osquerylogs

package


Constants

// TypeBatch is the log type string under which osquery batch-result logs
// are registered.
const TypeBatch = "Osquery.Batch"

// TypeDifferential is the log type string under which osquery differential
// logs are registered.
const TypeDifferential = "Osquery.Differential"

// TypeSnapshot is the log type string under which osquery snapshot logs are
// registered.
const TypeSnapshot = "Osquery.Snapshot"

// TypeStatus is the log type string under which osquery status logs are
// registered.
const TypeStatus = "Osquery.Status"

Variables

This section is empty.

Functions

func LogTypes added in v1.12.0

func LogTypes() logtypes.Group

Types

type Batch

// Batch is the event schema for one osquery batch-result log line.
//
// Fields tagged validate:"required" (CalendarTime, Counter, DiffResults,
// Epoch, Hostname, Name, UnixTime) must be present in the input; Decorations
// carries no validate tag and is optional. Every field is a pointer or a map
// and every JSON tag has omitempty, presumably so an absent key is
// distinguishable from a zero value and is not written back on output.
// Decorations is free-form key/value text that this schema does not
// constrain beyond its type.
//
// NOTE(review): Batch names the host Hostname (JSON "hostname"), whereas
// Differential, Snapshot and Status use HostIdentifier (JSON
// "hostIdentifier"); anything correlating events across osquery log types
// has to account for both names.
//
//nolint:lll
type Batch struct {
	CalendarTime *timestamp.ANSICwithTZ `json:"calendarTime,omitempty" validate:"required" description:"The time of the event (UTC)."`
	Counter      *numerics.Integer      `json:"counter,omitempty"  validate:"required" description:"Counter"`
	Decorations  map[string]string      `json:"decorations,omitempty" description:"Decorations"`
	DiffResults  *BatchDiffResults      `json:"diffResults,omitempty" validate:"required" description:"Computed differences."`
	Epoch        *numerics.Integer      `json:"epoch,omitempty"  validate:"required" description:"Epoch"`
	Hostname     *string                `json:"hostname,omitempty"  validate:"required" description:"Hostname"`
	Name         *string                `json:"name,omitempty"  validate:"required" description:"Name"`
	UnixTime     *numerics.Integer      `json:"unixTime,omitempty"  validate:"required" description:"Unix epoch"`

	// NOTE: added to end of struct to allow expansion later
	parsers.PantherLog
}

nolint:lll

type BatchDiffResults

// BatchDiffResults contains diff data for OsQuery batch results.
//
// Added and Removed each hold a list of rows, one map[string]string per row
// (presumably the rows that appeared and disappeared since the previous
// run). Both are omitempty and carry no validate tag, so either side may be
// absent; the row contents are free-form text that this schema does not
// constrain beyond their type.
type BatchDiffResults struct {
	Added   []map[string]string `json:"added,omitempty"`
	Removed []map[string]string `json:"removed,omitempty"`
}

BatchDiffResults contains diff data for OsQuery batch results

type BatchParser

// BatchParser parses OsQuery Batch logs.
//
// The struct has no fields, so the parser keeps no per-instance state; its
// behaviour lives entirely in the LogType, New and Parse methods.
type BatchParser struct{}

BatchParser parses OsQuery Batch logs

func (*BatchParser) LogType

func (p *BatchParser) LogType() string

LogType returns the log type supported by this parser

func (*BatchParser) New added in v0.3.0

func (p *BatchParser) New() parsers.LogParser

func (*BatchParser) Parse

func (p *BatchParser) Parse(log string) ([]*parsers.PantherLog, error)

Parse returns the parsed events or nil if parsing failed

type Differential

// Differential is the event schema for one osquery differential log line.
//
// Fields tagged validate:"required" (Action, CalendarTime, Columns, Epoch,
// HostIdentifier, Name, UnixTime) must be present in the input; Counter,
// Decorations, LogType, LogUnderscoreType and LogNumericsAsNumbers carry no
// validate tag and are optional. The log's type is accepted under two JSON
// spellings, "logType" (LogType) and "log_type" (LogUnderscoreType).
// LogNumericsAsNumbers uses the ",string" JSON option, so it is read from and
// written as a JSON string rather than a bare boolean. Columns and
// Decorations are free-form key/value text that this schema does not
// constrain beyond their type.
//
// NOTE(review): Counter is optional here but validate:"required" on Batch
// and Snapshot; this may be intentional, but confirm before relying on it
// being present.
//
//nolint:lll
type Differential struct {
	Action               *string                `json:"action,omitempty" validate:"required" description:"Action"`
	CalendarTime         *timestamp.ANSICwithTZ `json:"calendarTime,omitempty" validate:"required" description:"The time of the event (UTC)."`
	Columns              map[string]string      `json:"columns,omitempty" validate:"required" description:"Columns"`
	Counter              *numerics.Integer      `json:"counter,omitempty" description:"Counter"`
	Decorations          map[string]string      `json:"decorations,omitempty" description:"Decorations"`
	Epoch                *numerics.Integer      `json:"epoch,omitempty" validate:"required" description:"Epoch"`
	HostIdentifier       *string                `json:"hostIdentifier,omitempty" validate:"required" description:"HostIdentifier"`
	LogType              *string                `json:"logType,omitempty"  description:"LogType"`
	LogUnderscoreType    *string                `json:"log_type,omitempty" description:"LogUnderscoreType"`
	Name                 *string                `json:"name,omitempty" validate:"required" description:"Name"`
	UnixTime             *numerics.Integer      `json:"unixTime,omitempty" validate:"required" description:"UnixTime"`
	LogNumericsAsNumbers *bool                  `json:"logNumericsAsNumbers,omitempty,string" description:"LogNumericsAsNumbers"`

	// NOTE: added to end of struct to allow expansion later
	parsers.PantherLog
}

nolint:lll

type DifferentialParser

// DifferentialParser parses OsQuery Differential logs.
//
// The struct has no fields, so the parser keeps no per-instance state; its
// behaviour lives entirely in the LogType, New and Parse methods.
type DifferentialParser struct{}

DifferentialParser parses OsQuery Differential logs

func (*DifferentialParser) LogType

func (p *DifferentialParser) LogType() string

LogType returns the log type supported by this parser

func (*DifferentialParser) New added in v0.3.0

func (*DifferentialParser) Parse

func (p *DifferentialParser) Parse(log string) ([]*parsers.PantherLog, error)

Parse returns the parsed events or nil if parsing failed

type Snapshot

// Snapshot is the event schema for one osquery snapshot log line.
//
// Fields tagged validate:"required" (Action, CalendarTime, Counter, Epoch,
// HostIdentifier, Name, Snapshot, UnixTime) must be present in the input;
// Decorations carries no validate tag and is optional. Action is additionally
// tagged eq=snapshot, so only the literal value "snapshot" passes validation,
// which is what distinguishes this schema from Differential, whose Action is
// unconstrained. Snapshot holds the result rows, one map[string]string per
// row; row and Decorations contents are free-form text that this schema does
// not constrain beyond their type.
//
//nolint:lll
type Snapshot struct {
	Action         *string                `json:"action,omitempty" validate:"required,eq=snapshot" description:"Action"`
	CalendarTime   *timestamp.ANSICwithTZ `json:"calendarTime,omitempty" validate:"required" description:"The time of the event (UTC)."`
	Counter        *numerics.Integer      `json:"counter,omitempty" validate:"required" description:"Counter"`
	Decorations    map[string]string      `json:"decorations,omitempty" description:"Decorations"`
	Epoch          *numerics.Integer      `json:"epoch,omitempty" validate:"required" description:"Epoch"`
	HostIdentifier *string                `json:"hostIdentifier,omitempty" validate:"required" description:"HostIdentifier"`
	Name           *string                `json:"name,omitempty" validate:"required" description:"Name"`
	Snapshot       []map[string]string    `json:"snapshot,omitempty" validate:"required" description:"Snapshot"`
	UnixTime       *numerics.Integer      `json:"unixTime,omitempty" validate:"required" description:"UnixTime"`

	// NOTE: added to end of struct to allow expansion later
	parsers.PantherLog
}

nolint:lll

type SnapshotParser

// SnapshotParser parses OsQuery snapshot logs.
//
// The struct has no fields, so the parser keeps no per-instance state; its
// behaviour lives entirely in the LogType, New and Parse methods.
type SnapshotParser struct{}

SnapshotParser parses OsQuery snapshot logs

func (*SnapshotParser) LogType

func (p *SnapshotParser) LogType() string

LogType returns the log type supported by this parser

func (*SnapshotParser) New added in v0.3.0

func (p *SnapshotParser) New() parsers.LogParser

func (*SnapshotParser) Parse

func (p *SnapshotParser) Parse(log string) ([]*parsers.PantherLog, error)

Parse returns the parsed events or nil if parsing failed

type Status

// Status is the event schema for one osquery status (daemon health /
// diagnostic) log line.
//
// Fields tagged validate:"required" (CalendarTime, Filename, HostIdentifier,
// Line, Severity, UnixTime, Version) must be present in the input;
// Decorations, LogType, LogUnderscoreType and Message carry no validate tag
// and are optional. As with Differential, the log's type is accepted under
// two JSON spellings, "logType" (LogType) and "log_type"
// (LogUnderscoreType). Message and Decorations are free-form text that this
// schema does not constrain beyond their type.
//
// NOTE(review): the description tag on LogUnderscoreType reads
// "LogUnderScoreType" here but "LogUnderscoreType" on Differential; if the
// description tags feed generated schema documentation, the two should be
// made consistent.
//
//nolint:lll
type Status struct {
	CalendarTime      *timestamp.ANSICwithTZ `json:"calendarTime,omitempty" validate:"required" description:"The time of the event (UTC)."`
	Decorations       map[string]string      `json:"decorations,omitempty" description:"Decorations"`
	Filename          *string                `json:"filename,omitempty" validate:"required" description:"Filename"`
	HostIdentifier    *string                `json:"hostIdentifier,omitempty" validate:"required" description:"HostIdentifier"`
	Line              *numerics.Integer      `json:"line,omitempty" validate:"required" description:"Line"`
	LogType           *string                `json:"logType,omitempty"  description:"LogType"`
	LogUnderscoreType *string                `json:"log_type,omitempty" description:"LogUnderScoreType"`
	Message           *string                `json:"message,omitempty" description:"Message"`
	Severity          *numerics.Integer      `json:"severity,omitempty" validate:"required" description:"Severity"`
	UnixTime          *numerics.Integer      `json:"unixTime,omitempty" validate:"required" description:"UnixTime"`
	Version           *string                `json:"version,omitempty" validate:"required" description:"Version"`

	// NOTE: added to end of struct to allow expansion later
	parsers.PantherLog
}

nolint:lll

type StatusParser

// StatusParser parses OsQuery Status logs.
//
// The struct has no fields, so the parser keeps no per-instance state; its
// behaviour lives entirely in the LogType, New and Parse methods.
type StatusParser struct{}

StatusParser parses OsQuery Status logs

func (*StatusParser) LogType

func (p *StatusParser) LogType() string

LogType returns the log type supported by this parser

func (*StatusParser) New added in v0.3.0

func (p *StatusParser) New() parsers.LogParser

func (*StatusParser) Parse

func (p *StatusParser) Parse(log string) ([]*parsers.PantherLog, error)

Parse returns the parsed events or nil if parsing failed
