Index ¶
- Constants
- func BuildEventSchema(event interface{}, indicators ...FieldID) (interface{}, error)
- func BuildEventTypeSchema(eventType reflect.Type, indicators ...FieldID) (reflect.Type, error)
- func FieldNameJSON(kind FieldID) string
- func LookupScanner(name string) (scanner ValueScanner, fields []FieldID)
- func MustBuildEventSchema(event interface{}, indicators ...FieldID) interface{}
- func MustRegisterIndicator(id FieldID, field FieldMeta)
- func MustRegisterScanner(name string, scanner ValueScanner, fields ...FieldID)
- func MustRegisterScannerFunc(name string, scanner ValueScannerFunc, fields ...FieldID)
- func NewExtension() jsoniter.Extension
- func RegisterIndicator(id FieldID, field FieldMeta) error
- func RegisterScanner(name string, scanner ValueScanner, fields ...FieldID) error
- func RegisteredFieldNamesJSON() (names []string)
- func ScanHostname(w ValueWriter, input string)
- func ScanIPAddress(w ValueWriter, input string)
- func ScanNetworkAddress(w ValueWriter, input string)
- func ScanURL(dest ValueWriter, input string)
- func StaticNow(now time.Time) func() time.Time
- func StaticRowID(id string) func() string
- type Bool
- type CoreFields
- type EventTimer
- type FieldID
- type FieldMeta
- type FieldSet
- type Float32
- type Float64
- type Int16
- type Int32
- type Int64
- type Int8
- type RawMessage
- type Result
- type ResultBuilder
- type String
- type Time
- type Uint16
- type Uint32
- type Uint64
- type Uint8
- type ValueBuffer
- func (b *ValueBuffer) Contains(id FieldID, value string) bool
- func (b *ValueBuffer) Fields() []FieldID
- func (b *ValueBuffer) Get(id FieldID) []string
- func (b *ValueBuffer) Inspect() map[FieldID][]string
- func (b *ValueBuffer) IsEmpty() bool
- func (b *ValueBuffer) Recycle()
- func (b *ValueBuffer) Reset()
- func (b *ValueBuffer) WriteValues(id FieldID, values ...string)
- func (b *ValueBuffer) WriteValuesTo(w ValueWriter)
- type ValueScanner
- type ValueScannerFunc
- type ValueWriter
- type ValueWriterTo
Constants ¶
const (
	// TagNameIndicator is the struct tag key that marks a string field as an
	// indicator field. The tag value names the scanner to apply to the field
	// (a `panther:"foo"` tag selects the scanner registered as "foo").
	TagNameIndicator = "panther"

	// TagNameEventTime is the struct tag key that marks a field as the event time.
	//
	// Mark a struct field of type time.Time with an `event_time:"true"` tag to
	// set the result timestamp. If multiple timestamps are present in a struct,
	// the first one in the order of definition in the struct sets the event
	// timestamp. This does not affect events that implement EventTimer and have
	// already set their timestamp.
	TagNameEventTime = "event_time"
)
const (
	// FieldPrefixJSON is the prefix for the JSON names of fields injected by Panther into log events.
	FieldPrefixJSON = "p_"
	// FieldPrefix is the prefix for the Go names of Panther-injected fields (cf. CoreFields.PantherEventTime).
	FieldPrefix = "Panther"

	// JSON names of the core fields; they match the `json` tags on CoreFields.
	FieldLogTypeJSON   = FieldPrefixJSON + "log_type"
	FieldRowIDJSON     = FieldPrefixJSON + "row_id"
	FieldEventTimeJSON = FieldPrefixJSON + "event_time"
	FieldParseTimeJSON = FieldPrefixJSON + "parse_time"
)
Variables ¶
This section is empty.
Functions ¶
func BuildEventSchema ¶
BuildEventSchema builds a struct that extends the fields of `event` with all the fields added by Panther. It automatically detects the indicator field ids required for `event` if no `indicators` are passed. It checks for duplicate field names in both JSON and Go.
func BuildEventTypeSchema ¶
BuildEventTypeSchema builds a struct type that extends the fields of `eventType` with all the fields added by Panther. It automatically detects the indicator field ids required for `eventType` if no `indicators` are passed. It checks for duplicate field names in both JSON and Go.
func FieldNameJSON ¶
FieldNameJSON returns the JSON field name of a field id.
func LookupScanner ¶
func LookupScanner(name string) (scanner ValueScanner, fields []FieldID)
LookupScanner finds a registered scanner and field ids by name.
func MustBuildEventSchema ¶
func MustBuildEventSchema(event interface{}, indicators ...FieldID) interface{}
MustBuildEventSchema builds a struct that extends the fields of `event` with all the fields added by Panther. It automatically detects the indicator field ids required for `event` if no `indicators` are passed. It panics if an error occurs while building the new struct.
func MustRegisterIndicator ¶
MustRegisterIndicator allows modules to define their own indicator fields. It panics if a registration error occurs. WARNING: This function is not safe for concurrent use and *must* be called during `init()`.
func MustRegisterScanner ¶
func MustRegisterScanner(name string, scanner ValueScanner, fields ...FieldID)
MustRegisterScanner registers a value scanner to be used on string fields with a `panther` struct tag. It panics in case of a registration error.
func MustRegisterScannerFunc ¶ added in v1.8.0
func MustRegisterScannerFunc(name string, scanner ValueScannerFunc, fields ...FieldID)
MustRegisterScannerFunc registers a value scanner to be used on string fields with a `panther` struct tag. It panics in case of a registration error.
func NewExtension ¶
func RegisterIndicator ¶
RegisterIndicator allows modules to define their own indicator fields. WARNING: This function is not safe for concurrent use and *must* be called during `init()`. These fields are always added as `[]string`, and their values can be collected by scanners registered with `RegisterScanner`.
func RegisterScanner ¶
func RegisterScanner(name string, scanner ValueScanner, fields ...FieldID) error
RegisterScanner tries to register a value scanner to be used on string fields with a `panther` struct tag. Scanner names should be unique and field ids should already be registered with `RegisterField`. The `name` argument defines the name to use for this scanner (i.e. "foo" will be used for tags with `panther:"foo"`). The `scanner` argument is the actual scanner being registered. The `fields` argument defines all the possible field ids this scanner can produce values for.
func RegisteredFieldNamesJSON ¶
func RegisteredFieldNamesJSON() (names []string)
RegisteredFieldNamesJSON returns the JSON field names of the registered indicator fields.
func ScanHostname ¶
func ScanHostname(w ValueWriter, input string)
ScanHostname scans `input` for either an IP address or a domain name value.
func ScanIPAddress ¶
func ScanIPAddress(w ValueWriter, input string)
ScanIPAddress scans `input` for an IP address value.
func ScanNetworkAddress ¶
func ScanNetworkAddress(w ValueWriter, input string)
ScanNetworkAddress tries to split a `host:port` address, or falls back to hostname scanning if no `:` is present in `input`.
func ScanURL ¶
func ScanURL(dest ValueWriter, input string)
ScanURL scans a URL string for a domain name or IP address.
func StaticNow ¶
StaticNow returns a function to be used as ResultBuilder.Now so that the parse time is always set to a specific time.
func StaticRowID ¶
StaticRowID returns a function to be used as ResultBuilder.NextRowID so that the row id is always set to a specific value.
Types ¶
type CoreFields ¶
// CoreFields are the 'core' fields Panther adds to each log. External modules cannot add core fields.
type CoreFields struct {
	// PantherEventTime is the standardized event time (UTC) added by Panther.
	PantherEventTime time.Time `json:"p_event_time" validate:"required" description:"Panther added standardized event time (UTC)"`
	// PantherParseTime is the standardized log parse time (UTC) added by Panther.
	PantherParseTime time.Time `json:"p_parse_time" validate:"required" description:"Panther added standardized log parse time (UTC)"`
	// PantherLogType is the type of the log the event came from.
	PantherLogType string `json:"p_log_type" validate:"required" description:"Panther added field with type of log"`
	// PantherRowID is a unique id for the row (within its table).
	PantherRowID string `json:"p_row_id" validate:"required" description:"Panther added field with unique id (within table)"`
	// PantherSourceID is the id of the log source; omitted from JSON when empty.
	PantherSourceID string `json:"p_source_id,omitempty" description:"Panther added field with the source id"`
	// PantherSourceLabel is the label of the log source; omitted from JSON when empty.
	PantherSourceLabel string `json:"p_source_label,omitempty" description:"Panther added field with the source label"`
}
CoreFields are the 'core' fields Panther adds to each log. External modules cannot add core fields.
type EventTimer ¶
EventTimer returns the event timestamp. ResultBuilder checks for events that implement this interface and uses the appropriate timestamp as the event time. Events that require custom logic to decide their timestamp should implement this interface.
type FieldID ¶
// FieldID is the id of a field added by Panther. Core field ids are <= 0 and
// indicator field ids are > 0, so the two kinds never collide.
type FieldID int
FieldID is the id of a field added by Panther. This includes both core fields that are common to all events and indicator fields that are added on a per-logtype basis.
// Core field ids (<= 0). FieldNone is 0 and each following core id counts down
// from it, which keeps core ids apart from the positive indicator ids.
const (
	FieldNone FieldID = 0 - iota
	CoreFieldEventTime
	CoreFieldParseTime
	CoreFieldLogType
	CoreFieldRowID
	CoreFieldSourceID
	CoreFieldSourceLabel
)
Core field ids (<= 0). All core field ids are negative integers (with FieldNone being 0) to distinguish them from indicator field ids.
// Indicator field ids (> 0). These fields collect string values from the log
// event. Each log type chooses the indicator fields it requires; modules can
// register new indicator fields at init() using RegisterIndicator.
const (
	FieldIPAddress FieldID = 1 + iota
	FieldDomainName
	FieldMD5Hash
	FieldSHA1Hash
	FieldSHA256Hash
	FieldTraceID
	FieldAWSAccountID
	FieldAWSInstanceID
	FieldAWSARN
	FieldAWSTag
)
Indicator fields (> 0). These fields collect string values from the log event. Each log type can choose the indicator fields it requires. Modules can register new indicator fields at `init()` using RegisterIndicator.
func (FieldID) ScanValues ¶
func (id FieldID) ScanValues(w ValueWriter, input string)
ScanValues implements the ValueScanner interface.
type FieldMeta ¶
FieldMeta describes a panther field.
func (*FieldMeta) StructField ¶
func (m *FieldMeta) StructField() reflect.StructField
type FieldSet ¶
// FieldSet is a set of field ids. It provides helper methods to sort, filter
// and extend a set of unique field ids.
type FieldSet []FieldID
FieldSet is a set of field ids. It provides helper methods to sort, filter and extend a set of unique field ids.
func DefaultIndicators ¶
func DefaultIndicators() FieldSet
DefaultIndicators returns the default panther indicator fields. It creates a new copy so that outside packages cannot affect the defaults.
func FieldSetFromJSON ¶
FieldSetFromJSON checks top-level field names in a JSON object and produces the field set of all panther fields.
func FieldSetFromTag ¶
FieldSetFromTag produces the minimum required field set to support scanners defined in a struct tag.
func FieldSetFromType ¶
FieldSetFromType produces the minimum required field set to support scanners and core fields defined in a struct.
func NewFieldSet ¶
NewFieldSet creates a new set of distinct field ids.
func (FieldSet) Indicators ¶
Indicators returns a copy of the set containing only indicator field ids.
type RawMessage ¶ added in v1.8.0
// RawMessage is an alias of jsoniter.RawMessage, re-exported so that event
// types only need to import this package.
type RawMessage = jsoniter.RawMessage
type Result ¶
// Result is the result of parsing a log event.
type Result struct {
	// CoreFields holds the core panther fields that every result extends.
	CoreFields
	// Event is the underlying parsed event.
	Event interface{}
	// EventIncludesPantherFields is used for log events that embed parsers.PantherLog.
	// This is a low-overhead, temporary work-around to avoid duplicate panther
	// fields in the resulting JSON.
	// FIXME: Remove this field once all parsers are ported to the new method.
	EventIncludesPantherFields bool
	// contains filtered or unexported fields
}
Result is the result of parsing a log event.
func (*Result) MarshalJSON ¶
func (*Result) UnmarshalJSON ¶
func (*Result) WriteValues ¶
WriteValues implements the ValueWriter interface.
type ResultBuilder ¶
// ResultBuilder builds new results, filling out the result fields.
type ResultBuilder struct {
	// NextRowID produces the row id of the next result.
	// Override this to have static row ids for tests (see StaticRowID).
	NextRowID func() string
	// Now produces the parse time of the next result.
	// Override this to have a static parse time for tests (see StaticNow).
	Now func() time.Time
}
ResultBuilder builds new results filling out result fields.
func (*ResultBuilder) BuildResult ¶
func (b *ResultBuilder) BuildResult(logType string, event interface{}) (*Result, error)
BuildResult builds a new result for an event. Log type is passed as an argument so that a single result builder can be reused for producing results of different log types.
type String ¶ added in v1.8.0
Re-export field types from the pantherlog package so that event types only need to import a single package. This makes the process of adding support for a new log type easier to explain. It also allows us to change the implementation of a field type in the future without modifying parser code.
type ValueBuffer ¶
// ValueBuffer is a reusable buffer of field values. It provides helper
// methods to collect fields from log entries. A ValueBuffer can be reset
// and used in a pool.
type ValueBuffer struct {
	// contains filtered or unexported fields
}
ValueBuffer is a reusable buffer of field values. It provides helper methods to collect fields from log entries. A ValueBuffer can be reset and used in a pool.
func BlankValueBuffer ¶
func BlankValueBuffer() *ValueBuffer
func (*ValueBuffer) Contains ¶
func (b *ValueBuffer) Contains(id FieldID, value string) bool
Contains reports whether the buffer holds `value` for field `id`.
func (*ValueBuffer) Fields ¶
func (b *ValueBuffer) Fields() []FieldID
Fields returns the field ids that contain values in this buffer.
func (*ValueBuffer) Get ¶
func (b *ValueBuffer) Get(id FieldID) []string
Get returns the values stored for a field id (sorted).
func (*ValueBuffer) Inspect ¶
func (b *ValueBuffer) Inspect() map[FieldID][]string
Inspect returns a sorted copy snapshot of the value index. This is mainly useful for tests.
func (*ValueBuffer) IsEmpty ¶
func (b *ValueBuffer) IsEmpty() bool
func (*ValueBuffer) Recycle ¶
func (b *ValueBuffer) Recycle()
func (*ValueBuffer) Reset ¶
func (b *ValueBuffer) Reset()
Reset clears all fields from a buffer retaining allocated memory.
func (*ValueBuffer) WriteValues ¶
func (b *ValueBuffer) WriteValues(id FieldID, values ...string)
WriteValues adds values to the buffer.
func (*ValueBuffer) WriteValuesTo ¶
func (b *ValueBuffer) WriteValuesTo(w ValueWriter)
type ValueScanner ¶
// ValueScanner parses values from a string and writes them to a ValueWriter.
type ValueScanner interface {
	// ScanValues scans `input` and writes values to `w`. Implementations
	// should write only valid values; if `input` fails to parse, nothing
	// should be written to `w`.
	ScanValues(w ValueWriter, input string)
}
ValueScanner parses values from a string and writes them to a ValueWriter. Implementations should parse `input` and write valid values to `w`. If errors occur while parsing `input` no values should be written to `w`.
func MultiScanner ¶ added in v1.11.0
func MultiScanner(scanners ...ValueScanner) ValueScanner
MultiScanner returns a scanner that scans a value with each of the given scanners.
type ValueScannerFunc ¶
// ValueScannerFunc is a function type implementing the ValueScanner interface.
type ValueScannerFunc func(dest ValueWriter, value string)
ValueScannerFunc is a function type implementing the ValueScanner interface.
func (ValueScannerFunc) ScanValues ¶
func (f ValueScannerFunc) ScanValues(dest ValueWriter, value string)
ScanValues implements the ValueScanner interface by calling `f`.
type ValueWriter ¶
ValueWriter provides the interface for writing field values.
type ValueWriterTo ¶
// ValueWriterTo can write its field values to a ValueWriter.
type ValueWriterTo interface {
	// WriteValuesTo writes the receiver's field values to w.
	WriteValuesTo(w ValueWriter)
}
ValueWriterTo can write its field values to a ValueWriter.