awslogs

package
Published: Apr 6, 2020 License: AGPL-3.0, Apache-2.0 Imports: 12 Imported by: 0

Documentation


Constants

This section is empty.

Variables

// ALBDesc is presumably the human-readable description registered for the ALB
// log type; the literal itself is elided in this rendering.
var ALBDesc = `` /* 197-byte string literal not displayed */
// AuroraMySQLAuditDesc is presumably the human-readable description registered
// for the Aurora MySQL audit log type; the literal is elided in this rendering.
var AuroraMySQLAuditDesc = `` /* 187-byte string literal not displayed */
// CloudTrailDesc is presumably the human-readable description registered for
// the CloudTrail log type; the literal is elided in this rendering.
var CloudTrailDesc = `` /* 193-byte string literal not displayed */
// GuardDutyDesc is presumably the human-readable description registered for
// the GuardDuty finding log type; the literal is elided in this rendering.
var GuardDutyDesc = `` /* 259-byte string literal not displayed */
// S3ServerAccessDesc is presumably the human-readable description registered
// for the S3 server access log type; the literal is elided in this rendering.
var S3ServerAccessDesc = `` /* 141-byte string literal not displayed */
// VPCFlowDesc is presumably the human-readable description registered for the
// VPC Flow log type; the literal is elided in this rendering.
var VPCFlowDesc = `` /* 210-byte string literal not displayed */

Functions

This section is empty.

Types

type ALB

// ALB is one parsed entry of an AWS Application Load Balancer access log.
//
// Field descriptions live in the `description` struct tags (the long literals
// are elided in this rendering). Security note: ClientIP, ClientPort,
// UserAgent, RequestURL, RequestHTTPMethod, DomainName and TraceID describe or
// are supplied by the remote client, so detection logic must treat them as
// untrusted input. Of all fields only Type carries a `validate` constraint
// here; everything else is stored as received.
type ALB struct {
	// Type is restricted to the listed protocols by the validator.
	Type                   *string            `json:"type,omitempty" validate:"oneof=http https h2 ws wss" description:"The type of request or connection."`
	Timestamp              *timestamp.RFC3339 `` /* 198-byte string literal not displayed */
	ELB                    *string            `` /* 168-byte string literal not displayed */
	// NOTE(review): ClientIP/ClientPort have no `ip` or port-range validation,
	// unlike VPCFlow.SrcPort/DstPort (min=0,max=65535); a malformed value is
	// accepted as-is. Consider `validate:"omitempty,ip"` if the validator in
	// use supports it — confirm.
	ClientIP               *string            `json:"clientIp,omitempty" description:"The IP address of the requesting client."`
	ClientPort             *int               `json:"clientPort,omitempty" description:"The port of the requesting client."`
	TargetIP               *string            `json:"targetIp,omitempty" description:"The IP address of the target that processed this request."`
	TargetPort             *int               `json:"targetPort,omitempty" description:"The port of the target that processed this request."`
	RequestProcessingTime  *float64           `` /* 513-byte string literal not displayed */
	TargetProcessingTime   *float64           `` /* 536-byte string literal not displayed */
	ResponseProcessingTime *float64           `` /* 579-byte string literal not displayed */
	ELBStatusCode          *int               `` /* 127-byte string literal not displayed */
	TargetStatusCode       *int               `` /* 202-byte string literal not displayed */
	ReceivedBytes          *int               `` /* 257-byte string literal not displayed */
	SentBytes              *int               `` /* 232-byte string literal not displayed */
	// The request line is parsed into method, URL and version; all three are
	// attacker-controlled strings.
	RequestHTTPMethod      *string            `json:"requestHttpMethod,omitempty" description:"The HTTP method parsed from the request."`
	RequestURL             *string            `json:"requestUrl,omitempty" description:"The HTTP URL parsed from the request."`
	RequestHTTPVersion     *string            `json:"requestHttpVersion,omitempty" description:"The HTTP version parsed from the request."`
	UserAgent              *string            `` /* 243-byte string literal not displayed */
	SSLCipher              *string            `` /* 141-byte string literal not displayed */
	SSLProtocol            *string            `` /* 145-byte string literal not displayed */
	TargetGroupARN         *string            `json:"targetGroupArn,omitempty" description:"The Amazon Resource Name (ARN) of the target group."`
	// TraceID is a request header value; presumably a client can seed it, so
	// do not rely on it as a trustworthy correlation key — confirm against the
	// ALB documentation.
	TraceID                *string            `json:"traceId,omitempty" description:"The contents of the X-Amzn-Trace-Id header."`
	DomainName             *string            `` /* 280-byte string literal not displayed */
	ChosenCertARN          *string            `` /* 243-byte string literal not displayed */
	MatchedRulePriority    *int               `` /* 338-byte string literal not displayed */
	RequestCreationTime    *timestamp.RFC3339 `json:"requestCreationTime,omitempty" description:"The time when the load balancer received the request from the client."`
	ActionsExecuted        []string           `` /* 270-byte string literal not displayed */
	RedirectURL            *string            `` /* 181-byte string literal not displayed */
	ErrorReason            *string            `` /* 278-byte string literal not displayed */

	// NOTE: added to end of struct to allow expansion later
	// Embedded Panther metadata (p_* fields, extracted account IDs/ARNs/...).
	AWSPantherLog
}

nolint:lll

type ALBParser

// ALBParser parses AWS Application Load Balancer access logs, reading records
// through CSVReader (the log is presumably a delimited text format — confirm).
//
// Parse returns nil when a line cannot be parsed and does not report why, so
// callers that need to detect dropped log lines must account for nil results
// themselves.
type ALBParser struct {
	// CSVReader is the streaming reader Parse consumes records from.
	CSVReader *csvstream.StreamingCSVReader
}

ALBParser parses AWS Application Load Balancer logs

func (*ALBParser) LogType

func (p *ALBParser) LogType() string

LogType returns the log type supported by this parser

func (*ALBParser) New added in v0.3.0

func (p *ALBParser) New() parsers.LogParser

func (*ALBParser) Parse

func (p *ALBParser) Parse(log string) []*parsers.PantherLog

Parse returns the parsed events, or nil if parsing failed. The failure reason is not returned, so callers that care about dropped log lines (a silent drop is a detection gap) must count or log nil results themselves.

type AWSExtractor added in v0.2.0

// AWSExtractor scans arbitrary key/value pairs (see Extract) for AWS
// identifiers that can be recognised generically and appends them to the
// AWSPantherLog it was created with via NewAWSExtractor. Given the
// AWSPantherLog fields, these are presumably account IDs, instance IDs, ARNs
// and tags — confirm in the implementation.
type AWSExtractor struct {
	// contains filtered or unexported fields
}

AWSExtractor extracts AWS identifiers that can be recognised generically from a key/value pair and its context (presumably account IDs, instance IDs, ARNs and tags, matching the AWSPantherLog fields) and appends them to the AWSPantherLog passed to NewAWSExtractor.

func NewAWSExtractor added in v0.2.0

func NewAWSExtractor(pl *AWSPantherLog) *AWSExtractor

func (*AWSExtractor) Extract added in v0.2.0

func (e *AWSExtractor) Extract(key, value gjson.Result)

type AWSPantherLog added in v0.2.0

// AWSPantherLog extends parsers.PantherLog with collections of AWS
// identifiers found in the row (the `p_any_aws_*` fields). They are populated
// through the AppendAnyAWS* methods, typically by AWSExtractor, and give
// detections a uniform place to look for account IDs, instance IDs, ARNs and
// tags regardless of which log type the row came from.
type AWSPantherLog struct {
	parsers.PantherLog

	PantherAnyAWSAccountIds  *parsers.PantherAnyString `` /* 131-byte string literal not displayed */
	PantherAnyAWSInstanceIds *parsers.PantherAnyString `` /* 133-byte string literal not displayed */
	PantherAnyAWSARNs        *parsers.PantherAnyString `json:"p_any_aws_arns,omitempty" description:"Panther added field with collection of aws arns associated with the row"`
	// Tags are stored as single "<key>:<value>" strings (see AppendAnyAWSTags).
	PantherAnyAWSTags        *parsers.PantherAnyString `json:"p_any_aws_tags,omitempty" description:"Panther added field with collection of aws tags associated with the row"`
}

nolint:lll

func (*AWSPantherLog) AppendAnyAWSARNPtrs added in v0.2.0

func (pl *AWSPantherLog) AppendAnyAWSARNPtrs(values ...*string)

func (*AWSPantherLog) AppendAnyAWSARNs added in v0.2.0

func (pl *AWSPantherLog) AppendAnyAWSARNs(values ...string)

func (*AWSPantherLog) AppendAnyAWSAccountIdPtrs added in v0.2.0

func (pl *AWSPantherLog) AppendAnyAWSAccountIdPtrs(values ...*string)

func (*AWSPantherLog) AppendAnyAWSAccountIds added in v0.2.0

func (pl *AWSPantherLog) AppendAnyAWSAccountIds(values ...string)

func (*AWSPantherLog) AppendAnyAWSInstanceIdPtrs added in v0.2.0

func (pl *AWSPantherLog) AppendAnyAWSInstanceIdPtrs(values ...*string)

func (*AWSPantherLog) AppendAnyAWSInstanceIds added in v0.2.0

func (pl *AWSPantherLog) AppendAnyAWSInstanceIds(values ...string)

func (*AWSPantherLog) AppendAnyAWSTagPtrs added in v0.2.0

func (pl *AWSPantherLog) AppendAnyAWSTagPtrs(values ...*string)

func (*AWSPantherLog) AppendAnyAWSTags added in v0.2.0

func (pl *AWSPantherLog) AppendAnyAWSTags(values ...string)

NOTE: each value must be of the form <key>:<value>; the tag key and value are carried together in one string rather than as a separate pair.

type AuroraMySQLAudit

// AuroraMySQLAudit is one parsed entry of an AWS Aurora MySQL audit log.
//
// Username, Host, Database and Object are values taken from the client
// session and the statement it ran; treat them as untrusted strings when
// building detections. No field carries a `validate` constraint here.
type AuroraMySQLAudit struct {
	Timestamp    *timestamp.RFC3339 `json:"timestamp,omitempty" description:"The timestamp for the logged event with microsecond precision (UTC)."`
	ServerHost   *string            `json:"serverHost,omitempty" description:"The name of the instance that the event is logged for."`
	Username     *string            `json:"username,omitempty" description:"The connected user name of the user."`
	Host         *string            `json:"host,omitempty" description:"The host that the user connected from."`
	ConnectionID *int               `json:"connectionId,omitempty" description:"The connection ID number for the logged operation."`
	QueryID      *int               `` /* 182-byte string literal not displayed */
	Operation    *string            `` /* 216-byte string literal not displayed */
	Database     *string            `json:"database,omitempty" description:"The active database, as set by the USE command."`
	// Object: description elided in this rendering; presumably the query text
	// or object name, which may contain quotes/commas — confirm against the
	// parser before pattern-matching on it.
	Object       *string            `` /* 143-byte string literal not displayed */
	RetCode      *int               `json:"retCode,omitempty" description:"The return code of the logged operation."`

	// NOTE: added to end of struct to allow expansion later
	// Embedded Panther metadata (p_* fields, extracted account IDs/ARNs/...).
	AWSPantherLog
}

nolint:lll

type AuroraMySQLAuditParser

// AuroraMySQLAuditParser parses AWS Aurora MySQL audit logs, reading records
// through CSVReader.
//
// Parse returns nil when a line cannot be parsed and does not report why, so
// callers that need to detect dropped log lines must account for nil results
// themselves.
type AuroraMySQLAuditParser struct {
	// CSVReader is the streaming reader Parse consumes records from.
	CSVReader *csvstream.StreamingCSVReader
}

AuroraMySQLAuditParser parses AWS Aurora MySQL Audit logs

func (*AuroraMySQLAuditParser) LogType

func (p *AuroraMySQLAuditParser) LogType() string

LogType returns the log type supported by this parser

func (*AuroraMySQLAuditParser) New added in v0.3.0

func (*AuroraMySQLAuditParser) Parse

Parse returns the parsed events, or nil if parsing failed. The failure reason is not returned, so callers that care about dropped log lines (a silent drop is a detection gap) must count or log nil results themselves.

type CloudTrail

// CloudTrail is a single record from the Records[*] array of an AWS CloudTrail
// log file.
//
// AWSRegion, EventVersion and UserIdentity are marked `validate:"required"`
// (other fields' tags are elided in this rendering, so more may be). The
// RawMessage fields keep their JSON verbatim and unparsed; depending on the
// API call they can carry request/response payloads, so downstream storage
// and access controls should treat them as potentially sensitive.
type CloudTrail struct {
	AdditionalEventData *jsoniter.RawMessage    `` /* 128-byte string literal not displayed */
	APIVersion          *string                 `json:"apiVersion,omitempty" description:"Identifies the API version associated with the AwsApiCall eventType value."`
	AWSRegion           *string                 `json:"awsRegion,omitempty" validate:"required" description:"The AWS region that the request was made to, such as us-east-2."`
	// ErrorCode/ErrorMessage are set only when the call failed; a non-nil
	// ErrorCode (e.g. access denied) is itself a useful detection signal.
	ErrorCode           *string                 `json:"errorCode,omitempty" description:"The AWS service error if the request returns an error."`
	ErrorMessage        *string                 `` /* 246-byte string literal not displayed */
	EventID             *string                 `` /* 269-byte string literal not displayed */
	EventName           *string                 `` /* 139-byte string literal not displayed */
	EventSource         *string                 `` /* 196-byte string literal not displayed */
	EventTime           *timestamp.RFC3339      `` /* 137-byte string literal not displayed */
	EventType           *string                 `` /* 213-byte string literal not displayed */
	EventVersion        *string                 `json:"eventVersion,omitempty" validate:"required" description:"The version of the log event format."`
	ManagementEvent     *bool                   `` /* 307-byte string literal not displayed */
	ReadOnly            *bool                   `json:"readOnly,omitempty" description:"Identifies whether this operation is a read-only operation."`
	RecipientAccountID  *string                 `` /* 278-byte string literal not displayed */
	RequestID           *string                 `` /* 126-byte string literal not displayed */
	// RequestParameters/ResponseElements are left as raw JSON; their shape is
	// API-specific.
	RequestParameters   *jsoniter.RawMessage    `` /* 205-byte string literal not displayed */
	Resources           []CloudTrailResources   `json:"resources,omitempty" description:"A list of resources accessed in the event."`
	ResponseElements    *jsoniter.RawMessage    `` /* 341-byte string literal not displayed */
	ServiceEventDetails *jsoniter.RawMessage    `` /* 131-byte string literal not displayed */
	SharedEventID       *string                 `` /* 177-byte string literal not displayed */
	// NOTE(review): SourceIPAddress is a plain string with no `ip` validation;
	// per AWS documentation it is presumably a service DNS name rather than an
	// address when an AWS service made the call — confirm before parsing it as
	// an IP.
	SourceIPAddress     *string                 `` /* 309-byte string literal not displayed */
	UserAgent           *string                 `` /* 167-byte string literal not displayed */
	UserIdentity        *CloudTrailUserIdentity `json:"userIdentity,omitempty" validate:"required" description:"Information about the user that made a request."`
	VPCEndpointID       *string                 `` /* 154-byte string literal not displayed */

	// NOTE: added to end of struct to allow expansion later
	// Embedded Panther metadata (p_* fields, extracted account IDs/ARNs/...).
	AWSPantherLog
}

CloudTrail is a record from the Records[*] JSON of an AWS CloudTrail API log. nolint:lll

type CloudTrailParser

// CloudTrailParser parses CloudTrail log files (a JSON document with a Records
// array, see CloudTrailRecords) into one event per record. It holds no state.
//
// Parse returns nil when the input cannot be parsed and does not report why,
// so callers that need to detect dropped input must account for nil results
// themselves.
type CloudTrailParser struct{}

CloudTrailParser parses CloudTrail logs

func (*CloudTrailParser) LogType

func (p *CloudTrailParser) LogType() string

LogType returns the log type supported by this parser

func (*CloudTrailParser) New added in v0.3.0

func (*CloudTrailParser) Parse

func (p *CloudTrailParser) Parse(log string) []*parsers.PantherLog

Parse returns the parsed events, or nil if parsing failed. The failure reason is not returned, so callers that care about dropped input (a silent drop is a detection gap) must count or log nil results themselves.

type CloudTrailRecords

// CloudTrailRecords is the top-level shape of a CloudTrail log file: a JSON
// object whose Records array holds the individual events. The `dive` tag
// makes validation descend into every record, so one invalid record fails
// validation of the whole file.
type CloudTrailRecords struct {
	Records []*CloudTrail `json:"Records" validate:"required,dive"`
}

type CloudTrailResources

// CloudTrailResources identifies one AWS resource touched by an API call.
// Note the tags have no `omitempty`, so nil fields are emitted as null.
type CloudTrailResources struct {
	ARN       *string `json:"arn"`
	AccountID *string `json:"accountId"`
	Type      *string `json:"type"`
}

CloudTrailResources are the AWS resources used in the API call.

type CloudTrailSessionContext

// CloudTrailSessionContext describes the session behind temporary credentials:
// session attributes (MFA, creation time), the principal that issued the
// session, and web-identity federation data when applicable. All parts are
// optional.
type CloudTrailSessionContext struct {
	Attributes          *CloudTrailSessionContextAttributes          `json:"attributes,omitempty"`
	SessionIssuer       *CloudTrailSessionContextSessionIssuer       `json:"sessionIssuer,omitempty"`
	WebIDFederationData *CloudTrailSessionContextWebIDFederationData `json:"webIdFederationData,omitempty"`
}

CloudTrailSessionContext provides information about a session created for temporary credentials.

type CloudTrailSessionContextAttributes

// CloudTrailSessionContextAttributes holds the attributes of a session context.
//
// Both fields are kept as raw strings: MfaAuthenticated is NOT a bool, so
// detections must compare it as a string (presumably "true"/"false" — confirm
// against CloudTrail samples), and CreationDate is not parsed into
// timestamp.RFC3339 like the other timestamps in this package.
type CloudTrailSessionContextAttributes struct {
	MfaAuthenticated *string `json:"mfaAuthenticated,omitempty"`
	CreationDate     *string `json:"creationDate,omitempty"`
}

CloudTrailSessionContextAttributes contains the attributes of the Session context object

type CloudTrailSessionContextSessionIssuer

// CloudTrailSessionContextSessionIssuer identifies the principal that issued
// the temporary credentials used for the call (for example the role that was
// assumed). For role sessions this, not UserIdentity.ARN, is usually the
// stable identity to pivot on — confirm against CloudTrail samples.
type CloudTrailSessionContextSessionIssuer struct {
	Type        *string `json:"type,omitempty"`
	PrincipalID *string `json:"principalId,omitempty"`
	Arn         *string `json:"arn,omitempty"`
	AccountID   *string `json:"accountId,omitempty"`
	Username    *string `json:"userName,omitempty"`
}

CloudTrailSessionContextSessionIssuer contains information for the SessionContextSessionIssuer

type CloudTrailSessionContextWebIDFederationData

// CloudTrailSessionContextWebIDFederationData describes a session obtained
// through web identity federation. Attributes is kept as raw JSON because its
// shape depends on the identity provider.
type CloudTrailSessionContextWebIDFederationData struct {
	FederatedProvider *string              `json:"federatedProvider,omitempty"`
	Attributes        *jsoniter.RawMessage `json:"attributes,omitempty"`
}

CloudTrailSessionContextWebIDFederationData contains Web ID federation data

type CloudTrailUserIdentity

// CloudTrailUserIdentity describes the IAM identity that made the request.
//
// Every field is optional; which ones are present depends on Type (a root
// user, IAM user, assumed role or AWS service populate different subsets —
// confirm against CloudTrail documentation), so detections should not assume
// ARN or Username is set. AccessKeyID is the key identifier only and is useful
// for tracking use of a specific credential across events.
type CloudTrailUserIdentity struct {
	Type             *string                   `json:"type,omitempty"`
	PrincipalID      *string                   `json:"principalId,omitempty"`
	ARN              *string                   `json:"arn,omitempty"`
	AccountID        *string                   `json:"accountId,omitempty"`
	AccessKeyID      *string                   `json:"accessKeyId,omitempty"`
	Username         *string                   `json:"userName,omitempty"`
	SessionContext   *CloudTrailSessionContext `json:"sessionContext,omitempty"`
	InvokedBy        *string                   `json:"invokedBy,omitempty"`
	IdentityProvider *string                   `json:"identityProvider,omitempty"`
}

CloudTrailUserIdentity contains details about the type of IAM identity that made the request.

type GuardDuty

// GuardDuty is one GuardDuty finding as exported to the log source.
//
// Most top-level fields are `validate:"required"`, so a record missing any of
// them is rejected. Resource (and Service.Action/AdditionalInfo) are kept as
// raw JSON because their shape varies by finding type.
type GuardDuty struct {
	SchemaVersion *string              `json:"schemaVersion" validate:"required" description:"The schema format version of this record."`
	AccountID     *string              `` /* 165-byte string literal not displayed */
	Region        *string              `json:"region" validate:"required" description:"The AWS region in which the finding was generated."`
	Partition     *string              `json:"partition" validate:"required" description:"The AWS partition in which the finding was generated."`
	// NOTE(review): ID is the only required field here tagged `omitempty`; the
	// sibling required fields are not. Harmless while validation guarantees a
	// value, but inconsistent — confirm which form is intended.
	ID            *string              `json:"id,omitempty" validate:"required" description:"A unique identifier for the finding."`
	Arn           *string              `json:"arn" validate:"required" description:"A unique identifier formatted as an ARN for the finding."`
	Type          *string              `json:"type" validate:"required" description:"A concise yet readable description of the potential security issue."`
	Resource      *jsoniter.RawMessage `` /* 154-byte string literal not displayed */
	// Severity is a float32 here; the description (elided) presumably states
	// the numeric scale — confirm before thresholding on it.
	Severity      *float32             `` /* 128-byte string literal not displayed */
	// NOTE(review): `min=0` is applied to a timestamp pointer, not a number;
	// confirm the validator in use accepts it or whether it is a no-op.
	CreatedAt     *timestamp.RFC3339   `json:"createdAt" validate:"required,min=0" description:"The initial creation time of the finding (UTC)."`
	UpdatedAt     *timestamp.RFC3339   `json:"updatedAt" validate:"required,min=0" description:"The last update time of the finding (UTC)."`
	Title         *string              `json:"title" validate:"required" description:"A short description of the finding."`
	Description   *string              `json:"description" validate:"required" description:"A long description of the finding."`
	Service       *GuardDutyService    `json:"service" validate:"required" description:"Additional information about the affected service."`

	// NOTE: added to end of struct to allow expansion later
	// Embedded Panther metadata (p_* fields, extracted account IDs/ARNs/...).
	AWSPantherLog
}

nolint:lll

type GuardDutyParser

// GuardDutyParser parses AWS GuardDuty findings into GuardDuty events. It
// holds no state.
//
// Parse returns nil when the input cannot be parsed and does not report why,
// so callers that need to detect dropped findings must account for nil
// results themselves.
type GuardDutyParser struct{}

GuardDutyParser parses AWS GuardDuty finding logs

func (*GuardDutyParser) LogType

func (p *GuardDutyParser) LogType() string

LogType returns the log type supported by this parser

func (*GuardDutyParser) New added in v0.3.0

func (*GuardDutyParser) Parse

func (p *GuardDutyParser) Parse(log string) []*parsers.PantherLog

Parse returns the parsed events, or nil if parsing failed. The failure reason is not returned, so callers that care about dropped findings (a silent drop is a detection gap) must count or log nil results themselves.

type GuardDutyService

// GuardDutyService is the `service` section of a GuardDuty finding. Only
// ServiceName and DetectorID are validated as required; Action and
// AdditionalInfo are left as raw JSON because their shape depends on the
// finding type. No field uses `omitempty`, so absent values serialise as null.
type GuardDutyService struct {
	AdditionalInfo *jsoniter.RawMessage `json:"additionalInfo"`
	Action         *jsoniter.RawMessage `json:"action"`
	ServiceName    *string              `json:"serviceName" validate:"required"`
	DetectorID     *string              `json:"detectorId" validate:"required"`
	ResourceRole   *string              `json:"resourceRole"`
	EventFirstSeen *timestamp.RFC3339   `json:"eventFirstSeen"`
	EventLastSeen  *timestamp.RFC3339   `json:"eventLastSeen"`
	Archived       *bool                `json:"archived"`
	// Count is presumably how many times the activity was observed — confirm.
	Count          *int                 `json:"count"`
}

type S3ServerAccess

// S3ServerAccess is one parsed entry of an S3 server access log.
//
// JSON keys are all-lowercase here (e.g. "requestid", "httpstatus"), unlike
// the camelCase used by the other log types in this package — they are part
// of the stored schema, so do not "fix" them without a migration. RemoteIP,
// Requester, Key, RequestURI, Referrer and UserAgent come from the client
// request and must be treated as untrusted. Only HTTPStatus is validated.
type S3ServerAccess struct {
	BucketOwner        *string            `` /* 196-byte string literal not displayed */
	Bucket             *string            `` /* 230-byte string literal not displayed */
	Time               *timestamp.RFC3339 `json:"time,omitempty" description:"The time at which the request was received (UTC)."`
	// NOTE(review): no `ip` validation on RemoteIP, unlike the port/account
	// checks on VPCFlow; a malformed value is accepted as-is.
	RemoteIP           *string            `` /* 190-byte string literal not displayed */
	Requester          *string            `` /* 329-byte string literal not displayed */
	RequestID          *string            `json:"requestid,omitempty" description:"A string generated by Amazon S3 to uniquely identify each request."`
	Operation          *string            `` /* 188-byte string literal not displayed */
	Key                *string            `` /* 132-byte string literal not displayed */
	RequestURI         *string            `json:"requesturi,omitempty" description:"The Request-URI part of the HTTP request message."`
	// NOTE(review): max=600 is inclusive, so 600 passes although valid HTTP
	// status codes end at 599 — cosmetic unless something keys on exact range.
	HTTPStatus         *int               `json:"httpstatus,omitempty" validate:"omitempty,max=600,min=100" description:"The numeric HTTP status code of the response."`
	ErrorCode          *string            `json:"errorcode,omitempty" description:"The Amazon S3 Error Code, or NULL if no error occurred."`
	BytesSent          *int               `` /* 126-byte string literal not displayed */
	ObjectSize         *int               `json:"objectsize,omitempty" description:"The total size of the object in question."`
	TotalTime          *int               `` /* 330-byte string literal not displayed */
	TurnAroundTime     *int               `` /* 254-byte string literal not displayed */
	Referrer           *string            `` /* 223-byte string literal not displayed */
	UserAgent          *string            `json:"useragent,omitempty" description:"The value of the HTTP User-Agent header."`
	VersionID          *string            `` /* 133-byte string literal not displayed */
	HostID             *string            `json:"hostid,omitempty" description:"The x-amz-id-2 or Amazon S3 extended request ID."`
	// SignatureVersion/AuthenticationType/CipherSuite/TLSVersion describe how
	// the request was authenticated and transported — useful for spotting
	// unauthenticated or weak-TLS access to a bucket.
	SignatureVersion   *string            `` /* 166-byte string literal not displayed */
	CipherSuite        *string            `` /* 136-byte string literal not displayed */
	AuthenticationType *string            `` /* 213-byte string literal not displayed */
	HostHeader         *string            `json:"hostheader,omitempty" description:"The endpoint used to connect to Amazon S3."`
	TLSVersion         *string            `` /* 194-byte string literal not displayed */
	// AdditionalFields keeps any trailing columns verbatim, so new log-format
	// columns are preserved rather than dropped; they are unparsed and
	// unvalidated.
	AdditionalFields   []string           `json:"additionalFields,omitempty" description:"The remaining columns in the record as an array."`

	// NOTE: added to end of struct to allow expansion later
	// Embedded Panther metadata (p_* fields, extracted account IDs/ARNs/...).
	AWSPantherLog
}

nolint:lll

type S3ServerAccessParser

// S3ServerAccessParser parses AWS S3 server access logs, reading records
// through CSVReader.
//
// Parse returns nil when a line cannot be parsed and does not report why, so
// callers that need to detect dropped log lines must account for nil results
// themselves.
type S3ServerAccessParser struct {
	// CSVReader is the streaming reader Parse consumes records from.
	CSVReader *csvstream.StreamingCSVReader
}

S3ServerAccessParser parses AWS S3 Server Access logs

func (*S3ServerAccessParser) LogType

func (p *S3ServerAccessParser) LogType() string

LogType returns the log type supported by this parser

func (*S3ServerAccessParser) New added in v0.3.0

func (*S3ServerAccessParser) Parse

func (p *S3ServerAccessParser) Parse(log string) []*parsers.PantherLog

Parse returns the parsed events, or nil if parsing failed. The failure reason is not returned, so callers that care about dropped log lines (a silent drop is a detection gap) must count or log nil results themselves.

type VPCFlow

// VPCFlow is one parsed VPC Flow Log record, including the optional extended
// (custom-format) fields.
//
// This is the most tightly validated type in the package: AccountID must be
// 12 numeric characters, ports must be within 0–65535 and Start/End are
// required. Note the JSON key for AccountID is "account", not "accountId".
type VPCFlow struct {
	Version     *int               `` /* 165-byte string literal not displayed */
	AccountID   *string            `json:"account,omitempty" validate:"omitempty,len=12,numeric" description:"The AWS account ID for the flow log."`
	InterfaceID *string            `json:"interfaceId,omitempty" description:"The ID of the network interface for which the traffic is recorded."`
	// NOTE(review): SrcAddr/DstAddr are not validated as IPs even though the
	// ports are range-checked; a malformed address is accepted as-is.
	SrcAddr     *string            `` /* 258-byte string literal not displayed */
	DstAddr     *string            `` /* 262-byte string literal not displayed */
	SrcPort     *int               `json:"srcPort,omitempty" validate:"omitempty,min=0,max=65535" description:"The source port of the traffic."`
	DstPort     *int               `json:"dstPort,omitempty" validate:"omitempty,min=0,max=65535" description:"The destination port of the traffic."`
	// NOTE(review): Protocol has no range check; IANA protocol numbers are
	// 8-bit, so `validate:"omitempty,min=0,max=255"` would match the port
	// fields' style — confirm.
	Protocol    *int               `json:"protocol,omitempty" description:"The IANA protocol number of the traffic."`
	Packets     *int               `json:"packets,omitempty" description:"The number of packets transferred during the flow."`
	Bytes       *int               `json:"bytes,omitempty" description:"The number of bytes transferred during the flow."`
	Start       *timestamp.RFC3339 `json:"start,omitempty" validate:"required" description:"The time of the start of the flow (UTC)."`
	End         *timestamp.RFC3339 `json:"end,omitempty" validate:"required" description:"The time of the end of the flow (UTC)."`
	// Action/LogStatus descriptions are elided; LogStatus presumably flags
	// records with no or skipped data, which detections should filter on —
	// confirm against the VPC Flow Log documentation.
	Action      *string            `` /* 296-byte string literal not displayed */
	LogStatus   *string            `` /* 413-byte string literal not displayed */

	// extended custom fields
	// These are only present when the flow log uses a custom format that
	// includes them; they are emitted as "trafficType" etc. per the tags.
	VpcID         *string `json:"vpcId,omitempty" description:"The ID of the VPC that contains the network interface for which the traffic is recorded."`
	SubNetID      *string `` /* 131-byte string literal not displayed */
	InstanceID    *string `` /* 291-byte string literal not displayed */
	TCPFlags      *int    `` /* 379-byte string literal not displayed */
	Type          *string `json:"trafficType,omitempty" description:"The type of traffic: IPv4, IPv6, or EFA."`
	PacketSrcAddr *string `` /* 518-byte string literal not displayed */
	PacketDstAddr *string `` /* 526-byte string literal not displayed */

	// NOTE: added to end of struct to allow expansion later
	// Embedded Panther metadata (p_* fields, extracted account IDs/ARNs/...).
	AWSPantherLog
}

nolint:lll

type VPCFlowParser

// VPCFlowParser parses AWS VPC Flow Logs, reading records through CSVReader.
// Unlike the other parsers it also carries unexported state (not shown here),
// presumably the column layout of the custom format being parsed — confirm.
//
// Parse returns nil when a line cannot be parsed and does not report why, so
// callers that need to detect dropped log lines must account for nil results
// themselves.
type VPCFlowParser struct {
	// CSVReader is the streaming reader Parse consumes records from.
	CSVReader *csvstream.StreamingCSVReader
	// contains filtered or unexported fields
}

VPCFlowParser parses AWS VPC Flow logs

func (*VPCFlowParser) LogType

func (p *VPCFlowParser) LogType() string

LogType returns the log type supported by this parser

func (*VPCFlowParser) New added in v0.3.0

func (p *VPCFlowParser) New() parsers.LogParser

func (*VPCFlowParser) Parse

func (p *VPCFlowParser) Parse(log string) []*parsers.PantherLog

Parse returns the parsed events, or nil if parsing failed. The failure reason is not returned, so callers that care about dropped log lines (a silent drop is a detection gap) must count or log nil results themselves.
