[kernel] [998.390602] sda2: rw=0, want=66, limit=2", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "reporter": "kernel", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1416299480000000, "timestamp_desc": "Content Modification Time"} -, "event_16": {"__container_type__": "event", "__type__": "AttributeContainer", "attribute_names": 
["security.selinux"], "data_type": "fs:stat", "date_time": {"__class_name__": "PosixTimeInNanoseconds", "__type__": "DateTimeValues", "timestamp": 1679888823767380870}, "display_name": "OS:/tmp/test/test_data/syslog", "file_entry_type": "file", "file_size": 1509, "file_system_type": "OS", "filename": "/tmp/test/test_data/syslog", "group_identifier": 1000, "inode": "762256", "is_allocated": true, "message": "OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1", "mode": 420, "number_of_links": 1, "owner_identifier": 1000, "parser": "filestat", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1679888823767381, "timestamp_desc": "Content Modification Time"} -, "event_17": {"__container_type__": "event", "__type__": "AttributeContainer", "attribute_names": ["security.selinux"], "data_type": "fs:stat", "date_time": {"__class_name__": "PosixTimeInNanoseconds", "__type__": "DateTimeValues", "timestamp": 1679888823767380870}, "display_name": "OS:/tmp/test/test_data/syslog", "file_entry_type": "file", "file_size": 1509, "file_system_type": "OS", "filename": "/tmp/test/test_data/syslog", "group_identifier": 1000, "inode": "762256", "is_allocated": true, "message": "OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1", "mode": 420, "number_of_links": 1, "owner_identifier": 1000, "parser": "filestat", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1679888823767381, "timestamp_desc": "Metadata Modification Time"} -, "event_18": {"__container_type__": "event", "__type__": "AttributeContainer", "attribute_names": ["security.selinux"], "data_type": 
"fs:stat", "date_time": {"__class_name__": "PosixTimeInNanoseconds", "__type__": "DateTimeValues", "timestamp": 1679888825830382781}, "display_name": "OS:/tmp/test/test_data/syslog", "file_entry_type": "file", "file_size": 1509, "file_system_type": "OS", "filename": "/tmp/test/test_data/syslog", "group_identifier": 1000, "inode": "762256", "is_allocated": true, "message": "OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1", "mode": 420, "number_of_links": 1, "owner_identifier": 1000, "parser": "filestat", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1679888825830383, "timestamp_desc": "Last Access Time"} -, "event_19": {"__container_type__": "event", "__type__": "AttributeContainer", "attribute_names": ["security.selinux"], "data_type": "fs:stat", "date_time": {"__class_name__": "PosixTimeInNanoseconds", "__type__": "DateTimeValues", "timestamp": 1679888828884385609}, "display_name": "OS:/tmp/test/test_data/syslog", "file_entry_type": "file", "file_size": 1509, "file_system_type": "OS", "filename": "/tmp/test/test_data/syslog", "group_identifier": 1000, "inode": "762256", "is_allocated": true, "message": "OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1", "mode": 420, "number_of_links": 1, "owner_identifier": 1000, "parser": "filestat", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1679888828884386, "timestamp_desc": "Last Access Time"} +{"event_0": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "INFO No change in [/etc/netgroup]. 
Done", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 1, 22, 7, 52, 33]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[client, pid: 30840] INFO No change in [/etc/netgroup]. Done", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "pid": 30840, "reporter": "client", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218753000000, "timestamp_desc": "Content Modification Time"} +, "event_1": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "INFO No new content in \u00edmynd.dd.", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 1, 22, 7, 52, 33]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[client, pid: 30840] INFO No new content in \u00edmynd.dd.", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "pid": 30840, "reporter": "client", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218753000000, "timestamp_desc": "Content Modification Time"} +, "event_2": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "(root) CMD (touch /var/run/crond.somecheck)", "command": "touch /var/run/crond.somecheck", "data_type": "syslog:cron:task_run", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 1, 22, 7, 53, 1]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", 
"filename": "/tmp/test/test_data/syslog/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "Cron ran: touch /var/run/crond.somecheck for user: root pid: 31051", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "pid": 31051, "reporter": "CRON", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218781000000, "timestamp_desc": "Content Modification Time", "username": "root"} +, "event_3": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "(root) CMD (touch /var/run/crond.somecheck)", "command": "touch /var/run/crond.somecheck", "data_type": "syslog:cron:task_run", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 1, 22, 7, 54, 1]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "Cron ran: touch /var/run/crond.somecheck for user: root pid: 31068", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "pid": 31068, "reporter": "CRON", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218841000000, "timestamp_desc": "Content Modification Time", "username": "root"} +, "event_4": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "(root) CMD (/sbin/status.mycheck))", "command": "/sbin/status.mycheck)", "data_type": "syslog:cron:task_run", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 1, 22, 7, 54, 1]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "Cron ran: 
/sbin/status.mycheck) for user: root pid: 31067", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "pid": 31067, "reporter": "CRON", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218841000000, "timestamp_desc": "Content Modification Time", "username": "root"} +, "event_5": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "`cron.daily' terminated", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 1, 22, 7, 54, 32]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[Job] `cron.daily' terminated", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "reporter": "Job", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218872000000, "timestamp_desc": "Content Modification Time"} +, "event_6": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "testing leap year in parsing, events take place in 2012 ---", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 2, 29, 1, 15, 43]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": ":", "inode": "-", "message": "[---] testing leap year in parsing, events take place in 2012 ---", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "reporter": "---", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 
1330478143000000, "timestamp_desc": "Content Modification Time"} +, "event_7": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "No true exit can exist (124 job run)", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 12, 18, 17, 54, 32]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[anacron, pid: 1234] No true exit can exist (124 job run)", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "pid": 1234, "reporter": "anacron", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "tag": {"__container_type__": "event_tag", "__type__": "AttributeContainer", "labels": ["exit1", "exit2"]}, "timestamp": 1355853272000000, "timestamp_desc": "Content Modification Time"} +, "event_8": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "This syslog message is brought to you by me (and not the other guy)", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2013, 3, 23, 23, 1, 18]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[somrandomexe, pid: 1915] This syslog message is brought to you by me (and not the other guy)", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "pid": 1915, "reporter": "somrandomexe", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1364079678000000, "timestamp_desc": "Content Modification Time"} +, "event_9": {"__container_type__": 
"event", "__type__": "AttributeContainer", "body": "This syslog message has a fractional value for seconds.", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2013, 3, 23, 23, 1, 18]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[somrandomexe, pid: 19] This syslog message has a fractional value for seconds.", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "pid": 19, "reporter": "somrandomexe", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1364079678000000, "timestamp_desc": "Content Modification Time"} +, "event_10": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "This is a multi-line message that screws up\n\tmany syslog parsers.", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2013, 11, 18, 1, 15, 20]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[aprocess, pid: 10100] This is a multi-line message that screws up\tmany syslog parsers.", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "pid": 10100, "reporter": "aprocess", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1384737320000000, "timestamp_desc": "Content Modification Time"} +, "event_11": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "Another one just like this (124 job run)", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", 
"__type__": "DateTimeValues", "time_elements_tuple": [2013, 12, 31, 17, 54, 32]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[/sbin/anacron, pid: 1234] Another one just like this (124 job run)", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "pid": 1234, "reporter": "/sbin/anacron", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1388512472000000, "timestamp_desc": "Content Modification Time"} +, "event_12": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "Test message with single character day", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2014, 2, 6, 15, 16, 30]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "victoria", "inode": "-", "message": "[process, pid: 2085] Test message with single character day", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "pid": 2085, "reporter": "process", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1391699790000000, "timestamp_desc": "Content Modification Time"} +, "event_13": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "last message repeated 5 times ---", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2014, 11, 18, 1, 15, 43]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": ":", "inode": "-", "message": "[---] last message repeated 5 times ---", 
"parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "reporter": "---", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "tag": {"__container_type__": "event_tag", "__type__": "AttributeContainer", "labels": ["repeated"]}, "timestamp": 1416273343000000, "timestamp_desc": "Content Modification Time"} +, "event_14": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "[997.390602] sda2: rw=0, want=65, limit=2", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2014, 11, 18, 8, 30, 20]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "inode": "-", "message": "[kernel] [997.390602] sda2: rw=0, want=65, limit=2", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "reporter": "kernel", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1416299420000000, "timestamp_desc": "Content Modification Time"} +, "event_15": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "[998.390602] sda2: rw=0, want=66, limit=2", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2014, 11, 18, 8, 31, 20]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "victoria", "inode": "-", "message": "[kernel] [998.390602] sda2: rw=0, want=66, limit=2", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "reporter": "kernel", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", 
"timestamp": 1416299480000000, "timestamp_desc": "Content Modification Time"} +, "event_16": {"__container_type__": "event", "__type__": "AttributeContainer", "attribute_names": ["security.selinux"], "data_type": "fs:stat", "date_time": {"__class_name__": "PosixTimeInNanoseconds", "__type__": "DateTimeValues", "timestamp": 1711612474785375326}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "file_entry_type": "file", "file_size": 1509, "file_system_type": "OS", "filename": "/tmp/test/test_data/syslog/syslog", "group_identifier": 1000, "inode": "3487956", "is_allocated": true, "message": "OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1", "mode": 420, "number_of_links": 1, "owner_identifier": 1000, "parser": "filestat", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1711612474785375, "timestamp_desc": "Content Modification Time"} +, "event_17": {"__container_type__": "event", "__type__": "AttributeContainer", "attribute_names": ["security.selinux"], "data_type": "fs:stat", "date_time": {"__class_name__": "PosixTimeInNanoseconds", "__type__": "DateTimeValues", "timestamp": 1711612474785375326}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "file_entry_type": "file", "file_size": 1509, "file_system_type": "OS", "filename": "/tmp/test/test_data/syslog/syslog", "group_identifier": 1000, "inode": "3487956", "is_allocated": true, "message": "OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1", "mode": 420, "number_of_links": 1, "owner_identifier": 1000, "parser": "filestat", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "sha256_hash": 
"1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1711612474785375, "timestamp_desc": "Metadata Modification Time"} +, "event_18": {"__container_type__": "event", "__type__": "AttributeContainer", "attribute_names": ["security.selinux"], "data_type": "fs:stat", "date_time": {"__class_name__": "PosixTimeInNanoseconds", "__type__": "DateTimeValues", "timestamp": 1711612476751357520}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "file_entry_type": "file", "file_size": 1509, "file_system_type": "OS", "filename": "/tmp/test/test_data/syslog/syslog", "group_identifier": 1000, "inode": "3487956", "is_allocated": true, "message": "OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1", "mode": 420, "number_of_links": 1, "owner_identifier": 1000, "parser": "filestat", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1711612476751358, "timestamp_desc": "Last Access Time"} +, "event_19": {"__container_type__": "event", "__type__": "AttributeContainer", "attribute_names": ["security.selinux"], "data_type": "fs:stat", "date_time": {"__class_name__": "PosixTimeInNanoseconds", "__type__": "DateTimeValues", "timestamp": 1711612480393324534}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "file_entry_type": "file", "file_size": 1509, "file_system_type": "OS", "filename": "/tmp/test/test_data/syslog/syslog", "group_identifier": 1000, "inode": "3487956", "is_allocated": true, "message": "OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1", "mode": 420, "number_of_links": 1, "owner_identifier": 1000, "parser": "filestat", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, 
"sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1711612480393325, "timestamp_desc": "Last Access Time"} } \ No newline at end of file diff --git a/test_data/end_to_end/json_line.log b/test_data/end_to_end/json_line.log index eb7f658538..7d8fa58d3f 100644 --- a/test_data/end_to_end/json_line.log +++ b/test_data/end_to_end/json_line.log 
@@ -1,20 +1,20 @@ -{"__container_type__": "event", "__type__": "AttributeContainer", "body": "INFO No change in [/etc/netgroup]. Done", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 1, 22, 7, 52, 33]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[client, pid: 30840] INFO No change in [/etc/netgroup]. Done", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "pid": 30840, "reporter": "client", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218753000000, "timestamp_desc": "Content Modification Time"} -{"__container_type__": "event", "__type__": "AttributeContainer", "body": "INFO No new content in \u00edmynd.dd.", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 1, 22, 7, 52, 33]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[client, pid: 30840] INFO No new content in \u00edmynd.dd.", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "pid": 30840, "reporter": "client", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218753000000, "timestamp_desc": "Content Modification Time"} -{"__container_type__": "event", "__type__": "AttributeContainer", "body": "(root) CMD (touch /var/run/crond.somecheck)", "command": "touch /var/run/crond.somecheck", "data_type": "syslog:cron:task_run", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 1, 22, 7, 53, 
1]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "Cron ran: touch /var/run/crond.somecheck for user: root pid: 31051", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "pid": 31051, "reporter": "CRON", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218781000000, "timestamp_desc": "Content Modification Time", "username": "root"} -{"__container_type__": "event", "__type__": "AttributeContainer", "body": "(root) CMD (touch /var/run/crond.somecheck)", "command": "touch /var/run/crond.somecheck", "data_type": "syslog:cron:task_run", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 1, 22, 7, 54, 1]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "Cron ran: touch /var/run/crond.somecheck for user: root pid: 31068", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "pid": 31068, "reporter": "CRON", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218841000000, "timestamp_desc": "Content Modification Time", "username": "root"} -{"__container_type__": "event", "__type__": "AttributeContainer", "body": "(root) CMD (/sbin/status.mycheck))", "command": "/sbin/status.mycheck)", "data_type": "syslog:cron:task_run", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 1, 22, 7, 54, 1]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "Cron ran: /sbin/status.mycheck) for 
user: root pid: 31067", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "pid": 31067, "reporter": "CRON", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218841000000, "timestamp_desc": "Content Modification Time", "username": "root"} -{"__container_type__": "event", "__type__": "AttributeContainer", "body": "`cron.daily' terminated", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 1, 22, 7, 54, 32]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[Job] `cron.daily' terminated", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "reporter": "Job", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218872000000, "timestamp_desc": "Content Modification Time"} -{"__container_type__": "event", "__type__": "AttributeContainer", "body": "testing leap year in parsing, events take place in 2012 ---", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 2, 29, 1, 15, 43]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": ":", "inode": "-", "message": "[---] testing leap year in parsing, events take place in 2012 ---", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "reporter": "---", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1330478143000000, "timestamp_desc": "Content Modification Time"} -{"__container_type__": "event", 
"__type__": "AttributeContainer", "body": "No true exit can exist (124 job run)", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 12, 18, 17, 54, 32]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[anacron, pid: 1234] No true exit can exist (124 job run)", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "pid": 1234, "reporter": "anacron", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "tag": {"__container_type__": "event_tag", "__type__": "AttributeContainer", "labels": ["exit1", "exit2"]}, "timestamp": 1355853272000000, "timestamp_desc": "Content Modification Time"} -{"__container_type__": "event", "__type__": "AttributeContainer", "body": "This syslog message has a fractional value for seconds.", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2013, 3, 23, 23, 1, 18]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[somrandomexe, pid: 19] This syslog message has a fractional value for seconds.", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "pid": 19, "reporter": "somrandomexe", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1364079678000000, "timestamp_desc": "Content Modification Time"} -{"__container_type__": "event", "__type__": "AttributeContainer", "body": "This syslog message is brought to you by me (and not the other guy)", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", 
"__type__": "DateTimeValues", "time_elements_tuple": [2013, 3, 23, 23, 1, 18]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[somrandomexe, pid: 1915] This syslog message is brought to you by me (and not the other guy)", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "pid": 1915, "reporter": "somrandomexe", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1364079678000000, "timestamp_desc": "Content Modification Time"} -{"__container_type__": "event", "__type__": "AttributeContainer", "body": "This is a multi-line message that screws up\n\tmany syslog parsers.", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2013, 11, 18, 1, 15, 20]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[aprocess, pid: 10100] This is a multi-line message that screws up\tmany syslog parsers.", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "pid": 10100, "reporter": "aprocess", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1384737320000000, "timestamp_desc": "Content Modification Time"} -{"__container_type__": "event", "__type__": "AttributeContainer", "body": "Another one just like this (124 job run)", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2013, 12, 31, 17, 54, 32]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": 
"[/sbin/anacron, pid: 1234] Another one just like this (124 job run)", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "pid": 1234, "reporter": "/sbin/anacron", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1388512472000000, "timestamp_desc": "Content Modification Time"} -{"__container_type__": "event", "__type__": "AttributeContainer", "body": "Test message with single character day", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2014, 2, 6, 15, 16, 30]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "victoria", "inode": "-", "message": "[process, pid: 2085] Test message with single character day", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "pid": 2085, "reporter": "process", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1391699790000000, "timestamp_desc": "Content Modification Time"} -{"__container_type__": "event", "__type__": "AttributeContainer", "body": "last message repeated 5 times ---", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2014, 11, 18, 1, 15, 43]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": ":", "inode": "-", "message": "[---] last message repeated 5 times ---", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "reporter": "---", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "tag": {"__container_type__": "event_tag", "__type__": "AttributeContainer", 
"labels": ["repeated"]}, "timestamp": 1416273343000000, "timestamp_desc": "Content Modification Time"} -{"__container_type__": "event", "__type__": "AttributeContainer", "body": "[997.390602] sda2: rw=0, want=65, limit=2", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2014, 11, 18, 8, 30, 20]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "inode": "-", "message": "[kernel] [997.390602] sda2: rw=0, want=65, limit=2", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "reporter": "kernel", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1416299420000000, "timestamp_desc": "Content Modification Time"} -{"__container_type__": "event", "__type__": "AttributeContainer", "body": "[998.390602] sda2: rw=0, want=66, limit=2", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2014, 11, 18, 8, 31, 20]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "victoria", "inode": "-", "message": "[kernel] [998.390602] sda2: rw=0, want=66, limit=2", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "reporter": "kernel", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1416299480000000, "timestamp_desc": "Content Modification Time"} -{"__container_type__": "event", "__type__": "AttributeContainer", "attribute_names": ["security.selinux"], "data_type": "fs:stat", "date_time": {"__class_name__": "PosixTimeInNanoseconds", "__type__": "DateTimeValues", "timestamp": 1679888823767380870}, "display_name": "OS:/tmp/test/test_data/syslog", "file_entry_type": "file", 
"file_size": 1509, "file_system_type": "OS", "filename": "/tmp/test/test_data/syslog", "group_identifier": 1000, "inode": "762256", "is_allocated": true, "message": "OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1", "mode": 420, "number_of_links": 1, "owner_identifier": 1000, "parser": "filestat", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1679888823767381, "timestamp_desc": "Content Modification Time"} -{"__container_type__": "event", "__type__": "AttributeContainer", "attribute_names": ["security.selinux"], "data_type": "fs:stat", "date_time": {"__class_name__": "PosixTimeInNanoseconds", "__type__": "DateTimeValues", "timestamp": 1679888823767380870}, "display_name": "OS:/tmp/test/test_data/syslog", "file_entry_type": "file", "file_size": 1509, "file_system_type": "OS", "filename": "/tmp/test/test_data/syslog", "group_identifier": 1000, "inode": "762256", "is_allocated": true, "message": "OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1", "mode": 420, "number_of_links": 1, "owner_identifier": 1000, "parser": "filestat", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1679888823767381, "timestamp_desc": "Metadata Modification Time"} -{"__container_type__": "event", "__type__": "AttributeContainer", "attribute_names": ["security.selinux"], "data_type": "fs:stat", "date_time": {"__class_name__": "PosixTimeInNanoseconds", "__type__": "DateTimeValues", "timestamp": 1679888825830382781}, "display_name": "OS:/tmp/test/test_data/syslog", "file_entry_type": "file", "file_size": 1509, "file_system_type": "OS", "filename": 
"/tmp/test/test_data/syslog", "group_identifier": 1000, "inode": "762256", "is_allocated": true, "message": "OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1", "mode": 420, "number_of_links": 1, "owner_identifier": 1000, "parser": "filestat", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1679888825830383, "timestamp_desc": "Last Access Time"} -{"__container_type__": "event", "__type__": "AttributeContainer", "attribute_names": ["security.selinux"], "data_type": "fs:stat", "date_time": {"__class_name__": "PosixTimeInNanoseconds", "__type__": "DateTimeValues", "timestamp": 1679888828884385609}, "display_name": "OS:/tmp/test/test_data/syslog", "file_entry_type": "file", "file_size": 1509, "file_system_type": "OS", "filename": "/tmp/test/test_data/syslog", "group_identifier": 1000, "inode": "762256", "is_allocated": true, "message": "OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1", "mode": 420, "number_of_links": 1, "owner_identifier": 1000, "parser": "filestat", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1679888828884386, "timestamp_desc": "Last Access Time"} +{"__container_type__": "event", "__type__": "AttributeContainer", "body": "INFO No change in [/etc/netgroup]. 
Done", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 1, 22, 7, 52, 33]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[client, pid: 30840] INFO No change in [/etc/netgroup]. Done", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "pid": 30840, "reporter": "client", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218753000000, "timestamp_desc": "Content Modification Time"} +{"__container_type__": "event", "__type__": "AttributeContainer", "body": "INFO No new content in \u00edmynd.dd.", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 1, 22, 7, 52, 33]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[client, pid: 30840] INFO No new content in \u00edmynd.dd.", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "pid": 30840, "reporter": "client", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218753000000, "timestamp_desc": "Content Modification Time"} +{"__container_type__": "event", "__type__": "AttributeContainer", "body": "(root) CMD (touch /var/run/crond.somecheck)", "command": "touch /var/run/crond.somecheck", "data_type": "syslog:cron:task_run", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 1, 22, 7, 53, 1]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": 
"/tmp/test/test_data/syslog/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "Cron ran: touch /var/run/crond.somecheck for user: root pid: 31051", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "pid": 31051, "reporter": "CRON", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218781000000, "timestamp_desc": "Content Modification Time", "username": "root"} +{"__container_type__": "event", "__type__": "AttributeContainer", "body": "(root) CMD (touch /var/run/crond.somecheck)", "command": "touch /var/run/crond.somecheck", "data_type": "syslog:cron:task_run", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 1, 22, 7, 54, 1]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "Cron ran: touch /var/run/crond.somecheck for user: root pid: 31068", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "pid": 31068, "reporter": "CRON", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218841000000, "timestamp_desc": "Content Modification Time", "username": "root"} +{"__container_type__": "event", "__type__": "AttributeContainer", "body": "(root) CMD (/sbin/status.mycheck))", "command": "/sbin/status.mycheck)", "data_type": "syslog:cron:task_run", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 1, 22, 7, 54, 1]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "Cron ran: /sbin/status.mycheck) for user: root pid: 
31067", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "pid": 31067, "reporter": "CRON", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218841000000, "timestamp_desc": "Content Modification Time", "username": "root"} +{"__container_type__": "event", "__type__": "AttributeContainer", "body": "`cron.daily' terminated", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 1, 22, 7, 54, 32]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[Job] `cron.daily' terminated", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "reporter": "Job", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218872000000, "timestamp_desc": "Content Modification Time"} +{"__container_type__": "event", "__type__": "AttributeContainer", "body": "testing leap year in parsing, events take place in 2012 ---", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 2, 29, 1, 15, 43]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": ":", "inode": "-", "message": "[---] testing leap year in parsing, events take place in 2012 ---", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "reporter": "---", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1330478143000000, "timestamp_desc": "Content Modification Time"} 
+{"__container_type__": "event", "__type__": "AttributeContainer", "body": "No true exit can exist (124 job run)", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 12, 18, 17, 54, 32]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[anacron, pid: 1234] No true exit can exist (124 job run)", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "pid": 1234, "reporter": "anacron", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "tag": {"__container_type__": "event_tag", "__type__": "AttributeContainer", "labels": ["exit1", "exit2"]}, "timestamp": 1355853272000000, "timestamp_desc": "Content Modification Time"} +{"__container_type__": "event", "__type__": "AttributeContainer", "body": "This syslog message is brought to you by me (and not the other guy)", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2013, 3, 23, 23, 1, 18]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[somrandomexe, pid: 1915] This syslog message is brought to you by me (and not the other guy)", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "pid": 1915, "reporter": "somrandomexe", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1364079678000000, "timestamp_desc": "Content Modification Time"} +{"__container_type__": "event", "__type__": "AttributeContainer", "body": "This syslog message has a fractional value for 
seconds.", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2013, 3, 23, 23, 1, 18]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[somrandomexe, pid: 19] This syslog message has a fractional value for seconds.", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "pid": 19, "reporter": "somrandomexe", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1364079678000000, "timestamp_desc": "Content Modification Time"} +{"__container_type__": "event", "__type__": "AttributeContainer", "body": "This is a multi-line message that screws up\n\tmany syslog parsers.", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2013, 11, 18, 1, 15, 20]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[aprocess, pid: 10100] This is a multi-line message that screws up\tmany syslog parsers.", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "pid": 10100, "reporter": "aprocess", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1384737320000000, "timestamp_desc": "Content Modification Time"} +{"__container_type__": "event", "__type__": "AttributeContainer", "body": "Another one just like this (124 job run)", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2013, 12, 31, 17, 54, 32]}, "display_name": 
"OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[/sbin/anacron, pid: 1234] Another one just like this (124 job run)", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "pid": 1234, "reporter": "/sbin/anacron", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1388512472000000, "timestamp_desc": "Content Modification Time"} +{"__container_type__": "event", "__type__": "AttributeContainer", "body": "Test message with single character day", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2014, 2, 6, 15, 16, 30]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "victoria", "inode": "-", "message": "[process, pid: 2085] Test message with single character day", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "pid": 2085, "reporter": "process", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1391699790000000, "timestamp_desc": "Content Modification Time"} +{"__container_type__": "event", "__type__": "AttributeContainer", "body": "last message repeated 5 times ---", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2014, 11, 18, 1, 15, 43]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": ":", "inode": "-", "message": "[---] last message repeated 5 times ---", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", 
"type_indicator": "OS"}, "reporter": "---", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "tag": {"__container_type__": "event_tag", "__type__": "AttributeContainer", "labels": ["repeated"]}, "timestamp": 1416273343000000, "timestamp_desc": "Content Modification Time"} +{"__container_type__": "event", "__type__": "AttributeContainer", "body": "[997.390602] sda2: rw=0, want=65, limit=2", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2014, 11, 18, 8, 30, 20]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "inode": "-", "message": "[kernel] [997.390602] sda2: rw=0, want=65, limit=2", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "reporter": "kernel", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1416299420000000, "timestamp_desc": "Content Modification Time"} +{"__container_type__": "event", "__type__": "AttributeContainer", "body": "[998.390602] sda2: rw=0, want=66, limit=2", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2014, 11, 18, 8, 31, 20]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "victoria", "inode": "-", "message": "[kernel] [998.390602] sda2: rw=0, want=66, limit=2", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "reporter": "kernel", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1416299480000000, "timestamp_desc": "Content Modification Time"} +{"__container_type__": "event", "__type__": "AttributeContainer", 
"attribute_names": ["security.selinux"], "data_type": "fs:stat", "date_time": {"__class_name__": "PosixTimeInNanoseconds", "__type__": "DateTimeValues", "timestamp": 1711612474785375326}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "file_entry_type": "file", "file_size": 1509, "file_system_type": "OS", "filename": "/tmp/test/test_data/syslog/syslog", "group_identifier": 1000, "inode": "3487956", "is_allocated": true, "message": "OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1", "mode": 420, "number_of_links": 1, "owner_identifier": 1000, "parser": "filestat", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1711612474785375, "timestamp_desc": "Content Modification Time"} +{"__container_type__": "event", "__type__": "AttributeContainer", "attribute_names": ["security.selinux"], "data_type": "fs:stat", "date_time": {"__class_name__": "PosixTimeInNanoseconds", "__type__": "DateTimeValues", "timestamp": 1711612474785375326}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "file_entry_type": "file", "file_size": 1509, "file_system_type": "OS", "filename": "/tmp/test/test_data/syslog/syslog", "group_identifier": 1000, "inode": "3487956", "is_allocated": true, "message": "OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1", "mode": 420, "number_of_links": 1, "owner_identifier": 1000, "parser": "filestat", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1711612474785375, "timestamp_desc": "Metadata Modification Time"} +{"__container_type__": "event", "__type__": "AttributeContainer", 
"attribute_names": ["security.selinux"], "data_type": "fs:stat", "date_time": {"__class_name__": "PosixTimeInNanoseconds", "__type__": "DateTimeValues", "timestamp": 1711612476751357520}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "file_entry_type": "file", "file_size": 1509, "file_system_type": "OS", "filename": "/tmp/test/test_data/syslog/syslog", "group_identifier": 1000, "inode": "3487956", "is_allocated": true, "message": "OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1", "mode": 420, "number_of_links": 1, "owner_identifier": 1000, "parser": "filestat", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1711612476751358, "timestamp_desc": "Last Access Time"} +{"__container_type__": "event", "__type__": "AttributeContainer", "attribute_names": ["security.selinux"], "data_type": "fs:stat", "date_time": {"__class_name__": "PosixTimeInNanoseconds", "__type__": "DateTimeValues", "timestamp": 1711612480393324534}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "file_entry_type": "file", "file_size": 1509, "file_system_type": "OS", "filename": "/tmp/test/test_data/syslog/syslog", "group_identifier": 1000, "inode": "3487956", "is_allocated": true, "message": "OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1", "mode": 420, "number_of_links": 1, "owner_identifier": 1000, "parser": "filestat", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1711612480393325, "timestamp_desc": "Last Access Time"} 
diff --git a/test_data/end_to_end/l2tcsv.log b/test_data/end_to_end/l2tcsv.log index 9f3997d622..d9cd2325cb 100644 --- a/test_data/end_to_end/l2tcsv.log +++ b/test_data/end_to_end/l2tcsv.log 
@@ -1,20 +1,20 @@ date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra -01/22/2012,07:52:33,UTC,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[client pid: 30840] INFO No change in [/etc/netgroup]. Done,[client pid: 30840] INFO No change in [/etc/netgroup]. Done,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -01/22/2012,07:52:33,UTC,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[client pid: 30840] INFO No new content in ímynd.dd.,[client pid: 30840] INFO No new content in ímynd.dd.,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -01/22/2012,07:53:01,UTC,M...,LOG,Cron log,Content Modification Time,root,myhostname.myhost.com,(root) CMD (touch /var/run/crond.somecheck),Cron ran: touch /var/run/crond.somecheck for user: root pid: 31051,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,reporter: CRON; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -01/22/2012,07:54:01,UTC,M...,LOG,Cron log,Content Modification Time,root,myhostname.myhost.com,(root) CMD (touch /var/run/crond.somecheck),Cron ran: touch /var/run/crond.somecheck for user: root pid: 31068,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,reporter: CRON; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -01/22/2012,07:54:01,UTC,M...,LOG,Cron log,Content Modification Time,root,myhostname.myhost.com,(root) CMD (/sbin/status.mycheck)),Cron ran: /sbin/status.mycheck) for user: root pid: 31067,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,reporter: CRON; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -01/22/2012,07:54:32,UTC,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[Job] `cron.daily' 
terminated,[Job] `cron.daily' terminated,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -02/29/2012,01:15:43,UTC,M...,LOG,Log File,Content Modification Time,-,:,[---] testing leap year in parsing events take place in 2012 ---,[---] testing leap year in parsing events take place in 2012 ---,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -12/18/2012,17:54:32,UTC,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[anacron pid: 1234] No true exit can exist (124 job run),[anacron pid: 1234] No true exit can exist (124 job run),2,OS:/tmp/test/test_data/syslog,-,exit1 exit2,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -03/23/2013,23:01:18,UTC,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[somrandomexe pid: 19] This syslog message has a fractional value for seconds.,[somrandomexe pid: 19] This syslog message has a fractional value for seconds.,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -03/23/2013,23:01:18,UTC,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[somrandomexe pid: 1915] This syslog message is brought to you by me (and no...,[somrandomexe pid: 1915] This syslog message is brought to you by me (and not the other guy),2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -11/18/2013,01:15:20,UTC,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[aprocess pid: 10100] This is a multi-line message that screws up many syslo...,[aprocess pid: 10100] This is a multi-line message that screws up many syslog 
parsers.,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -12/31/2013,17:54:32,UTC,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[/sbin/anacron pid: 1234] Another one just like this (124 job run),[/sbin/anacron pid: 1234] Another one just like this (124 job run),2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -02/06/2014,15:16:30,UTC,M...,LOG,Log File,Content Modification Time,-,victoria,[process pid: 2085] Test message with single character day,[process pid: 2085] Test message with single character day,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -11/18/2014,01:15:43,UTC,M...,LOG,Log File,Content Modification Time,-,:,[---] last message repeated 5 times ---,[---] last message repeated 5 times ---,2,OS:/tmp/test/test_data/syslog,-,repeated,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -11/18/2014,08:30:20,UTC,M...,LOG,Log File,Content Modification Time,-,-,[kernel] [997.390602] sda2: rw=0 want=65 limit=2,[kernel] [997.390602] sda2: rw=0 want=65 limit=2,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -11/18/2014,08:31:20,UTC,M...,LOG,Log File,Content Modification Time,-,victoria,[kernel] [998.390602] sda2: rw=0 want=66 limit=2,[kernel] [998.390602] sda2: rw=0 want=66 limit=2,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -03/27/2023,03:47:03,UTC,M.C.,FILE,File stat,Content Modification Time; Metadata Modification Time,-,-,/tmp/test/test_data/syslog,OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 
Number of links: 1,2,OS:/tmp/test/test_data/syslog,762256,-,filestat,attribute_names: ['security.selinux']; file_size: 1509; file_system_type: OS; is_allocated: True; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -03/27/2023,03:47:05,UTC,.A..,FILE,File stat,Last Access Time,-,-,/tmp/test/test_data/syslog,OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,2,OS:/tmp/test/test_data/syslog,762256,-,filestat,attribute_names: ['security.selinux']; file_size: 1509; file_system_type: OS; is_allocated: True; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -03/27/2023,03:47:08,UTC,.A..,FILE,File stat,Last Access Time,-,-,/tmp/test/test_data/syslog,OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,2,OS:/tmp/test/test_data/syslog,762256,-,filestat,attribute_names: ['security.selinux']; file_size: 1509; file_system_type: OS; is_allocated: True; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +01/22/2012,07:52:33,UTC,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[client pid: 30840] INFO No change in [/etc/netgroup]. Done,[client pid: 30840] INFO No change in [/etc/netgroup]. 
Done,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +01/22/2012,07:52:33,UTC,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[client pid: 30840] INFO No new content in ímynd.dd.,[client pid: 30840] INFO No new content in ímynd.dd.,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +01/22/2012,07:53:01,UTC,M...,LOG,Cron log,Content Modification Time,root,myhostname.myhost.com,(root) CMD (touch /var/run/crond.somecheck),Cron ran: touch /var/run/crond.somecheck for user: root pid: 31051,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,reporter: CRON; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +01/22/2012,07:54:01,UTC,M...,LOG,Cron log,Content Modification Time,root,myhostname.myhost.com,(root) CMD (touch /var/run/crond.somecheck),Cron ran: touch /var/run/crond.somecheck for user: root pid: 31068,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,reporter: CRON; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +01/22/2012,07:54:01,UTC,M...,LOG,Cron log,Content Modification Time,root,myhostname.myhost.com,(root) CMD (/sbin/status.mycheck)),Cron ran: /sbin/status.mycheck) for user: root pid: 31067,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,reporter: CRON; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +01/22/2012,07:54:32,UTC,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[Job] `cron.daily' terminated,[Job] `cron.daily' terminated,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +02/29/2012,01:15:43,UTC,M...,LOG,Log File,Content Modification Time,-,:,[---] testing leap year in parsing events take 
place in 2012 ---,[---] testing leap year in parsing events take place in 2012 ---,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +12/18/2012,17:54:32,UTC,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[anacron pid: 1234] No true exit can exist (124 job run),[anacron pid: 1234] No true exit can exist (124 job run),2,OS:/tmp/test/test_data/syslog/syslog,-,exit1 exit2,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +03/23/2013,23:01:18,UTC,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[somrandomexe pid: 1915] This syslog message is brought to you by me (and no...,[somrandomexe pid: 1915] This syslog message is brought to you by me (and not the other guy),2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +03/23/2013,23:01:18,UTC,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[somrandomexe pid: 19] This syslog message has a fractional value for seconds.,[somrandomexe pid: 19] This syslog message has a fractional value for seconds.,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +11/18/2013,01:15:20,UTC,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[aprocess pid: 10100] This is a multi-line message that screws up many syslo...,[aprocess pid: 10100] This is a multi-line message that screws up many syslog parsers.,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +12/31/2013,17:54:32,UTC,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[/sbin/anacron pid: 1234] Another one just like this (124 job run),[/sbin/anacron pid: 1234] Another one 
just like this (124 job run),2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +02/06/2014,15:16:30,UTC,M...,LOG,Log File,Content Modification Time,-,victoria,[process pid: 2085] Test message with single character day,[process pid: 2085] Test message with single character day,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +11/18/2014,01:15:43,UTC,M...,LOG,Log File,Content Modification Time,-,:,[---] last message repeated 5 times ---,[---] last message repeated 5 times ---,2,OS:/tmp/test/test_data/syslog/syslog,-,repeated,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +11/18/2014,08:30:20,UTC,M...,LOG,Log File,Content Modification Time,-,-,[kernel] [997.390602] sda2: rw=0 want=65 limit=2,[kernel] [997.390602] sda2: rw=0 want=65 limit=2,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +11/18/2014,08:31:20,UTC,M...,LOG,Log File,Content Modification Time,-,victoria,[kernel] [998.390602] sda2: rw=0 want=66 limit=2,[kernel] [998.390602] sda2: rw=0 want=66 limit=2,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +03/28/2024,07:54:34,UTC,M.C.,FILE,File stat,Content Modification Time; Metadata Modification Time,-,-,/tmp/test/test_data/syslog/syslog,OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,2,OS:/tmp/test/test_data/syslog/syslog,3487956,-,filestat,attribute_names: ['security.selinux']; file_size: 1509; file_system_type: OS; is_allocated: True; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +03/28/2024,07:54:36,UTC,.A..,FILE,File 
stat,Last Access Time,-,-,/tmp/test/test_data/syslog/syslog,OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,2,OS:/tmp/test/test_data/syslog/syslog,3487956,-,filestat,attribute_names: ['security.selinux']; file_size: 1509; file_system_type: OS; is_allocated: True; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +03/28/2024,07:54:40,UTC,.A..,FILE,File stat,Last Access Time,-,-,/tmp/test/test_data/syslog/syslog,OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,2,OS:/tmp/test/test_data/syslog/syslog,3487956,-,filestat,attribute_names: ['security.selinux']; file_size: 1509; file_system_type: OS; is_allocated: True; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 diff --git a/test_data/end_to_end/l2tcsv_time_zone.log b/test_data/end_to_end/l2tcsv_time_zone.log index fcd0657766..9a5b2db7ec 100644 --- a/test_data/end_to_end/l2tcsv_time_zone.log +++ b/test_data/end_to_end/l2tcsv_time_zone.log 
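Review bot: The three regenerated `filestat` rows at the end of this hunk embed host-specific values — inode `3487956` (previously `762256`) and access/modification times of `03/28/2024` (previously `03/27/2023`) — which are whatever the extracted sdist copy of `test_data/syslog/syslog` happened to have on the machine that ran the generator. Unless the end-to-end comparison masks the inode, date and time columns for `FILE,File stat` rows, this expected output will only match on the machine that produced it, and the same drift is visible in the JSON-lines fixture earlier in the diff and in `l2tcsv_time_zone.log`. Either normalize those columns in the comparison step or exclude the `filestat` rows from the fixture, and note that choice in a comment at the top of `generate_test_files.sh` (for example `# filestat rows carry inode and timestamps of the extracted sdist; the e2e check must ignore them`). The `sha256_hash` of the syslog input is stable across regenerations and remains a reliable anchor for the check.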
@@ -1,20 +1,20 @@ date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra -01/22/2012,08:52:33,CET,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[client pid: 30840] INFO No change in [/etc/netgroup]. Done,[client pid: 30840] INFO No change in [/etc/netgroup]. Done,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -01/22/2012,08:52:33,CET,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[client pid: 30840] INFO No new content in ímynd.dd.,[client pid: 30840] INFO No new content in ímynd.dd.,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -01/22/2012,08:53:01,CET,M...,LOG,Cron log,Content Modification Time,root,myhostname.myhost.com,(root) CMD (touch /var/run/crond.somecheck),Cron ran: touch /var/run/crond.somecheck for user: root pid: 31051,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,reporter: CRON; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -01/22/2012,08:54:01,CET,M...,LOG,Cron log,Content Modification Time,root,myhostname.myhost.com,(root) CMD (touch /var/run/crond.somecheck),Cron ran: touch /var/run/crond.somecheck for user: root pid: 31068,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,reporter: CRON; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -01/22/2012,08:54:01,CET,M...,LOG,Cron log,Content Modification Time,root,myhostname.myhost.com,(root) CMD (/sbin/status.mycheck)),Cron ran: /sbin/status.mycheck) for user: root pid: 31067,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,reporter: CRON; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -01/22/2012,08:54:32,CET,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[Job] `cron.daily' 
terminated,[Job] `cron.daily' terminated,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -02/29/2012,02:15:43,CET,M...,LOG,Log File,Content Modification Time,-,:,[---] testing leap year in parsing events take place in 2012 ---,[---] testing leap year in parsing events take place in 2012 ---,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -12/18/2012,18:54:32,CET,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[anacron pid: 1234] No true exit can exist (124 job run),[anacron pid: 1234] No true exit can exist (124 job run),2,OS:/tmp/test/test_data/syslog,-,exit1 exit2,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -03/24/2013,00:01:18,CET,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[somrandomexe pid: 19] This syslog message has a fractional value for seconds.,[somrandomexe pid: 19] This syslog message has a fractional value for seconds.,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -03/24/2013,00:01:18,CET,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[somrandomexe pid: 1915] This syslog message is brought to you by me (and no...,[somrandomexe pid: 1915] This syslog message is brought to you by me (and not the other guy),2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -11/18/2013,02:15:20,CET,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[aprocess pid: 10100] This is a multi-line message that screws up many syslo...,[aprocess pid: 10100] This is a multi-line message that screws up many syslog 
parsers.,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -12/31/2013,18:54:32,CET,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[/sbin/anacron pid: 1234] Another one just like this (124 job run),[/sbin/anacron pid: 1234] Another one just like this (124 job run),2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -02/06/2014,16:16:30,CET,M...,LOG,Log File,Content Modification Time,-,victoria,[process pid: 2085] Test message with single character day,[process pid: 2085] Test message with single character day,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -11/18/2014,02:15:43,CET,M...,LOG,Log File,Content Modification Time,-,:,[---] last message repeated 5 times ---,[---] last message repeated 5 times ---,2,OS:/tmp/test/test_data/syslog,-,repeated,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -11/18/2014,09:30:20,CET,M...,LOG,Log File,Content Modification Time,-,-,[kernel] [997.390602] sda2: rw=0 want=65 limit=2,[kernel] [997.390602] sda2: rw=0 want=65 limit=2,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -11/18/2014,09:31:20,CET,M...,LOG,Log File,Content Modification Time,-,victoria,[kernel] [998.390602] sda2: rw=0 want=66 limit=2,[kernel] [998.390602] sda2: rw=0 want=66 limit=2,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -03/27/2023,05:47:03,CEST,M.C.,FILE,File stat,Content Modification Time; Metadata Modification Time,-,-,/tmp/test/test_data/syslog,OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 
0o644 Number of links: 1,2,OS:/tmp/test/test_data/syslog,762256,-,filestat,attribute_names: ['security.selinux']; file_size: 1509; file_system_type: OS; is_allocated: True; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -03/27/2023,05:47:05,CEST,.A..,FILE,File stat,Last Access Time,-,-,/tmp/test/test_data/syslog,OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,2,OS:/tmp/test/test_data/syslog,762256,-,filestat,attribute_names: ['security.selinux']; file_size: 1509; file_system_type: OS; is_allocated: True; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -03/27/2023,05:47:08,CEST,.A..,FILE,File stat,Last Access Time,-,-,/tmp/test/test_data/syslog,OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,2,OS:/tmp/test/test_data/syslog,762256,-,filestat,attribute_names: ['security.selinux']; file_size: 1509; file_system_type: OS; is_allocated: True; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +01/22/2012,08:52:33,CET,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[client pid: 30840] INFO No change in [/etc/netgroup]. Done,[client pid: 30840] INFO No change in [/etc/netgroup]. 
Done,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +01/22/2012,08:52:33,CET,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[client pid: 30840] INFO No new content in ímynd.dd.,[client pid: 30840] INFO No new content in ímynd.dd.,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +01/22/2012,08:53:01,CET,M...,LOG,Cron log,Content Modification Time,root,myhostname.myhost.com,(root) CMD (touch /var/run/crond.somecheck),Cron ran: touch /var/run/crond.somecheck for user: root pid: 31051,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,reporter: CRON; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +01/22/2012,08:54:01,CET,M...,LOG,Cron log,Content Modification Time,root,myhostname.myhost.com,(root) CMD (touch /var/run/crond.somecheck),Cron ran: touch /var/run/crond.somecheck for user: root pid: 31068,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,reporter: CRON; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +01/22/2012,08:54:01,CET,M...,LOG,Cron log,Content Modification Time,root,myhostname.myhost.com,(root) CMD (/sbin/status.mycheck)),Cron ran: /sbin/status.mycheck) for user: root pid: 31067,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,reporter: CRON; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +01/22/2012,08:54:32,CET,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[Job] `cron.daily' terminated,[Job] `cron.daily' terminated,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +02/29/2012,02:15:43,CET,M...,LOG,Log File,Content Modification Time,-,:,[---] testing leap year in parsing events take 
place in 2012 ---,[---] testing leap year in parsing events take place in 2012 ---,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +12/18/2012,18:54:32,CET,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[anacron pid: 1234] No true exit can exist (124 job run),[anacron pid: 1234] No true exit can exist (124 job run),2,OS:/tmp/test/test_data/syslog/syslog,-,exit1 exit2,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +03/24/2013,00:01:18,CET,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[somrandomexe pid: 1915] This syslog message is brought to you by me (and no...,[somrandomexe pid: 1915] This syslog message is brought to you by me (and not the other guy),2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +03/24/2013,00:01:18,CET,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[somrandomexe pid: 19] This syslog message has a fractional value for seconds.,[somrandomexe pid: 19] This syslog message has a fractional value for seconds.,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +11/18/2013,02:15:20,CET,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[aprocess pid: 10100] This is a multi-line message that screws up many syslo...,[aprocess pid: 10100] This is a multi-line message that screws up many syslog parsers.,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +12/31/2013,18:54:32,CET,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[/sbin/anacron pid: 1234] Another one just like this (124 job run),[/sbin/anacron pid: 1234] Another one 
just like this (124 job run),2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +02/06/2014,16:16:30,CET,M...,LOG,Log File,Content Modification Time,-,victoria,[process pid: 2085] Test message with single character day,[process pid: 2085] Test message with single character day,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +11/18/2014,02:15:43,CET,M...,LOG,Log File,Content Modification Time,-,:,[---] last message repeated 5 times ---,[---] last message repeated 5 times ---,2,OS:/tmp/test/test_data/syslog/syslog,-,repeated,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +11/18/2014,09:30:20,CET,M...,LOG,Log File,Content Modification Time,-,-,[kernel] [997.390602] sda2: rw=0 want=65 limit=2,[kernel] [997.390602] sda2: rw=0 want=65 limit=2,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +11/18/2014,09:31:20,CET,M...,LOG,Log File,Content Modification Time,-,victoria,[kernel] [998.390602] sda2: rw=0 want=66 limit=2,[kernel] [998.390602] sda2: rw=0 want=66 limit=2,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +03/28/2024,08:54:34,CET,M.C.,FILE,File stat,Content Modification Time; Metadata Modification Time,-,-,/tmp/test/test_data/syslog/syslog,OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,2,OS:/tmp/test/test_data/syslog/syslog,3487956,-,filestat,attribute_names: ['security.selinux']; file_size: 1509; file_system_type: OS; is_allocated: True; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +03/28/2024,08:54:36,CET,.A..,FILE,File 
stat,Last Access Time,-,-,/tmp/test/test_data/syslog/syslog,OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,2,OS:/tmp/test/test_data/syslog/syslog,3487956,-,filestat,attribute_names: ['security.selinux']; file_size: 1509; file_system_type: OS; is_allocated: True; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +03/28/2024,08:54:40,CET,.A..,FILE,File stat,Last Access Time,-,-,/tmp/test/test_data/syslog/syslog,OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,2,OS:/tmp/test/test_data/syslog/syslog,3487956,-,filestat,attribute_names: ['security.selinux']; file_size: 1509; file_system_type: OS; is_allocated: True; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 diff --git a/test_data/end_to_end/l2ttln.log b/test_data/end_to_end/l2ttln.log index 06ac6cd0bd..04c73a792a 100644 --- a/test_data/end_to_end/l2ttln.log +++ b/test_data/end_to_end/l2ttln.log 
@@ -1,21 +1,21 @@ Time|Source|Host|User|Description|TZ|Notes -1327218753|LOG|myhostname.myhost.com|-|2012-01-22T07:52:33+00:00; Content Modification Time; [client, pid: 30840] INFO No change in [/etc/netgroup]. Done|UTC|File: OS:/tmp/test/test_data/syslog -1327218753|LOG|myhostname.myhost.com|-|2012-01-22T07:52:33+00:00; Content Modification Time; [client, pid: 30840] INFO No new content in ímynd.dd.|UTC|File: OS:/tmp/test/test_data/syslog -1327218781|LOG|myhostname.myhost.com|root|2012-01-22T07:53:01+00:00; Content Modification Time; Cron ran: touch /var/run/crond.somecheck for user: root pid: 31051|UTC|File: OS:/tmp/test/test_data/syslog -1327218841|LOG|myhostname.myhost.com|root|2012-01-22T07:54:01+00:00; Content Modification Time; Cron ran: /sbin/status.mycheck) for user: root pid: 31067|UTC|File: OS:/tmp/test/test_data/syslog -1327218841|LOG|myhostname.myhost.com|root|2012-01-22T07:54:01+00:00; Content Modification Time; Cron ran: touch /var/run/crond.somecheck for user: root pid: 31068|UTC|File: OS:/tmp/test/test_data/syslog -1327218872|LOG|myhostname.myhost.com|-|2012-01-22T07:54:32+00:00; Content Modification Time; [Job] `cron.daily' terminated|UTC|File: OS:/tmp/test/test_data/syslog -1330478143|LOG|:|-|2012-02-29T01:15:43+00:00; Content Modification Time; [---] testing leap year in parsing, events take place in 2012 ---|UTC|File: OS:/tmp/test/test_data/syslog -1355853272|LOG|myhostname.myhost.com|-|2012-12-18T17:54:32+00:00; Content Modification Time; [anacron, pid: 1234] No true exit can exist (124 job run)|UTC|File: OS:/tmp/test/test_data/syslog -1364079678|LOG|myhostname.myhost.com|-|2013-03-23T23:01:18+00:00; Content Modification Time; [somrandomexe, pid: 1915] This syslog message is brought to you by me (and not the other guy)|UTC|File: OS:/tmp/test/test_data/syslog -1364079678|LOG|myhostname.myhost.com|-|2013-03-23T23:01:18+00:00; Content Modification Time; [somrandomexe, pid: 19] This syslog message has a fractional value for seconds.|UTC|File: 
OS:/tmp/test/test_data/syslog -1384737320|LOG|myhostname.myhost.com|-|2013-11-18T01:15:20+00:00; Content Modification Time; [aprocess, pid: 10100] This is a multi-line message that screws up many syslog parsers.|UTC|File: OS:/tmp/test/test_data/syslog -1388512472|LOG|myhostname.myhost.com|-|2013-12-31T17:54:32+00:00; Content Modification Time; [/sbin/anacron, pid: 1234] Another one just like this (124 job run)|UTC|File: OS:/tmp/test/test_data/syslog -1391699790|LOG|victoria|-|2014-02-06T15:16:30+00:00; Content Modification Time; [process, pid: 2085] Test message with single character day|UTC|File: OS:/tmp/test/test_data/syslog -1416273343|LOG|:|-|2014-11-18T01:15:43+00:00; Content Modification Time; [---] last message repeated 5 times ---|UTC|File: OS:/tmp/test/test_data/syslog -1416299420|LOG|-|-|2014-11-18T08:30:20+00:00; Content Modification Time; [kernel] [997.390602] sda2: rw=0, want=65, limit=2|UTC|File: OS:/tmp/test/test_data/syslog -1416299480|LOG|victoria|-|2014-11-18T08:31:20+00:00; Content Modification Time; [kernel] [998.390602] sda2: rw=0, want=66, limit=2|UTC|File: OS:/tmp/test/test_data/syslog -1679888823|FILE|-|-|2023-03-27T03:47:03.767380870+00:00; Content Modification Time; OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1|UTC|File: OS:/tmp/test/test_data/syslog inode: 762256 -1679888823|FILE|-|-|2023-03-27T03:47:03.767380870+00:00; Metadata Modification Time; OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1|UTC|File: OS:/tmp/test/test_data/syslog inode: 762256 -1679888825|FILE|-|-|2023-03-27T03:47:05.830382781+00:00; Last Access Time; OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1|UTC|File: OS:/tmp/test/test_data/syslog inode: 762256 -1679888828|FILE|-|-|2023-03-27T03:47:08.884385609+00:00; Last Access Time; OS:/tmp/test/test_data/syslog 
Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1|UTC|File: OS:/tmp/test/test_data/syslog inode: 762256 +1327218753|LOG|myhostname.myhost.com|-|2012-01-22T07:52:33+00:00; Content Modification Time; [client, pid: 30840] INFO No change in [/etc/netgroup]. Done|UTC|File: OS:/tmp/test/test_data/syslog/syslog +1327218753|LOG|myhostname.myhost.com|-|2012-01-22T07:52:33+00:00; Content Modification Time; [client, pid: 30840] INFO No new content in ímynd.dd.|UTC|File: OS:/tmp/test/test_data/syslog/syslog +1327218781|LOG|myhostname.myhost.com|root|2012-01-22T07:53:01+00:00; Content Modification Time; Cron ran: touch /var/run/crond.somecheck for user: root pid: 31051|UTC|File: OS:/tmp/test/test_data/syslog/syslog +1327218841|LOG|myhostname.myhost.com|root|2012-01-22T07:54:01+00:00; Content Modification Time; Cron ran: /sbin/status.mycheck) for user: root pid: 31067|UTC|File: OS:/tmp/test/test_data/syslog/syslog +1327218841|LOG|myhostname.myhost.com|root|2012-01-22T07:54:01+00:00; Content Modification Time; Cron ran: touch /var/run/crond.somecheck for user: root pid: 31068|UTC|File: OS:/tmp/test/test_data/syslog/syslog +1327218872|LOG|myhostname.myhost.com|-|2012-01-22T07:54:32+00:00; Content Modification Time; [Job] `cron.daily' terminated|UTC|File: OS:/tmp/test/test_data/syslog/syslog +1330478143|LOG|:|-|2012-02-29T01:15:43+00:00; Content Modification Time; [---] testing leap year in parsing, events take place in 2012 ---|UTC|File: OS:/tmp/test/test_data/syslog/syslog +1355853272|LOG|myhostname.myhost.com|-|2012-12-18T17:54:32+00:00; Content Modification Time; [anacron, pid: 1234] No true exit can exist (124 job run)|UTC|File: OS:/tmp/test/test_data/syslog/syslog +1364079678|LOG|myhostname.myhost.com|-|2013-03-23T23:01:18+00:00; Content Modification Time; [somrandomexe, pid: 1915] This syslog message is brought to you by me (and not the other guy)|UTC|File: OS:/tmp/test/test_data/syslog/syslog 
+1364079678|LOG|myhostname.myhost.com|-|2013-03-23T23:01:18+00:00; Content Modification Time; [somrandomexe, pid: 19] This syslog message has a fractional value for seconds.|UTC|File: OS:/tmp/test/test_data/syslog/syslog +1384737320|LOG|myhostname.myhost.com|-|2013-11-18T01:15:20+00:00; Content Modification Time; [aprocess, pid: 10100] This is a multi-line message that screws up many syslog parsers.|UTC|File: OS:/tmp/test/test_data/syslog/syslog +1388512472|LOG|myhostname.myhost.com|-|2013-12-31T17:54:32+00:00; Content Modification Time; [/sbin/anacron, pid: 1234] Another one just like this (124 job run)|UTC|File: OS:/tmp/test/test_data/syslog/syslog +1391699790|LOG|victoria|-|2014-02-06T15:16:30+00:00; Content Modification Time; [process, pid: 2085] Test message with single character day|UTC|File: OS:/tmp/test/test_data/syslog/syslog +1416273343|LOG|:|-|2014-11-18T01:15:43+00:00; Content Modification Time; [---] last message repeated 5 times ---|UTC|File: OS:/tmp/test/test_data/syslog/syslog +1416299420|LOG|-|-|2014-11-18T08:30:20+00:00; Content Modification Time; [kernel] [997.390602] sda2: rw=0, want=65, limit=2|UTC|File: OS:/tmp/test/test_data/syslog/syslog +1416299480|LOG|victoria|-|2014-11-18T08:31:20+00:00; Content Modification Time; [kernel] [998.390602] sda2: rw=0, want=66, limit=2|UTC|File: OS:/tmp/test/test_data/syslog/syslog +1711612474|FILE|-|-|2024-03-28T07:54:34.785375326+00:00; Content Modification Time; OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1|UTC|File: OS:/tmp/test/test_data/syslog/syslog inode: 3487956 +1711612474|FILE|-|-|2024-03-28T07:54:34.785375326+00:00; Metadata Modification Time; OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1|UTC|File: OS:/tmp/test/test_data/syslog/syslog inode: 3487956 +1711612476|FILE|-|-|2024-03-28T07:54:36.751357520+00:00; Last Access Time; 
OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1|UTC|File: OS:/tmp/test/test_data/syslog/syslog inode: 3487956 +1711612480|FILE|-|-|2024-03-28T07:54:40.393324534+00:00; Last Access Time; OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1|UTC|File: OS:/tmp/test/test_data/syslog/syslog inode: 3487956 diff --git a/test_data/end_to_end/rawpy.log b/test_data/end_to_end/rawpy.log index 34c10c51bb..e94ac7e7b4 100644 --- a/test_data/end_to_end/rawpy.log +++ b/test_data/end_to_end/rawpy.log @@ -3,13 +3,13 @@ 2012-01-22T07:52:33.000000+00:00 [Pathspec]: - type: OS, location: /tmp/test/test_data/syslog + type: OS, location: /tmp/test/test_data/syslog/syslog [Reserved attributes]: {body} INFO No change in [/etc/netgroup]. Done {data_type} syslog:line - {display_name} OS:/tmp/test/test_data/syslog - (unknown) /tmp/test/test_data/syslog + {display_name} OS:/tmp/test/test_data/syslog/syslog + (unknown) /tmp/test/test_data/syslog/syslog {hostname} myhostname.myhost.com {inode} - {parser} text/syslog_traditional @@ -24,13 +24,13 @@ 2012-01-22T07:52:33.000000+00:00 [Pathspec]: - type: OS, location: /tmp/test/test_data/syslog + type: OS, location: /tmp/test/test_data/syslog/syslog [Reserved attributes]: {body} INFO No new content in ímynd.dd. {data_type} syslog:line - {display_name} OS:/tmp/test/test_data/syslog - (unknown) /tmp/test/test_data/syslog + {display_name} OS:/tmp/test/test_data/syslog/syslog + (unknown) /tmp/test/test_data/syslog/syslog {hostname} myhostname.myhost.com {inode} - {parser} text/syslog_traditional 
@@ -45,13 +45,13 @@ 2012-01-22T07:53:01.000000+00:00 [Pathspec]: - type: OS, location: /tmp/test/test_data/syslog + type: OS, location: /tmp/test/test_data/syslog/syslog [Reserved attributes]: {body} (root) CMD (touch /var/run/crond.somecheck) {data_type} syslog:cron:task_run - {display_name} OS:/tmp/test/test_data/syslog - (unknown) /tmp/test/test_data/syslog + {display_name} OS:/tmp/test/test_data/syslog/syslog + (unknown) /tmp/test/test_data/syslog/syslog {hostname} myhostname.myhost.com {inode} - {parser} text/syslog_traditional @@ -68,13 +68,13 @@ 2012-01-22T07:54:01.000000+00:00 [Pathspec]: - type: OS, location: /tmp/test/test_data/syslog + type: OS, location: /tmp/test/test_data/syslog/syslog [Reserved attributes]: {body} (root) CMD (touch /var/run/crond.somecheck) {data_type} syslog:cron:task_run - {display_name} OS:/tmp/test/test_data/syslog - (unknown) /tmp/test/test_data/syslog + {display_name} OS:/tmp/test/test_data/syslog/syslog + (unknown) /tmp/test/test_data/syslog/syslog {hostname} myhostname.myhost.com {inode} - {parser} text/syslog_traditional @@ -91,13 +91,13 @@ 2012-01-22T07:54:01.000000+00:00 [Pathspec]: - type: OS, location: /tmp/test/test_data/syslog + type: OS, location: /tmp/test/test_data/syslog/syslog [Reserved attributes]: {body} (root) CMD (/sbin/status.mycheck)) {data_type} syslog:cron:task_run - {display_name} OS:/tmp/test/test_data/syslog - (unknown) /tmp/test/test_data/syslog + {display_name} OS:/tmp/test/test_data/syslog/syslog + (unknown) /tmp/test/test_data/syslog/syslog {hostname} myhostname.myhost.com {inode} - {parser} text/syslog_traditional 
@@ -114,13 +114,13 @@ 2012-01-22T07:54:32.000000+00:00 [Pathspec]: - type: OS, location: /tmp/test/test_data/syslog + type: OS, location: /tmp/test/test_data/syslog/syslog [Reserved attributes]: {body} `cron.daily' terminated {data_type} syslog:line - {display_name} OS:/tmp/test/test_data/syslog - (unknown) /tmp/test/test_data/syslog + {display_name} OS:/tmp/test/test_data/syslog/syslog + (unknown) /tmp/test/test_data/syslog/syslog {hostname} myhostname.myhost.com {inode} - {parser} text/syslog_traditional @@ -134,13 +134,13 @@ 2012-02-29T01:15:43.000000+00:00 [Pathspec]: - type: OS, location: /tmp/test/test_data/syslog + type: OS, location: /tmp/test/test_data/syslog/syslog [Reserved attributes]: {body} testing leap year in parsing, events take place in 2012 --- {data_type} syslog:line - {display_name} OS:/tmp/test/test_data/syslog - (unknown) /tmp/test/test_data/syslog + {display_name} OS:/tmp/test/test_data/syslog/syslog + (unknown) /tmp/test/test_data/syslog/syslog {hostname} : {inode} - {parser} text/syslog_traditional @@ -154,13 +154,13 @@ 2012-12-18T17:54:32.000000+00:00 [Pathspec]: - type: OS, location: /tmp/test/test_data/syslog + type: OS, location: /tmp/test/test_data/syslog/syslog [Reserved attributes]: {body} No true exit can exist (124 job run) {data_type} syslog:line - {display_name} OS:/tmp/test/test_data/syslog - (unknown) /tmp/test/test_data/syslog + {display_name} OS:/tmp/test/test_data/syslog/syslog + (unknown) /tmp/test/test_data/syslog/syslog {hostname} myhostname.myhost.com {inode} - {parser} text/syslog_traditional 
@@ -178,19 +178,19 @@ 2013-03-23T23:01:18.000000+00:00 [Pathspec]: - type: OS, location: /tmp/test/test_data/syslog + type: OS, location: /tmp/test/test_data/syslog/syslog [Reserved attributes]: - {body} This syslog message has a fractional value for seconds. + {body} This syslog message is brought to you by me (and not the other guy) {data_type} syslog:line - {display_name} OS:/tmp/test/test_data/syslog - (unknown) /tmp/test/test_data/syslog + {display_name} OS:/tmp/test/test_data/syslog/syslog + (unknown) /tmp/test/test_data/syslog/syslog {hostname} myhostname.myhost.com {inode} - {parser} text/syslog_traditional [Additional attributes]: - {pid} 19 + {pid} 1915 {reporter} somrandomexe {sha256_hash} 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 @@ -199,19 +199,19 @@ 2013-03-23T23:01:18.000000+00:00 [Pathspec]: - type: OS, location: /tmp/test/test_data/syslog + type: OS, location: /tmp/test/test_data/syslog/syslog [Reserved attributes]: - {body} This syslog message is brought to you by me (and not the other guy) + {body} This syslog message has a fractional value for seconds. {data_type} syslog:line - {display_name} OS:/tmp/test/test_data/syslog - (unknown) /tmp/test/test_data/syslog + {display_name} OS:/tmp/test/test_data/syslog/syslog + (unknown) /tmp/test/test_data/syslog/syslog {hostname} myhostname.myhost.com {inode} - {parser} text/syslog_traditional [Additional attributes]: - {pid} 1915 + {pid} 19 {reporter} somrandomexe {sha256_hash} 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 
@@ -220,14 +220,14 @@ 2013-11-18T01:15:20.000000+00:00 [Pathspec]: - type: OS, location: /tmp/test/test_data/syslog + type: OS, location: /tmp/test/test_data/syslog/syslog [Reserved attributes]: {body} This is a multi-line message that screws up many syslog parsers. {data_type} syslog:line - {display_name} OS:/tmp/test/test_data/syslog - (unknown) /tmp/test/test_data/syslog + {display_name} OS:/tmp/test/test_data/syslog/syslog + (unknown) /tmp/test/test_data/syslog/syslog {hostname} myhostname.myhost.com {inode} - {parser} text/syslog_traditional @@ -242,13 +242,13 @@ 2013-12-31T17:54:32.000000+00:00 [Pathspec]: - type: OS, location: /tmp/test/test_data/syslog + type: OS, location: /tmp/test/test_data/syslog/syslog [Reserved attributes]: {body} Another one just like this (124 job run) {data_type} syslog:line - {display_name} OS:/tmp/test/test_data/syslog - (unknown) /tmp/test/test_data/syslog + {display_name} OS:/tmp/test/test_data/syslog/syslog + (unknown) /tmp/test/test_data/syslog/syslog {hostname} myhostname.myhost.com {inode} - {parser} text/syslog_traditional @@ -263,13 +263,13 @@ 2014-02-06T15:16:30.000000+00:00 [Pathspec]: - type: OS, location: /tmp/test/test_data/syslog + type: OS, location: /tmp/test/test_data/syslog/syslog [Reserved attributes]: {body} Test message with single character day {data_type} syslog:line - {display_name} OS:/tmp/test/test_data/syslog - (unknown) /tmp/test/test_data/syslog + {display_name} OS:/tmp/test/test_data/syslog/syslog + (unknown) /tmp/test/test_data/syslog/syslog {hostname} victoria {inode} - {parser} text/syslog_traditional 
@@ -284,13 +284,13 @@ 2014-11-18T01:15:43.000000+00:00 [Pathspec]: - type: OS, location: /tmp/test/test_data/syslog + type: OS, location: /tmp/test/test_data/syslog/syslog [Reserved attributes]: {body} last message repeated 5 times --- {data_type} syslog:line - {display_name} OS:/tmp/test/test_data/syslog - (unknown) /tmp/test/test_data/syslog + {display_name} OS:/tmp/test/test_data/syslog/syslog + (unknown) /tmp/test/test_data/syslog/syslog {hostname} : {inode} - {parser} text/syslog_traditional @@ -307,13 +307,13 @@ 2014-11-18T08:30:20.000000+00:00 [Pathspec]: - type: OS, location: /tmp/test/test_data/syslog + type: OS, location: /tmp/test/test_data/syslog/syslog [Reserved attributes]: {body} [997.390602] sda2: rw=0, want=65, limit=2 {data_type} syslog:line - {display_name} OS:/tmp/test/test_data/syslog - (unknown) /tmp/test/test_data/syslog + {display_name} OS:/tmp/test/test_data/syslog/syslog + (unknown) /tmp/test/test_data/syslog/syslog {inode} - {parser} text/syslog_traditional @@ -326,13 +326,13 @@ 2014-11-18T08:31:20.000000+00:00 [Pathspec]: - type: OS, location: /tmp/test/test_data/syslog + type: OS, location: /tmp/test/test_data/syslog/syslog [Reserved attributes]: {body} [998.390602] sda2: rw=0, want=66, limit=2 {data_type} syslog:line - {display_name} OS:/tmp/test/test_data/syslog - (unknown) /tmp/test/test_data/syslog + {display_name} OS:/tmp/test/test_data/syslog/syslog + (unknown) /tmp/test/test_data/syslog/syslog {hostname} victoria {inode} - {parser} text/syslog_traditional 
@@ -343,16 +343,16 @@ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- [Timestamp]: - 2023-03-27T03:47:03.767381+00:00 + 2024-03-28T07:54:34.785375+00:00 [Pathspec]: - type: OS, location: /tmp/test/test_data/syslog + type: OS, location: /tmp/test/test_data/syslog/syslog [Reserved attributes]: {data_type} fs:stat - {display_name} OS:/tmp/test/test_data/syslog - (unknown) /tmp/test/test_data/syslog - {inode} 762256 + {display_name} OS:/tmp/test/test_data/syslog/syslog + (unknown) /tmp/test/test_data/syslog/syslog + {inode} 3487956 {parser} filestat [Additional attributes]: @@ -369,16 +369,16 @@ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- [Timestamp]: - 2023-03-27T03:47:03.767381+00:00 + 2024-03-28T07:54:34.785375+00:00 [Pathspec]: - type: OS, location: /tmp/test/test_data/syslog + type: OS, location: /tmp/test/test_data/syslog/syslog [Reserved attributes]: {data_type} fs:stat - {display_name} OS:/tmp/test/test_data/syslog - (unknown) /tmp/test/test_data/syslog - {inode} 762256 + {display_name} OS:/tmp/test/test_data/syslog/syslog + (unknown) /tmp/test/test_data/syslog/syslog + {inode} 3487956 {parser} filestat [Additional attributes]: @@ -395,16 +395,16 @@ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- [Timestamp]: - 2023-03-27T03:47:05.830383+00:00 + 2024-03-28T07:54:36.751358+00:00 [Pathspec]: - type: OS, location: /tmp/test/test_data/syslog + type: OS, location: /tmp/test/test_data/syslog/syslog [Reserved attributes]: {data_type} fs:stat - {display_name} OS:/tmp/test/test_data/syslog - (unknown) /tmp/test/test_data/syslog - {inode} 762256 + {display_name} OS:/tmp/test/test_data/syslog/syslog + (unknown) /tmp/test/test_data/syslog/syslog + {inode} 3487956 {parser} filestat [Additional attributes]: 
@@ -421,16 +421,16 @@ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- [Timestamp]: - 2023-03-27T03:47:08.884386+00:00 + 2024-03-28T07:54:40.393325+00:00 [Pathspec]: - type: OS, location: /tmp/test/test_data/syslog + type: OS, location: /tmp/test/test_data/syslog/syslog [Reserved attributes]: {data_type} fs:stat - {display_name} OS:/tmp/test/test_data/syslog - (unknown) /tmp/test/test_data/syslog - {inode} 762256 + {display_name} OS:/tmp/test/test_data/syslog/syslog + (unknown) /tmp/test/test_data/syslog/syslog + {inode} 3487956 {parser} filestat [Additional attributes]: diff --git a/test_data/end_to_end/tln.log b/test_data/end_to_end/tln.log index 0b45cfce80..7c8dec2488 100644 --- a/test_data/end_to_end/tln.log +++ b/test_data/end_to_end/tln.log 
@@ -15,7 +15,7 @@ Time|Source|Host|User|Description 1416273343|LOG|:|-|2014-11-18T01:15:43+00:00; Content Modification Time; [---] last message repeated 5 times --- 1416299420|LOG|-|-|2014-11-18T08:30:20+00:00; Content Modification Time; [kernel] [997.390602] sda2: rw=0, want=65, limit=2 1416299480|LOG|victoria|-|2014-11-18T08:31:20+00:00; Content Modification Time; [kernel] [998.390602] sda2: rw=0, want=66, limit=2 -1679888823|FILE|-|-|2023-03-27T03:47:03.767380870+00:00; Content Modification Time; OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1 -1679888823|FILE|-|-|2023-03-27T03:47:03.767380870+00:00; Metadata Modification Time; OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1 -1679888825|FILE|-|-|2023-03-27T03:47:05.830382781+00:00; Last Access Time; OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1 -1679888828|FILE|-|-|2023-03-27T03:47:08.884385609+00:00; Last Access Time; OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1 +1711612474|FILE|-|-|2024-03-28T07:54:34.785375326+00:00; Content Modification Time; OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1 +1711612474|FILE|-|-|2024-03-28T07:54:34.785375326+00:00; Metadata Modification Time; OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1 +1711612476|FILE|-|-|2024-03-28T07:54:36.751357520+00:00; Last Access Time; OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1 +1711612480|FILE|-|-|2024-03-28T07:54:40.393324534+00:00; Last Access Time; OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group 
identifier: 1000 Mode: 0o644 Number of links: 1 diff --git a/test_data/pinfo_test.plaso b/test_data/pinfo_test.plaso index 78053c291a..964c8010ec 100644 Binary files a/test_data/pinfo_test.plaso and b/test_data/pinfo_test.plaso differ diff --git a/test_data/psort_test.plaso b/test_data/psort_test.plaso index bb794abfc2..6a2fb3b021 100644 Binary files a/test_data/psort_test.plaso and b/test_data/psort_test.plaso differ diff --git a/test_data/NeroInfoTool.lnk b/test_data/winlnk/NeroInfoTool.lnk similarity index 100% rename from test_data/NeroInfoTool.lnk rename to test_data/winlnk/NeroInfoTool.lnk diff --git a/test_data/example.lnk b/test_data/winlnk/example.lnk similarity index 100% rename from test_data/example.lnk rename to test_data/winlnk/example.lnk diff --git a/test_data/unpaired_surrogate.lnk b/test_data/winlnk/unpaired_surrogate.lnk similarity index 100% rename from test_data/unpaired_surrogate.lnk rename to test_data/winlnk/unpaired_surrogate.lnk diff --git a/tests/analysis/test_lib.py b/tests/analysis/test_lib.py index f72ca24a02..8e66a23944 100644 --- a/tests/analysis/test_lib.py +++ b/tests/analysis/test_lib.py @@ -51,7 +51,8 @@ def _AnalyzeEvents( mediator.SetStorageWriter(storage_writer) for event, event_data, event_data_stream in test_events: - plugin.ExamineEvent(mediator, event, event_data, event_data_stream) + # TODO: add support for event_values. + plugin.ExamineEvent(mediator, event, event_data, event_data_stream, None) analysis_report = plugin.CompileReport(mediator) storage_writer.AddAttributeContainer(analysis_report) 
@@ -92,7 +93,8 @@ def _ParseAndAnalyzeFile(self, path_segments, parser, plugin): events.EventDataStream.CONTAINER_TYPE, event_data_stream_identifier) - plugin.ExamineEvent(mediator, event, event_data, event_data_stream) + # TODO: add support for event_values. + plugin.ExamineEvent(mediator, event, event_data, event_data_stream, None) analysis_report = plugin.CompileReport(mediator) storage_writer.AddAttributeContainer(analysis_report) diff --git a/tests/cli/pinfo_tool.py b/tests/cli/pinfo_tool.py index 2ef2f09a1b..eb18fc1fd9 100644 --- a/tests/cli/pinfo_tool.py +++ b/tests/cli/pinfo_tool.py @@ -150,10 +150,10 @@ def testGenerateFileHashesReportAsJSON(self): '{"file_hashes": [', (' {"sha256_hash": ' '"1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", ' - '"display_name": "OS:/tmp/test/test_data/syslog"},'), + '"display_name": "OS:/tmp/test/test_data/syslog/syslog"},'), (' {"sha256_hash": ' '"1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", ' - '"display_name": "OS:/tmp/test/test_data/syslog"}'), + '"display_name": "OS:/tmp/test/test_data/syslog/syslog"}'), ']}', ''] @@ -183,9 +183,9 @@ def testGenerateFileHashesReportAsMarkdown(self): 'SHA256 hash | Display name', '--- | ---', ('1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 | ' - 'OS:/tmp/test/test_data/syslog'), + 'OS:/tmp/test/test_data/syslog/syslog'), ('1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 | ' - 'OS:/tmp/test/test_data/syslog'), + 'OS:/tmp/test/test_data/syslog/syslog'), ''] output = output_writer.ReadOutput() 
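Review bot: `_ParseAndAnalyzeFile` still passes `None` as `event_values` to `plugin.ExamineEvent` under a `# TODO: add support for event_values.`, yet the same helper already resolves the event data stream from the storage writer with `GetAttributeContainerByIdentifier(events.EventDataStream.CONTAINER_TYPE, event_data_stream_identifier)` on the line just above, so the new argument could be populated the same way instead of deferred. If `EventData` exposes a getter matching the `SetEventValuesIdentifier` used in `tests/data/test_lib.py` — I cannot see one from here — the call could become `event_values = storage_writer.GetAttributeContainerByIdentifier(container_type, event_data.GetEventValuesIdentifier())`, with the container type derived from `event_data.data_type` once that mapping exists. Until then any tagging rule that only matches on event values (the `windows_shortcut` cases in `tests/data/tag_windows.py`) is not exercised through this path, which is worth stating in the TODO. The enclosing method starts outside the hunk.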
@@ -213,9 +213,9 @@ def testGenerateFileHashesReportAsText(self): expected_output = [ 'SHA256 hash\tDisplay name', ('1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4\t' - 'OS:/tmp/test/test_data/syslog'), + 'OS:/tmp/test/test_data/syslog/syslog'), ('1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4\t' - 'OS:/tmp/test/test_data/syslog'), + 'OS:/tmp/test/test_data/syslog/syslog'), ''] output = output_writer.ReadOutput() @@ -552,8 +552,8 @@ def testParseOptions(self): def testPrintStorageInformationAsJSON(self): """Tests the PrintStorageInformation function with JSON output format.""" test_filename = 'pinfo_test.plaso' - session_identifier = '0db86b5f-9176-4863-bf1e-9ac7ca632377' - session_start_time = '2023-03-27 03:47:24.091665' + session_identifier = '34895a64-9ddf-4e7d-be73-a9380cf2e930' + session_start_time = '2024-03-28 07:54:56.198184' test_file_path = self._GetTestFilePath([test_filename]) self._SkipIfPathNotExists(test_file_path) @@ -595,14 +595,14 @@ def testPrintStorageInformationAsJSON(self): def testPrintStorageInformationAsText(self): """Tests the PrintStorageInformation function with text output format.""" test_filename = 'pinfo_test.plaso' - format_version = '20230327' - plaso_version = '20230311' - session_identifier = '0db86b5f-9176-4863-bf1e-9ac7ca632377' - session_start_time = '2023-03-27T03:47:24.091665+00:00' - session_completion_time = '2023-03-27T03:47:32.596408+00:00' + format_version = '20240325' + plaso_version = '20240317' + session_identifier = '34895a64-9ddf-4e7d-be73-a9380cf2e930' + session_start_time = '2024-03-28T07:54:56.198184+00:00' + session_completion_time = '2024-03-28T07:55:04.476594+00:00' command_line_arguments = ( - './tools/log2timeline.py --partition=all --quiet ' + './plaso/scripts/log2timeline.py --partition=all --quiet ' '--storage-file pinfo_test.plaso test_data/tsk_volume_system.raw') enabled_parser_names = ', '.join([ 
@@ -653,6 +653,7 @@ def testPrintStorageInformationAsText(self): 'olecf/olecf_default', 'olecf/olecf_document_summary', 'olecf/olecf_summary', + 'onedrive_log', 'opera_global', 'opera_typed_history', 'pe', @@ -660,11 +661,16 @@ def testPrintStorageInformationAsText(self): 'plist/airport', 'plist/apple_id', 'plist/ios_carplay', + 'plist/ios_identityservices', 'plist/ipod_device', 'plist/launchd_plist', + 'plist/macos_background_items_plist', 'plist/macos_bluetooth', + 'plist/macos_install_history', + 'plist/macos_login_items_plist', + 'plist/macos_login_window_plist', 'plist/macos_software_update', - 'plist/macosx_install_history', + 'plist/macos_startup_item_plist', 'plist/macuser', 'plist/plist_default', 'plist/safari_downloads', @@ -677,6 +683,7 @@ def testPrintStorageInformationAsText(self): 'recycle_bin', 'recycle_bin_info2', 'rplog', + 'simatic_s7', 'spotlight_storedb', 'sqlite', 'sqlite/android_calls', @@ -691,12 +698,16 @@ def testPrintStorageInformationAsText(self): 'sqlite/chrome_autofill', 'sqlite/chrome_extension_activity', 'sqlite/dropbox', - 'sqlite/firefox_cookies', + 'sqlite/edge_load_statistics', + 'sqlite/firefox_10_cookies', + 'sqlite/firefox_118_downloads', + 'sqlite/firefox_2_cookies', 'sqlite/firefox_downloads', 'sqlite/firefox_history', 'sqlite/google_drive', 'sqlite/hangouts_messages', 'sqlite/imessage', + 'sqlite/ios_datausage', 'sqlite/ios_netusage', 'sqlite/ios_powerlog', 'sqlite/ios_screentime', @@ -716,6 +727,7 @@ def testPrintStorageInformationAsText(self): 'sqlite/twitter_android', 'sqlite/twitter_ios', 'sqlite/windows_eventtranscript', + 'sqlite/windows_push_notification', 'sqlite/windows_timeline', 'sqlite/zeitgeist', 'symantec_scanlog', @@ -736,8 +748,10 @@ def testPrintStorageInformationAsText(self): 'text/mac_appfirewall_log', 'text/mac_securityd', 'text/mac_wifi', + 'text/macos_launchd_log', 'text/popularity_contest', 'text/postgresql', + 'text/powershell_transcript', 'text/santa', 'text/sccm', 'text/selinux', 
@@ -757,9 +771,11 @@ def testPrintStorageInformationAsText(self): 'text/zsh_extended_history', 'trendmicro_url', 'trendmicro_vd', + 'unified_logging', 'usnjrnl', 'utmp', 'utmpx', + 'wincc_sys', 'windefender_history', 'winevt', 'winevtx', diff --git a/tests/cli/psort_tool.py b/tests/cli/psort_tool.py index 3d21a3805b..55d7881e22 100644 --- a/tests/cli/psort_tool.py +++ b/tests/cli/psort_tool.py @@ -280,7 +280,7 @@ def testProcessStorageWithMissingParameters(self): expected_line = ( '2013-12-31T17:54:32+00:00,Content Modification Time,LOG,Log File,' '[/sbin/anacron pid: 1234] Another one just like this (124 job run),' - 'text/syslog_traditional,OS:/tmp/test/test_data/syslog,-') + 'text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,-') self.assertIn(expected_line, lines) output_manager.OutputManager.DeregisterOutput( diff --git a/tests/containers/events.py b/tests/containers/events.py index 1ad30a3138..bc7a43e0ae 100644 --- a/tests/containers/events.py +++ b/tests/containers/events.py @@ -72,6 +72,7 @@ def testGetAttributeNames(self): expected_attribute_names = [ '_event_data_stream_identifier', '_event_values_hash', + '_event_values_identifier', '_parser_chain', 'data_type'] diff --git a/tests/containers/plist_event.py b/tests/containers/plist_event.py index 5333a10d58..f20a8c1183 100644 --- a/tests/containers/plist_event.py +++ b/tests/containers/plist_event.py @@ -19,6 +19,7 @@ def testGetAttributeNames(self): expected_attribute_names = [ '_event_data_stream_identifier', '_event_values_hash', + '_event_values_identifier', '_parser_chain', 'data_type', 'key', diff --git a/tests/containers/windows_events.py b/tests/containers/windows_events.py index b2c71f4309..598db68a01 100644 --- a/tests/containers/windows_events.py +++ b/tests/containers/windows_events.py 
@@ -22,6 +22,7 @@ def testGetAttributeNames(self): expected_attribute_names = [ '_event_data_stream_identifier', '_event_values_hash', + '_event_values_identifier', '_parser_chain', 'creation_time', 'data_type', @@ -44,6 +45,7 @@ def testGetAttributeNames(self): expected_attribute_names = [ '_event_data_stream_identifier', '_event_values_hash', + '_event_values_identifier', '_parser_chain', 'access_time', 'creation_time', @@ -71,6 +73,7 @@ def testGetAttributeNames(self): expected_attribute_names = [ '_event_data_stream_identifier', '_event_values_hash', + '_event_values_identifier', '_parser_chain', 'creation_time', 'data_type', diff --git a/tests/data/tag_linux.py b/tests/data/tag_linux.py index ac404c8c49..4ea808c951 100644 --- a/tests/data/tag_linux.py +++ b/tests/data/tag_linux.py @@ -302,27 +302,27 @@ def testRuleLogout(self): event_data.terminal = 'tty1' event_data.pid = 1 - storage_writer = self._TagEvent(event, event_data, None) + storage_writer = self._TagEvent(event, event_data, None, None) self._CheckLabels(storage_writer, []) event_data.type = 8 event_data.terminal = '' - storage_writer = self._TagEvent(event, event_data, None) + storage_writer = self._TagEvent(event, event_data, None, None) self._CheckLabels(storage_writer, []) event_data.terminal = 'tty1' event_data.pid = 0 - storage_writer = self._TagEvent(event, event_data, None) + storage_writer = self._TagEvent(event, event_data, None, None) self._CheckLabels(storage_writer, []) event_data.pid = 1 - storage_writer = self._TagEvent(event, event_data, None) + storage_writer = self._TagEvent(event, event_data, None, None) self._CheckLabels(storage_writer, ['logout']) diff --git a/tests/data/tag_macos.py b/tests/data/tag_macos.py index 58fc90f3f8..7e0997c468 100644 --- a/tests/data/tag_macos.py +++ b/tests/data/tag_macos.py 
@@ -66,14 +66,14 @@ def testRuleAutorun(self): event_data = filestat.FileStatEventData() event_data.filename = '/LaunchDaemons/test.plist' - storage_writer = self._TagEvent(event, event_data, None) + storage_writer = self._TagEvent(event, event_data, None, None) self._CheckLabels(storage_writer, []) event_data = filestat.FileStatEventData() event_data.filename = '/LaunchAgents/test.plist' - storage_writer = self._TagEvent(event, event_data, None) + storage_writer = self._TagEvent(event, event_data, None, None) self._CheckLabels(storage_writer, ['autorun']) @@ -98,13 +98,13 @@ def testRuleFileDownload(self): event_data = filestat.FileStatEventData() - storage_writer = self._TagEvent(event, event_data, None) + storage_writer = self._TagEvent(event, event_data, None, None) self._CheckLabels(storage_writer, []) event.timestamp_desc = 'Downloaded Time' - storage_writer = self._TagEvent(event, event_data, None) + storage_writer = self._TagEvent(event, event_data, None, None) self._CheckLabels(storage_writer, ['file_download']) @@ -134,13 +134,13 @@ def testRuleDocumentPrint(self): event_data = summary.OLECFSummaryInformationEventData() - storage_writer = self._TagEvent(event, event_data, None) + storage_writer = self._TagEvent(event, event_data, None, None) self._CheckLabels(storage_writer, []) event.timestamp_desc = definitions.TIME_DESCRIPTION_LAST_PRINTED - storage_writer = self._TagEvent(event, event_data, None) + storage_writer = self._TagEvent(event, event_data, None, None) self._CheckLabels(storage_writer, ['document_print']) diff --git a/tests/data/tag_windows.py b/tests/data/tag_windows.py index 6ae8973e57..0627b25030 100644 --- a/tests/data/tag_windows.py +++ b/tests/data/tag_windows.py @@ -9,7 +9,6 @@ from plaso.parsers import filestat from plaso.parsers import winevt from plaso.parsers import winevtx -from plaso.parsers import winlnk from plaso.parsers import winjob from plaso.parsers import winprefetch from plaso.parsers.bencode_plugins import utorrent 
@@ -80,22 +79,22 @@ def testApplicationExecution(self): attribute_values_per_name = { 'filename': ['Recent'], 'local_path': ['file.exe']} - self._CheckTaggingRule( - winlnk.WinLnkLinkEventData, attribute_values_per_name, + self._CheckTaggingRuleFromAttributeContainer( + 'windows:lnk:link', 'windows_shortcut', attribute_values_per_name, ['application_execution']) attribute_values_per_name = { 'filename': ['Recent'], 'network_path': ['file.exe']} - self._CheckTaggingRule( - winlnk.WinLnkLinkEventData, attribute_values_per_name, + self._CheckTaggingRuleFromAttributeContainer( + 'windows:lnk:link', 'windows_shortcut', attribute_values_per_name, ['application_execution']) attribute_values_per_name = { 'filename': ['Recent'], 'relative_path': ['file.exe']} - self._CheckTaggingRule( - winlnk.WinLnkLinkEventData, attribute_values_per_name, + self._CheckTaggingRuleFromAttributeContainer( + 'windows:lnk:link', 'windows_shortcut', attribute_values_per_name, ['application_execution']) # Test: data_type is 'windows:prefetch:execution' @@ -122,14 +121,14 @@ def testApplicationExecution(self): # Set timestamp to 0 otherwise document_open rule triggers. event.timestamp = 0 - storage_writer = self._TagEvent(event, event_data, None) + storage_writer = self._TagEvent(event, event_data, None, None) self._CheckLabels(storage_writer, []) event.timestamp = self._TEST_TIMESTAMP event_data.entries = 'Index: 0 [MRU Value a]: file.exe' - storage_writer = self._TagEvent(event, event_data, None) + storage_writer = self._TagEvent(event, event_data, None, None) self._CheckLabels(storage_writer, ['application_execution']) 
@@ -141,14 +140,14 @@ def testApplicationExecution(self): # Set timestamp to 0 otherwise document_open rule triggers. event.timestamp = 0 - storage_writer = self._TagEvent(event, event_data, None) + storage_writer = self._TagEvent(event, event_data, None, None) self._CheckLabels(storage_writer, []) event.timestamp = self._TEST_TIMESTAMP event_data.entries = 'Index: 0 [MRU Value 1]: file.exe' - storage_writer = self._TagEvent(event, event_data, None) + storage_writer = self._TagEvent(event, event_data, None, None) self._CheckLabels(storage_writer, ['application_execution']) @@ -220,13 +219,13 @@ def testDocumentOpen(self): event.timestamp = 0 - storage_writer = self._TagEvent(event, event_data, None) + storage_writer = self._TagEvent(event, event_data, None, None) self._CheckLabels(storage_writer, []) event.timestamp = self._TEST_TIMESTAMP - storage_writer = self._TagEvent(event, event_data, None) + storage_writer = self._TagEvent(event, event_data, None, None) self._CheckLabels(storage_writer, ['document_open']) @@ -241,13 +240,13 @@ def testDocumentOpen(self): event.timestamp = 0 - storage_writer = self._TagEvent(event, event_data, None) + storage_writer = self._TagEvent(event, event_data, None, None) self._CheckLabels(storage_writer, []) event.timestamp = self._TEST_TIMESTAMP - storage_writer = self._TagEvent(event, event_data, None) + storage_writer = self._TagEvent(event, event_data, None, None) self._CheckLabels(storage_writer, ['document_open']) @@ -589,13 +588,13 @@ def testFileDownload(self): event_data = utorrent.UTorrentEventData() - storage_writer = self._TagEvent(event, event_data, None) + storage_writer = self._TagEvent(event, event_data, None, None) self._CheckLabels(storage_writer, []) event.timestamp_desc = 'Downloaded Time' - storage_writer = self._TagEvent(event, event_data, None) + storage_writer = self._TagEvent(event, event_data, None, None) self._CheckLabels(storage_writer, ['file_download']) 
@@ -609,13 +608,13 @@ def testDocumentPrint(self): event_data = summary.OLECFSummaryInformationEventData() - storage_writer = self._TagEvent(event, event_data, None) + storage_writer = self._TagEvent(event, event_data, None, None) self._CheckLabels(storage_writer, []) event.timestamp_desc = definitions.TIME_DESCRIPTION_LAST_PRINTED - storage_writer = self._TagEvent(event, event_data, None) + storage_writer = self._TagEvent(event, event_data, None, None) self._CheckLabels(storage_writer, ['document_print']) diff --git a/tests/data/test_lib.py b/tests/data/test_lib.py index 0986313032..8f4b8dcc0e 100644 --- a/tests/data/test_lib.py +++ b/tests/data/test_lib.py @@ -1,6 +1,8 @@ # -*- coding: utf-8 -*- """Data files related functions and classes for testing.""" +from acstore.containers import manager as containers_manager + from plaso.analysis import mediator as analysis_mediator from plaso.analysis import tagging from plaso.containers import events @@ -13,6 +15,8 @@ class TaggingFileTestCase(shared_test_lib.BaseTestCase): """The unit test case for a tagging file.""" + _CONTAINERS_MANAGER = containers_manager.AttributeContainersManager + _TAG_FILE = None _TEST_TIMESTAMP = shared_test_lib.CopyTimestampFromString( @@ -53,7 +57,7 @@ def _CheckTaggingRule( if not attribute_values_per_name: event_data = event_data_class() - storage_writer = self._TagEvent(event, event_data, None) + storage_writer = self._TagEvent(event, event_data, None, None) self._CheckLabels(storage_writer, expected_rule_names) @@ -74,7 +78,7 @@ def _CheckTaggingRule( attribute_value = attribute_values[attribute_value_index] setattr(event_data, attribute_name, attribute_value) - storage_writer = self._TagEvent(event, event_data, None) + storage_writer = self._TagEvent(event, event_data, None, None) self._CheckLabels(storage_writer, expected_rule_names) 
@@ -92,17 +96,85 @@ def _CheckTaggingRule( attribute_value = attribute_values[0] setattr(event_data, attribute_name, attribute_value) - storage_writer = self._TagEvent(event, event_data, None) + storage_writer = self._TagEvent(event, event_data, None, None) + + self._CheckLabels(storage_writer, []) + + def _CheckTaggingRuleFromAttributeContainer( + self, data_type, container_type, attribute_values_per_name, + expected_rule_names): + """Tests a tagging rule from an event values attribute container. + + Args: + data_type (str): event data type. + container_type (str): event values attribute container type. + attribute_values_per_name (dict[str, list[str]): values of the event data + attribute values per name, to use for testing events that match the + tagging rule. + expected_rule_names (list[str]): expected rule names. + """ + event_values = self._CONTAINERS_MANAGER.CreateAttributeContainer( + container_type) + event_values_identifier = event_values.GetIdentifier() + + # TODO: lookup data_type based on container_type + + event_data = events.EventData(data_type=data_type) + event_data.SetEventValuesIdentifier(event_values_identifier) + + event = events.EventObject() + event.timestamp = self._TEST_TIMESTAMP + event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN + + if not attribute_values_per_name: + storage_writer = self._TagEvent(event, event_data, None, event_values) + + self._CheckLabels(storage_writer, expected_rule_names) + + else: + maximum_number_of_attribute_values = max( + len(attribute_values) + for attribute_values in attribute_values_per_name.values()) + + # Test if variations defined by the attribute_values_per_name match the + # tagging rule. + for test_index in range(maximum_number_of_attribute_values): + # Create the test event data and set the attributes to one of the test + # values. 
+ for attribute_name, attribute_values in ( + attribute_values_per_name.items()): + attribute_value_index = min(test_index, len(attribute_values) - 1) + attribute_value = attribute_values[attribute_value_index] + setattr(event_values, attribute_name, attribute_value) + + storage_writer = self._TagEvent(event, event_data, None, event_values) + + self._CheckLabels(storage_writer, expected_rule_names) + + # Test if bogus variations on attribute_values_per_name do not match the + # tagging rule. + for test_attribute_name in attribute_values_per_name.keys(): + # Test event data and set the attributes to one of the test values. + for attribute_name, attribute_values in ( + attribute_values_per_name.items()): + if attribute_name == test_attribute_name: + attribute_value = 'BOGUS' + else: + attribute_value = attribute_values[0] + setattr(event_values, attribute_name, attribute_value) + + storage_writer = self._TagEvent(event, event_data, None, event_values) self._CheckLabels(storage_writer, []) - def _TagEvent(self, event, event_data, event_data_stream): + def _TagEvent(self, event, event_data, event_data_stream, event_values): """Tags an event. Args: event (Event): event. event_data (EventData): event data. event_data_stream (EventDataStream): event data stream. + event_values (AttributeContainer): event values attribute container. Returns: FakeStorageWriter: storage writer. @@ -121,6 +193,11 @@ def _TagEvent(self, event, event_data, event_data_stream): event_data_stream_identifier = event_data_stream.GetIdentifier() event_data.SetEventDataStreamIdentifier(event_data_stream_identifier) + if event_values: + storage_writer.AddAttributeContainer(event_values) + event_values_identifier = event_values.GetIdentifier() + event_data.SetEventValuesIdentifier(event_values_identifier) + storage_writer.AddAttributeContainer(event_data) event_data_identifier = event_data.GetIdentifier() event.SetEventDataIdentifier(event_data_identifier) 
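Review bot: In `_CheckTaggingRuleFromAttributeContainer` the lines `event_values_identifier = event_values.GetIdentifier()` and `event_data.SetEventValuesIdentifier(event_values_identifier)` run before the container has been added to any storage writer, and `_TagEvent` repeats both after `storage_writer.AddAttributeContainer(event_values)`; the early pair is therefore redundant at best and stores whatever a fresh container reports as its identifier at worst, so dropping it leaves a single source of truth. The docstring has an unbalanced bracket: `attribute_values_per_name (dict[str, list[str]):` should read `attribute_values_per_name (dict[str, list[str]]):`. The `# TODO: lookup data_type based on container_type` also deserves resolving before more call sites appear, because the pair is currently hand-written at every call in `tests/data/tag_windows.py` and a mismatched pair silently yields a test whose rule never matches rather than a failure. The enclosing class starts outside the hunk.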
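Review bot: The new guard `if event_values:` in `_TagEvent` tests the attribute container for truthiness rather than for presence; the docstring documents the parameter as an `AttributeContainer`, and if that type defines `__len__` or `__bool__` (not visible here) an intentionally empty container would be skipped and the event data would never receive an event values identifier, making the tagging check pass or fail for the wrong reason. Prefer `if event_values is not None:` so the intent reads as "caller supplied a container". The surrounding `event_data_stream` handling that this mirrors appears to start above the hunk; `_TagEvent` itself ends outside it.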
@@ -132,7 +209,8 @@ def _TagEvent(self, event, event_data, event_data_stream): plugin = tagging.TaggingAnalysisPlugin() plugin.SetAndLoadTagFile(tag_file_path) - plugin.ExamineEvent(mediator, event, event_data, event_data_stream) + plugin.ExamineEvent( + mediator, event, event_data, event_data_stream, event_values) analysis_report = plugin.CompileReport(mediator) storage_writer.AddAttributeContainer(analysis_report) diff --git a/tests/filters/event_filter.py b/tests/filters/event_filter.py index e78d96d397..b15a2bde47 100644 --- a/tests/filters/event_filter.py +++ b/tests/filters/event_filter.py @@ -51,7 +51,7 @@ def testMatch(self): event = events.EventObject() event.timestamp = 1608735600000000 - result = test_filter.Match(event, None, None, None) + result = test_filter.Match(event, None, None, None, None) self.assertTrue(result) test_filter = event_filter.EventObjectFilter() @@ -60,12 +60,12 @@ def testMatch(self): event_data = events.EventData() event_data.filename = '/usr/local/etc/issue' - result = test_filter.Match(None, event_data, None, None) + result = test_filter.Match(None, event_data, None, None, None) self.assertTrue(result) event_data.filename = '/etc/issue.net' - result = test_filter.Match(None, event_data, None, None) + result = test_filter.Match(None, event_data, None, None, None) self.assertFalse(result) diff --git a/tests/filters/expression_parser.py b/tests/filters/expression_parser.py index b6d0544d13..5bcc078937 100644 --- a/tests/filters/expression_parser.py +++ b/tests/filters/expression_parser.py @@ -72,8 +72,8 @@ class EventFilterExpressionParserTest(shared_test_lib.BaseTestCase): 'timestamp_desc': 'Last Written'}] def _CheckIfExpressionMatches( - self, expression, event, event_data, event_data_stream, event_tag, - expected_result): + self, expression, event, event_data, event_data_stream, event_values, + event_tag, expected_result): """Checks if the event filter expression matches the event values. Args: 
@@ -81,6 +81,7 @@ def _CheckIfExpressionMatches( event (EventObject): event. event_data (EventData): event data. event_data_stream (EventDataStream): event data stream. + event_values (AttributeContainer): event values attribute container. event_tag (EventTag): event tag. expected_result (bool): expected result. """ @@ -89,7 +90,7 @@ def _CheckIfExpressionMatches( event_filter = expression.Compile() result = event_filter.Matches( - event, event_data, event_data_stream, event_tag) + event, event_data, event_data_stream, event_values, event_tag) self.assertEqual(expected_result, result) # TODO: add tests for _AddArgument 
@@ -391,30 +392,34 @@ def testParseWithEvents(self): event_tag = events.EventTag() event_tag.AddLabel('browser_search') + # TODO: add support for event_values. self._CheckIfExpressionMatches( - 'filename contains \'GoodFella\'', event, event_data, None, event_tag, - True) + 'filename contains \'GoodFella\'', event, event_data, None, None, + event_tag, True) # Test timestamp filtering. self._CheckIfExpressionMatches( - 'timestamp >= \'2015-11-18\'', event, event_data, None, event_tag, True) + 'timestamp >= \'2015-11-18\'', event, event_data, None, None, + event_tag, True) self._CheckIfExpressionMatches( - 'timestamp < \'2015-11-19\'', event, event_data, None, event_tag, True) + 'timestamp < \'2015-11-19\'', event, event_data, None, None, + event_tag, True) expression = ( 'timestamp < \'2015-11-18T01:15:44.341\' and ' 'timestamp > \'2015-11-18 01:15:42\'') self._CheckIfExpressionMatches( - expression, event, event_data, None, event_tag, True) + expression, event, event_data, None, None, event_tag, True) self._CheckIfExpressionMatches( - 'timestamp > \'2015-11-19\'', event, event_data, None, event_tag, False) + 'timestamp > \'2015-11-19\'', event, event_data, None, None, + event_tag, False) # Perform few attribute tests. self._CheckIfExpressionMatches( - 'filename not contains \'sometext\'', event, event_data, None, + 'filename not contains \'sometext\'', event, event_data, None, None, event_tag, True) expression = ( 
@@ -422,16 +427,16 @@ def testParseWithEvents(self): 'AND timestamp < \'2015-11-25 12:56:21\'') self._CheckIfExpressionMatches( - expression, event, event_data, None, event_tag, True) + expression, event, event_data, None, None, event_tag, True) self._CheckIfExpressionMatches( - 'tag contains \'browser_search\'', event, event_data, None, event_tag, - True) + 'tag contains \'browser_search\'', event, event_data, None, None, + event_tag, True) # Test multiple attributes. self._CheckIfExpressionMatches( 'text iregexp \'bad, bad thing [a-zA-Z\\\\s.]+ evil\'', event, - event_data, None, event_tag, True) + event_data, None, None, event_tag, True) if __name__ == "__main__": diff --git a/tests/filters/filters.py b/tests/filters/filters.py index 22ad1d337c..c77c0ff401 100644 --- a/tests/filters/filters.py +++ b/tests/filters/filters.py @@ -1,4 +1,4 @@ -#!/usr/bin/env python3 + # -*- coding: utf-8 -*- """Tests for the event filter expression parser filter classes.""" @@ -15,13 +15,15 @@ class FalseFilter(filters.Operator): """A filter which always evaluates to False for testing.""" - def Matches(self, event, event_data, event_data_stream, event_tag): + def Matches( + self, event, event_data, event_data_stream, event_values, event_tag): """Determines if the event, data and tag match the filter. Args: event (EventObject): event to compare against the filter. event_data (EventData): event data to compare against the filter. event_data_stream (EventDataStream): event data stream. + event_values (AttributeContainer): event values attribute container. event_tag (EventTag): event tag to compare against the filter. Returns: 
@@ -33,13 +35,15 @@ def Matches(self, event, event_data, event_data_stream, event_tag): class TrueFilter(filters.Operator): """A filter which always evaluates to True for testing.""" - def Matches(self, event, event_data, event_data_stream, event_tag): + def Matches( + self, event, event_data, event_data_stream, event_values, event_tag): """Determines if the event, data and tag match the filter. Args: event (EventObject): event to compare against the filter. event_data (EventData): event data to compare against the filter. event_data_stream (EventDataStream): event data stream. + event_values (AttributeContainer): event values attribute container. event_tag (EventTag): event tag to compare against the filter. Returns: @@ -98,13 +102,13 @@ def testMatches(self): filter_object = filters.AndFilter(arguments=[ true_filter_object, true_filter_object]) - result = filter_object.Matches(event, event_data, None, None) + result = filter_object.Matches(event, event_data, None, None, None) self.assertTrue(result) filter_object = filters.AndFilter(arguments=[ false_filter_object, true_filter_object]) - result = filter_object.Matches(event, event_data, None, None) + result = filter_object.Matches(event, event_data, None, None, None) self.assertFalse(result) @@ -128,13 +132,13 @@ def testMatches(self): filter_object = filters.OrFilter(arguments=[ false_filter_object, true_filter_object]) - result = filter_object.Matches(event, event_data, None, None) + result = filter_object.Matches(event, event_data, None, None, None) self.assertTrue(result) filter_object = filters.OrFilter(arguments=[ false_filter_object, false_filter_object]) - result = filter_object.Matches(event, event_data, None, None) + result = filter_object.Matches(event, event_data, None, None, None) self.assertFalse(result) 
@@ -154,7 +158,7 @@ def testMatches(self): filter_object = filters.IdentityFilter() - result = filter_object.Matches(event, event_data, None, None) + result = filter_object.Matches(event, event_data, None, None, None) self.assertTrue(result) @@ -194,16 +198,16 @@ def testGetValue(self): filter_object = filters.GenericBinaryOperator(arguments=['test_value', 1]) test_value = filter_object._GetValue( - 'test_value', event, event_data, None, event_tag) + 'test_value', event, event_data, None, None, event_tag) self.assertEqual(test_value, 1) test_value = filter_object._GetValue( - 'timestamp', event, event_data, None, event_tag) + 'timestamp', event, event_data, None, None, event_tag) self.assertIsNotNone(test_value) self.assertEqual(test_value.timestamp, 5134324321) test_value = filter_object._GetValue( - 'tag', event, event_data, None, event_tag) + 'tag', event, event_data, None, None, event_tag) self.assertEqual(test_value, ['browser_search']) # TODO: add tests for FlipBool function diff --git a/tests/multi_process/analysis_process.py b/tests/multi_process/analysis_process.py index b8a7897166..ddcb327bda 100644 --- a/tests/multi_process/analysis_process.py +++ b/tests/multi_process/analysis_process.py 
@@ -21,30 +21,35 @@ class TestAnalysisPlugin(analysis_interface.AnalysisPlugin): NAME = 'test_plugin' - # pylint: disable=arguments-renamed - # pylint: disable=unused-argument - def CompileReport(self, mediator): + # pylint: disable=redundant-returns-doc,unused-argument + + def CompileReport(self, analysis_mediator): """Compiles a report of the analysis. - After the plugin has received every copy of an event to - analyze this function will be called so that the report - can be assembled. + After the plugin has received every copy of an event to analyze this + function will be called so that the report can be assembled. Args: - mediator (AnalysisMediator): mediates interactions between - analysis plugins and other components, such as storage and dfvfs. + analysis_mediator (AnalysisMediator): mediates interactions between + analysis plugins and other components, such as storage and dfVFS. + + Returns: + AnalysisReport: report. """ - return + return None - def ExamineEvent(self, mediator, event, event_data, event_data_stream): + def ExamineEvent( + self, analysis_mediator, event, event_data, event_data_stream, + event_values): """Analyzes an event. Args: - mediator (AnalysisMediator): mediates interactions between analysis - plugins and other components, such as storage and dfvfs. + analysis_mediator (AnalysisMediator): mediates interactions between + analysis plugins and other components, such as storage and dfVFS. event (EventObject): event. event_data (EventData): event data. event_data_stream (EventDataStream): event data stream. + event_values (AttributeContainer): event values attribute container. """ return diff --git a/tests/multi_process/output_engine.py b/tests/multi_process/output_engine.py index 0977a5a35f..77ae8b0a49 100644 --- a/tests/multi_process/output_engine.py +++ b/tests/multi_process/output_engine.py 
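Review bot: The new `Returns:` section on CompileReport documents `AnalysisReport: report` while the stub body is `return None`, which is why `redundant-returns-doc` now has to be disabled for the whole class. For a test double it is clearer to document what actually happens, e.g. `AnalysisReport: always None, since this test plugin produces no report.`, so a reader does not go looking for a report that is never built. With that wording the class-level disable can shrink back to `unused-argument`.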
@@ -339,7 +339,7 @@ def testExportEvents(self): 'Log File,' '[---] last message repeated 5 times ---,' 'text/syslog_traditional,' - 'OS:/tmp/test/test_data/syslog,' + 'OS:/tmp/test/test_data/syslog/syslog,' 'repeated') self.assertEqual(lines[14], expected_line) diff --git a/tests/parsers/custom_destinations.py b/tests/parsers/custom_destinations.py index 868bcf7152..df6ace5b24 100644 --- a/tests/parsers/custom_destinations.py +++ b/tests/parsers/custom_destinations.py @@ -19,6 +19,10 @@ def testParse(self): ['custom_destinations', '5afe4de1b92fc382.customDestinations-ms'], parser) + number_of_containers = storage_writer.GetNumberOfAttributeContainers( + 'windows_shortcut') + self.assertEqual(number_of_containers, 9) + number_of_event_data = storage_writer.GetNumberOfAttributeContainers( 'event_data') self.assertEqual(number_of_event_data, 45) @@ -38,11 +42,11 @@ def testParse(self): '{DE3895CB-077B-4C38-B6E3-F3DE1E0D84FC} %systemroot%\\\\' 'system32\\\\control.exe /name Microsoft.Display'), 'creation_time': '2009-07-13T23:55:56.2481035+00:00', - 'data_type': 'windows:lnk:link', 'description': '@%systemroot%\\\\system32\\\\oobefldr.dll,-1262', 'drive_serial_number': 0x24ba718b, 'drive_type': 3, - 'env_var_location': '%SystemRoot%\\\\system32\\\\GettingStarted.exe', + 'environment_variables_location': ( + '%SystemRoot%\\\\system32\\\\GettingStarted.exe'), 'file_attribute_flags': 0x00000020, 'file_size': 11776, 'icon_location': '%systemroot%\\\\system32\\\\display.dll', 
@@ -51,11 +55,18 @@ def testParse(self): 'local_path': 'C:\\\\Windows\\\\System32\\\\GettingStarted.exe', 'modification_time': '2009-07-14T01:39:11.3880000+00:00'} + event_values = storage_writer.GetAttributeContainerByIndex( + 'windows_shortcut', 8) + self.CheckEventValues(event_values, expected_event_values) + + expected_event_data = { + 'data_type': 'windows:lnk:link'} + event_data = storage_writer.GetAttributeContainerByIndex('event_data', 43) - self.CheckEventData(event_data, expected_event_values) + self.CheckEventData(event_data, expected_event_data) # Test distributed link tracking event data. - expected_event_values = { + expected_event_data = { 'creation_time': '2010-11-10T19:08:32.6562596+00:00', 'data_type': 'windows:distributed_link_tracking:creation', 'mac_address': '00:0c:29:03:1e:1e', @@ -63,10 +74,10 @@ def testParse(self): 'uuid': 'e9215b24-ecfd-11df-a81c-000c29031e1e'} event_data = storage_writer.GetAttributeContainerByIndex('event_data', 4) - self.CheckEventData(event_data, expected_event_values) + self.CheckEventData(event_data, expected_event_data) # Test shell item event data. - expected_event_values = { + expected_event_data = { 'access_time': '2010-11-10T07:41:04+00:00', 'creation_time': '2009-07-14T03:20:12+00:00', 'data_type': 'windows:shell_item:file_entry', @@ -78,7 +89,7 @@ def testParse(self): 'shell_item_path': ' C:\\\\Windows\\\\System32'} event_data = storage_writer.GetAttributeContainerByIndex('event_data', 41) - self.CheckEventData(event_data, expected_event_values) + self.CheckEventData(event_data, expected_event_data) def testParseWithEmpty(self): """Tests the Parse function with an empty jump list.""" 
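Review bot: The rewritten assertions in testParse fetch `windows_shortcut` index 8 and `event_data` index 43 independently, so nothing in the test verifies that the shortcut values being checked belong to the `windows:lnk:link` event data checked right after — before this change both sets of attributes were asserted on a single container. If the storage writer exposes the link between them (the `_event_values_identifier` attribute that tests/parsers/winreg_plugins/windows_version.py now expects on event data suggests it does), one assertion tying the two containers together would restore that coverage. The same gap applies to testParseWithComplex further down in this file, to both tests in tests/parsers/olecf_plugins/automatic_destinations.py, and to the three tests in tests/parsers/winlnk.py.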
@@ -87,6 +98,10 @@ def testParseWithEmpty(self): ['custom_destinations', 'c98dce577f884ef8.customDestinations-ms'], parser) + number_of_containers = storage_writer.GetNumberOfAttributeContainers( + 'windows_shortcut') + self.assertEqual(number_of_containers, 0) + number_of_event_data = storage_writer.GetNumberOfAttributeContainers( 'event_data') self.assertEqual(number_of_event_data, 0) @@ -106,6 +121,10 @@ def testParseWithComplex(self): ['custom_destinations', '368d807282ccde9d.customDestinations-ms'], parser) + number_of_containers = storage_writer.GetNumberOfAttributeContainers( + 'windows_shortcut') + self.assertEqual(number_of_containers, 3) + number_of_event_data = storage_writer.GetNumberOfAttributeContainers( 'event_data') self.assertEqual(number_of_event_data, 9) @@ -118,7 +137,7 @@ def testParseWithComplex(self): 'recovery_warning') self.assertEqual(number_of_warnings, 0) - expected_event_values = { + expected_event_data = { 'access_time': '2024-01-16T06:12:42+00:00', 'creation_time': '2023-07-12T18:11:20+00:00', 'data_type': 'windows:shell_item:file_entry', @@ -130,17 +149,16 @@ def testParseWithComplex(self): 'shell_item_path': ' C:\\\\test'} event_data = storage_writer.GetAttributeContainerByIndex('event_data', 0) - self.CheckEventData(event_data, expected_event_values) + self.CheckEventData(event_data, expected_event_data) expected_event_values = { 'access_time': '2024-01-16T06:12:41.2400523+00:00', 'command_line_arguments': 'My Arguments', 'creation_time': '2023-07-12T18:11:18.2749654+00:00', - 'data_type': 'windows:lnk:link', 'description': None, 'drive_serial_number': 0x2ca3d1ae, 'drive_type': 3, - 'env_var_location': None, + 'environment_variables_location': None, 'file_attribute_flags': 0x00000010, 'file_size': 4096, 'icon_location': 'My Icon', 
@@ -148,10 +166,17 @@ def testParseWithComplex(self): 'local_path': 'C:\\\\test', 'modification_time': '2023-07-14T04:04:00.3349887+00:00'} + event_values = storage_writer.GetAttributeContainerByIndex( + 'windows_shortcut', 0) + self.CheckEventValues(event_values, expected_event_values) + + expected_event_data = { + 'data_type': 'windows:lnk:link'} + event_data = storage_writer.GetAttributeContainerByIndex('event_data', 1) - self.CheckEventData(event_data, expected_event_values) + self.CheckEventData(event_data, expected_event_data) - expected_event_values = { + expected_event_data = { 'creation_time': '2023-07-12T18:06:36.6282931+00:00', 'data_type': 'windows:distributed_link_tracking:creation', 'mac_address': '52:54:00:ee:b6:05', @@ -159,7 +184,7 @@ def testParseWithComplex(self): 'uuid': 'd78dbcb3-20de-11ee-a2f8-525400eeb605'} event_data = storage_writer.GetAttributeContainerByIndex('event_data', 2) - self.CheckEventData(event_data, expected_event_values) + self.CheckEventData(event_data, expected_event_data) if __name__ == '__main__': diff --git a/tests/parsers/olecf_plugins/automatic_destinations.py b/tests/parsers/olecf_plugins/automatic_destinations.py index d00b99048b..7b7f4b2970 100644 --- a/tests/parsers/olecf_plugins/automatic_destinations.py +++ b/tests/parsers/olecf_plugins/automatic_destinations.py @@ -24,6 +24,10 @@ def testProcessVersion1(self): # windows:lnk:link 33 # windows:distributed_link_tracking:creation: 44 + number_of_containers = storage_writer.GetNumberOfAttributeContainers( + 'windows_shortcut') + self.assertEqual(number_of_containers, 11) + number_of_event_data = storage_writer.GetNumberOfAttributeContainers( 'event_data') self.assertEqual(number_of_event_data, 55) 
@@ -37,7 +41,7 @@ def testProcessVersion1(self): self.assertEqual(number_of_warnings, 0) # Check a AutomaticDestinationsDestListEntryEvent. - expected_event_values = { + expected_event_data = { 'birth_droid_file_identifier': '{63eea867-7b85-11e1-8950-005056a50b40}', 'birth_droid_volume_identifier': ( '{cf6619c2-66a8-44a6-8849-1582fcd3a338}'), @@ -52,13 +56,12 @@ def testProcessVersion1(self): 'pin_status': -1} event_data = storage_writer.GetAttributeContainerByIndex('event_data', 4) - self.CheckEventData(event_data, expected_event_values) + self.CheckEventData(event_data, expected_event_data) # Check a WinLnkLinkEvent. expected_event_values = { 'access_time': '2010-11-10T07:51:23.1085000+00:00', 'creation_time': '2010-11-10T07:51:16.7491250+00:00', - 'data_type': 'windows:lnk:link', 'drive_serial_number': 0x24ba718b, 'drive_type': 3, 'file_attribute_flags': 0x00002020, @@ -69,11 +72,18 @@ def testProcessVersion1(self): 'Windows\\\\Libraries\\\\Documents.library-ms'), 'modification_time': '2010-11-10T07:51:23.1085000+00:00'} + event_values = storage_writer.GetAttributeContainerByIndex( + 'windows_shortcut', 0) + self.CheckEventValues(event_values, expected_event_values) + + expected_event_data = { + 'data_type': 'windows:lnk:link'} + event_data = storage_writer.GetAttributeContainerByIndex('event_data', 0) - self.CheckEventData(event_data, expected_event_values) + self.CheckEventData(event_data, expected_event_data) # Check a WindowsDistributedLinkTrackingCreationEvent. - expected_event_values = { + expected_event_data = { 'creation_time': '2012-03-31T23:01:03.5277415+00:00', 'data_type': 'windows:distributed_link_tracking:creation', 'mac_address': '00:50:56:a5:0b:40', 
@@ -81,7 +91,7 @@ def testProcessVersion1(self): 'uuid': '63eea867-7b85-11e1-8950-005056a50b40'} event_data = storage_writer.GetAttributeContainerByIndex('event_data', 3) - self.CheckEventData(event_data, expected_event_values) + self.CheckEventData(event_data, expected_event_data) def testProcessVersion3(self): """Tests the Process function on version 3 .automaticDestinations-ms.""" @@ -94,6 +104,10 @@ def testProcessVersion3(self): # olecf:dest_list:entry: 2 # windows:lnk:link 2 + number_of_containers = storage_writer.GetNumberOfAttributeContainers( + 'windows_shortcut') + self.assertEqual(number_of_containers, 2) + number_of_event_data = storage_writer.GetNumberOfAttributeContainers( 'event_data') self.assertEqual(number_of_event_data, 4) @@ -107,7 +121,7 @@ def testProcessVersion3(self): self.assertEqual(number_of_warnings, 0) # Check a AutomaticDestinationsDestListEntryEvent. - expected_event_values = { + expected_event_data = { 'birth_droid_file_identifier': '{00000000-0000-0000-0000-000000000000}', 'birth_droid_volume_identifier': ( '{00000000-0000-0000-0000-000000000000}'), @@ -122,13 +136,12 @@ def testProcessVersion3(self): 'pin_status': -1} event_data = storage_writer.GetAttributeContainerByIndex('event_data', 1) - self.CheckEventData(event_data, expected_event_values) + self.CheckEventData(event_data, expected_event_data) # Check a WinLnkLinkEvent. expected_event_values = { 'access_time': None, 'creation_time': None, - 'data_type': 'windows:lnk:link', 'drive_serial_number': None, 'drive_type': None, 'file_attribute_flags': 0, 
@@ -137,8 +150,15 @@ def testProcessVersion3(self): 'local_path': None, 'modification_time': None} + event_values = storage_writer.GetAttributeContainerByIndex( + 'windows_shortcut', 0) + self.CheckEventValues(event_values, expected_event_values) + + expected_event_data = { + 'data_type': 'windows:lnk:link'} + event_data = storage_writer.GetAttributeContainerByIndex('event_data', 0) - self.CheckEventData(event_data, expected_event_values) + self.CheckEventData(event_data, expected_event_data) if __name__ == '__main__': diff --git a/tests/parsers/test_lib.py b/tests/parsers/test_lib.py index 1e2afe8963..6eb1109adf 100644 --- a/tests/parsers/test_lib.py +++ b/tests/parsers/test_lib.py 
@@ -177,38 +177,29 @@ def CheckEventData(self, event_data, expected_event_values): 'event value: "{0:s}" does not match expected value').format(name) self.assertEqual(value, expected_value, error_message) - def CheckEventValues(self, storage_writer, event, expected_event_values): - """Asserts that an event and its event data matches the expected values. + def CheckEventValues(self, event_values, expected_event_values): + """Asserts that event values matches the expected values. Args: - storage_writer (StorageWriter): storage writer. - event (EventObject): event to check. + event_values (acstore.AttributeContainer): event values attribute + container to check. expected_event_values (dict[str, list[str]): expected values of the event - and event data attribute values per name. + data attribute values per name. """ - event_data = None for name, expected_value in expected_event_values.items(): - if name == 'timestamp' and isinstance(expected_value, str): - posix_time = dfdatetime_posix_time.PosixTimeInMicroseconds( - timestamp=event.timestamp) - value = posix_time.CopyToDateTimeString() - - elif name in ('date_time', 'timestamp', 'timestamp_desc'): - value = getattr(event, name, None) - - else: - if not event_data: - event_data = self._GetEventDataOfEvent(storage_writer, event) - - value = getattr(event_data, name, None) - - if name == 'date_time' and value and isinstance(expected_value, str): + value = getattr(event_values, name, None) + if isinstance(value, dfdatetime_interface.DateTimeValues): date_time_value = value.CopyToDateTimeStringISO8601() if not date_time_value: # Call CopyToDateTimeString to support semantic date time values. 
date_time_value = value.CopyToDateTimeString() value = date_time_value + elif isinstance(value, list) and value and isinstance( + value[0], dfdatetime_interface.DateTimeValues): + value = [date_time_value.CopyToDateTimeStringISO8601() + for date_time_value in value] + error_message = ( 'event value: "{0:s}" does not match expected value').format(name) self.assertEqual(value, expected_value, error_message) diff --git a/tests/parsers/winlnk.py b/tests/parsers/winlnk.py index d2d4d15f9d..0b8cae65c8 100644 --- a/tests/parsers/winlnk.py +++ b/tests/parsers/winlnk.py @@ -15,7 +15,7 @@ class WinLnkParserTest(test_lib.ParserTestCase): def testParse(self): """Tests the Parse function.""" parser = winlnk.WinLnkParser() - storage_writer = self._ParseFile(['example.lnk'], parser) + storage_writer = self._ParseFile(['winlnk', 'example.lnk'], parser) # Link information: # Creation time : Jul 13, 2009 23:29:02.849131000 UTC @@ -27,6 +27,10 @@ def testParse(self): # Icon location : %windir%\system32\migwiz\migwiz.exe # Environment variables location : %windir%\system32\migwiz\migwiz.exe + number_of_containers = storage_writer.GetNumberOfAttributeContainers( + 'windows_shortcut') + self.assertEqual(number_of_containers, 1) + number_of_event_data = storage_writer.GetNumberOfAttributeContainers( 'event_data') self.assertEqual(number_of_event_data, 2) @@ -42,10 +46,10 @@ def testParse(self): # Test shortcut event data. expected_event_values = { 'access_time': '2009-07-13T23:29:02.8491310+00:00', - 'data_type': 'windows:lnk:link', 'description': '@%windir%\\\\system32\\\\migwiz\\\\wet.dll,-590', 'creation_time': '2009-07-13T23:29:02.8491310+00:00', - 'env_var_location': '%windir%\\\\system32\\\\migwiz\\\\migwiz.exe', + 'environment_variables_location': ( + '%windir%\\\\system32\\\\migwiz\\\\migwiz.exe'), 'file_attribute_flags': 0x00000020, 'file_size': 544768, 'icon_location': '%windir%\\\\system32\\\\migwiz\\\\migwiz.exe', 
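Review bot: The new list branch in CheckEventValues converts each element with `CopyToDateTimeStringISO8601()` only, while the scalar branch directly above it falls back to `CopyToDateTimeString()` when the ISO 8601 conversion returns nothing (the existing comment says this is for semantic date time values), so a list holding such a value would compare as `None` entries instead of their semantic string. Applying the same fallback per element keeps the two branches consistent: `value = [dt.CopyToDateTimeStringISO8601() or dt.CopyToDateTimeString() for dt in value]`. The branch also keys only on `value[0]`, so a list mixing date time values with other types would be converted partially; if that cannot occur here, a one-line comment saying so would help the next reader. Minor: the new docstring summary `Asserts that event values matches the expected values.` should read `match`, and since the removed branch was the one using `dfdatetime_posix_time`, that import (outside this hunk) may now be unused unless something else in the file references it.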
@@ -53,23 +57,34 @@ def testParse(self): 'relative_path': '.\\\\migwiz\\\\migwiz.exe', 'working_directory': '%windir%\\\\system32\\\\migwiz'} + event_values = storage_writer.GetAttributeContainerByIndex( + 'windows_shortcut', 0) + self.CheckEventValues(event_values, expected_event_values) + + expected_event_data = { + 'data_type': 'windows:lnk:link'} + event_data = storage_writer.GetAttributeContainerByIndex('event_data', 0) - self.CheckEventData(event_data, expected_event_values) + self.CheckEventData(event_data, expected_event_data) # Test distributed link tracking event data. - expected_event_values = { + expected_event_data = { 'creation_time': '2009-07-14T05:45:20.5000123+00:00', 'data_type': 'windows:distributed_link_tracking:creation', 'mac_address': '00:1d:09:fa:5a:1c', 'uuid': '846ee3bb-7039-11de-9d20-001d09fa5a1c'} event_data = storage_writer.GetAttributeContainerByIndex('event_data', 1) - self.CheckEventData(event_data, expected_event_values) + self.CheckEventData(event_data, expected_event_data) def testParseLinkTargetIdentifier(self): """Tests the Parse function on an LNK with a link target identifier.""" parser = winlnk.WinLnkParser() - storage_writer = self._ParseFile(['NeroInfoTool.lnk'], parser) + storage_writer = self._ParseFile(['winlnk', 'NeroInfoTool.lnk'], parser) + + number_of_containers = storage_writer.GetNumberOfAttributeContainers( + 'windows_shortcut') + self.assertEqual(number_of_containers, 1) number_of_event_data = storage_writer.GetNumberOfAttributeContainers( 'event_data') @@ -86,7 +101,6 @@ def testParseLinkTargetIdentifier(self): # Test shortcut event data. expected_event_values = { 'creation_time': '2009-06-05T20:13:20.0000000+00:00', - 'data_type': 'windows:lnk:link', 'description': ( 'Nero InfoTool provides you with information about the most ' 'important features of installed drives, inserted discs, installed ' 
@@ -110,11 +124,18 @@ def testParseLinkTargetIdentifier(self): 'working_directory': ( 'C:\\\\Program Files (x86)\\\\Nero\\\\Nero 9\\\\Nero InfoTool')} + event_values = storage_writer.GetAttributeContainerByIndex( + 'windows_shortcut', 0) + self.CheckEventValues(event_values, expected_event_values) + + expected_event_data = { + 'data_type': 'windows:lnk:link'} + event_data = storage_writer.GetAttributeContainerByIndex('event_data', 5) - self.CheckEventData(event_data, expected_event_values) + self.CheckEventData(event_data, expected_event_data) # Test shell item event data. - expected_event_values = { + expected_event_data = { 'access_time': '2010-01-29T21:30:12+00:00', 'creation_time': '2009-06-05T20:13:20+00:00', 'data_type': 'windows:shell_item:file_entry', @@ -128,12 +149,17 @@ def testParseLinkTargetIdentifier(self): 'Nero InfoTool\\\\InfoTool.exe')} event_data = storage_writer.GetAttributeContainerByIndex('event_data', 4) - self.CheckEventData(event_data, expected_event_values) + self.CheckEventData(event_data, expected_event_data) def testParseUnpairedSurrogate(self): """Tests the Parse function on an LNK with an unpaired surrogate.""" parser = winlnk.WinLnkParser() - storage_writer = self._ParseFile(['unpaired_surrogate.lnk'], parser) + storage_writer = self._ParseFile( + ['winlnk', 'unpaired_surrogate.lnk'], parser) + + number_of_containers = storage_writer.GetNumberOfAttributeContainers( + 'windows_shortcut') + self.assertEqual(number_of_containers, 1) number_of_event_data = storage_writer.GetNumberOfAttributeContainers( 'event_data') @@ -150,7 +176,6 @@ def testParseUnpairedSurrogate(self): # Test shortcut event data. expected_event_values = { 'creation_time': '2023-07-10T04:01:20.7971076+00:00', - 'data_type': 'windows:lnk:link', 'description': None, 'drive_serial_number': 0x2ca3d1ae, 'drive_type': 3, 
@@ -160,11 +185,18 @@ def testParseUnpairedSurrogate(self): 'relative_path': '.\\\\unicode_U+0000d800_\\U0000d800.exe', 'working_directory': 'C:\\\\test'} + event_values = storage_writer.GetAttributeContainerByIndex( + 'windows_shortcut', 0) + self.CheckEventValues(event_values, expected_event_values) + + expected_event_data = { + 'data_type': 'windows:lnk:link'} + event_data = storage_writer.GetAttributeContainerByIndex('event_data', 2) - self.CheckEventData(event_data, expected_event_values) + self.CheckEventData(event_data, expected_event_data) # Test shell item event data. - expected_event_values = { + expected_event_data = { 'access_time': '2023-07-10T04:01:28+00:00', 'creation_time': '2023-07-10T04:01:22+00:00', 'data_type': 'windows:shell_item:file_entry', @@ -177,7 +209,7 @@ def testParseUnpairedSurrogate(self): ' C:\\\\test\\\\unicode_U+0000d800_\\U0000d800.exe')} event_data = storage_writer.GetAttributeContainerByIndex('event_data', 1) - self.CheckEventData(event_data, expected_event_values) + self.CheckEventData(event_data, expected_event_data) if __name__ == '__main__': diff --git a/tests/parsers/winreg_plugins/windows_version.py b/tests/parsers/winreg_plugins/windows_version.py index a870e5e8dc..22b51601f4 100644 --- a/tests/parsers/winreg_plugins/windows_version.py +++ b/tests/parsers/winreg_plugins/windows_version.py @@ -24,6 +24,7 @@ def testGetAttributeNames(self): expected_attribute_names = [ '_event_data_stream_identifier', '_event_values_hash', + '_event_values_identifier', '_parser_chain', 'build_number', 'data_type',