awslogs

package
v1.15.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jan 22, 2021 License: AGPL-3.0 Imports: 16 Imported by: 0

Documentation

Overview

Package awslogs defines parsers and log types for AWS logs.

Index

Constants

View Source
const (
	TypeALB               = "AWS.ALB"
	TypeAuroraMySQLAudit  = `AWS.AuroraMySQLAudit`
	TypeCloudTrail        = `AWS.CloudTrail`
	TypeCloudTrailDigest  = "AWS.CloudTrailDigest"
	TypeCloudTrailInsight = "AWS.CloudTrailInsight"
	TypeCloudWatchEvents  = "AWS.CloudWatchEvents"
	TypeGuardDuty         = "AWS.GuardDuty"
	TypeS3ServerAccess    = "AWS.S3ServerAccess"
	TypeVPCDns            = "AWS.VPCDns"
	TypeVPCFlow           = "AWS.VPCFlow"
)

Variables

This section is empty.

Functions

func LogTypes added in v1.12.0

func LogTypes() logtypes.Group

LogTypes exports the available log type entries

Types

type ALB

type ALB struct {
	Type                   *string            `json:"type,omitempty" validate:"oneof=http https h2 ws wss" description:"The type of request or connection."`
	Timestamp              *timestamp.RFC3339 `` /* 198-byte string literal not displayed */
	ELB                    *string            `` /* 168-byte string literal not displayed */
	ClientIP               *string            `json:"clientIp,omitempty" description:"The IP address of the requesting client."`
	ClientPort             *int               `json:"clientPort,omitempty" description:"The port of the requesting client."`
	TargetIP               *string            `json:"targetIp,omitempty" description:"The IP address of the target that processed this request."`
	TargetPort             *int               `json:"targetPort,omitempty" description:"The port of the target that processed this request."`
	RequestProcessingTime  *float64           `` /* 513-byte string literal not displayed */
	TargetProcessingTime   *float64           `` /* 536-byte string literal not displayed */
	ResponseProcessingTime *float64           `` /* 579-byte string literal not displayed */
	ELBStatusCode          *int               `` /* 127-byte string literal not displayed */
	TargetStatusCode       *int               `` /* 202-byte string literal not displayed */
	ReceivedBytes          *int               `` /* 257-byte string literal not displayed */
	SentBytes              *int               `` /* 232-byte string literal not displayed */
	RequestHTTPMethod      *string            `json:"requestHttpMethod,omitempty" description:"The HTTP method parsed from the request."`
	RequestURL             *string            `json:"requestUrl,omitempty" description:"The HTTP URL parsed from the request."`
	RequestHTTPVersion     *string            `json:"requestHttpVersion,omitempty" description:"The HTTP version parsed from the request."`
	UserAgent              *string            `` /* 243-byte string literal not displayed */
	SSLCipher              *string            `` /* 141-byte string literal not displayed */
	SSLProtocol            *string            `` /* 145-byte string literal not displayed */
	TargetGroupARN         *string            `json:"targetGroupArn,omitempty" description:"The Amazon Resource Name (ARN) of the target group."`
	TraceID                *string            `json:"traceId,omitempty" description:"The contents of the X-Amzn-Trace-Id header."`
	DomainName             *string            `` /* 280-byte string literal not displayed */
	ChosenCertARN          *string            `` /* 243-byte string literal not displayed */
	MatchedRulePriority    *int               `` /* 338-byte string literal not displayed */
	RequestCreationTime    *timestamp.RFC3339 `json:"requestCreationTime,omitempty" description:"The time when the load balancer received the request from the client."`
	ActionsExecuted        []string           `` /* 270-byte string literal not displayed */
	RedirectURL            *string            `` /* 181-byte string literal not displayed */
	ErrorReason            *string            `` /* 278-byte string literal not displayed */

	// NOTE: added to end of struct to allow expansion later
	AWSPantherLog
}

nolint:lll

type ALBParser

type ALBParser struct {
	CSVReader *csvstream.StreamingCSVReader
}

ALBParser parses AWS Application Load Balancer logs

func (*ALBParser) LogType

func (p *ALBParser) LogType() string

LogType returns the log type supported by this parser

func (*ALBParser) New added in v0.3.0

func (p *ALBParser) New() parsers.LogParser

func (*ALBParser) Parse

func (p *ALBParser) Parse(log string) ([]*parsers.PantherLog, error)

Parse returns the parsed events or nil if parsing failed

type AWSExtractor added in v0.2.0

type AWSExtractor struct {
	// contains filtered or unexported fields
}

extracts useful AWS features that can be detected generically (w/context)

func NewAWSExtractor added in v0.2.0

func NewAWSExtractor(pl *AWSPantherLog) *AWSExtractor

func (*AWSExtractor) Extract added in v0.2.0

func (e *AWSExtractor) Extract(key, value gjson.Result)

type AWSPantherLog added in v0.2.0

type AWSPantherLog struct {
	parsers.PantherLog

	PantherAnyAWSAccountIds  parsers.PantherAnyString `` /* 131-byte string literal not displayed */
	PantherAnyAWSInstanceIds parsers.PantherAnyString `` /* 133-byte string literal not displayed */
	PantherAnyAWSARNs        parsers.PantherAnyString `json:"p_any_aws_arns,omitempty" description:"Panther added field with collection of aws arns associated with the row"`
	PantherAnyAWSTags        parsers.PantherAnyString `json:"p_any_aws_tags,omitempty" description:"Panther added field with collection of aws tags associated with the row"`
}

nolint(lll)

func (*AWSPantherLog) AppendAnyAWSARNPtrs added in v0.2.0

func (pl *AWSPantherLog) AppendAnyAWSARNPtrs(values ...*string)

func (*AWSPantherLog) AppendAnyAWSARNs added in v0.2.0

func (pl *AWSPantherLog) AppendAnyAWSARNs(values ...string)

func (*AWSPantherLog) AppendAnyAWSAccountIdPtrs added in v0.2.0

func (pl *AWSPantherLog) AppendAnyAWSAccountIdPtrs(values ...*string)

func (*AWSPantherLog) AppendAnyAWSAccountIds added in v0.2.0

func (pl *AWSPantherLog) AppendAnyAWSAccountIds(values ...string)

func (*AWSPantherLog) AppendAnyAWSInstanceIdPtrs added in v0.2.0

func (pl *AWSPantherLog) AppendAnyAWSInstanceIdPtrs(values ...*string)

func (*AWSPantherLog) AppendAnyAWSInstanceIds added in v0.2.0

func (pl *AWSPantherLog) AppendAnyAWSInstanceIds(values ...string)

func (*AWSPantherLog) AppendAnyAWSTagPtrs added in v0.2.0

func (pl *AWSPantherLog) AppendAnyAWSTagPtrs(values ...*string)

func (*AWSPantherLog) AppendAnyAWSTags added in v0.2.0

func (pl *AWSPantherLog) AppendAnyAWSTags(values ...string)

NOTE: value should be of the form <key>:<value>

type AuroraMySQLAudit

type AuroraMySQLAudit struct {
	Timestamp    *timestamp.RFC3339 `json:"timestamp,omitempty" description:"The timestamp for the logged event with microsecond precision (UTC)."`
	ServerHost   *string            `json:"serverHost,omitempty" description:"The name of the instance that the event is logged for."`
	Username     *string            `json:"username,omitempty" description:"The connected user name of the user."`
	Host         *string            `json:"host,omitempty" description:"The host that the user connected from."`
	ConnectionID *int               `json:"connectionId,omitempty" description:"The connection ID number for the logged operation."`
	QueryID      *int               `` /* 182-byte string literal not displayed */
	Operation    *string            `` /* 216-byte string literal not displayed */
	Database     *string            `json:"database,omitempty" description:"The active database, as set by the USE command."`
	Object       *string            `` /* 143-byte string literal not displayed */
	RetCode      *int               `json:"retCode,omitempty" description:"The return code of the logged operation."`

	// NOTE: added to end of struct to allow expansion later
	AWSPantherLog
}

nolint:lll

type AuroraMySQLAuditParser

type AuroraMySQLAuditParser struct {
	CSVReader *csvstream.StreamingCSVReader
}

AuroraMySQLAuditParser parses AWS Aurora MySQL Audit logs

func (*AuroraMySQLAuditParser) LogType

func (p *AuroraMySQLAuditParser) LogType() string

LogType returns the log type supported by this parser

func (*AuroraMySQLAuditParser) New added in v0.3.0

func (*AuroraMySQLAuditParser) Parse

Parse returns the parsed events or nil if parsing failed

type CloudTrail

type CloudTrail struct {
	AdditionalEventData pantherlog.RawMessage   `json:"additionalEventData" description:"Additional data about the event that was not part of the request or response."`
	APIVersion          pantherlog.String       `json:"apiVersion" description:"Identifies the API version associated with the AwsApiCall eventType value."`
	AWSRegion           pantherlog.String       `json:"awsRegion" validate:"required" description:"The AWS region that the request was made to, such as us-east-2."`
	ErrorCode           pantherlog.String       `json:"errorCode" description:"The AWS service error if the request returns an error."`
	ErrorMessage        pantherlog.String       `` /* 236-byte string literal not displayed */
	EventID             pantherlog.String       `` /* 259-byte string literal not displayed */
	EventName           pantherlog.String       `` /* 129-byte string literal not displayed */
	EventSource         pantherlog.String       `` /* 186-byte string literal not displayed */
	EventTime           pantherlog.Time         `` /* 162-byte string literal not displayed */
	EventType           pantherlog.String       `` /* 203-byte string literal not displayed */
	EventVersion        pantherlog.String       `json:"eventVersion" validate:"required" description:"The version of the log event format."`
	ManagementEvent     pantherlog.Bool         `` /* 297-byte string literal not displayed */
	ReadOnly            pantherlog.Bool         `json:"readOnly" description:"Identifies whether this operation is a read-only operation."`
	RecipientAccountID  pantherlog.String       `` /* 293-byte string literal not displayed */
	RequestID           pantherlog.String       `json:"requestID" description:"The value that identifies the request. The service being called generates this value."`
	RequestParameters   pantherlog.RawMessage   `` /* 195-byte string literal not displayed */
	Resources           []CloudTrailResources   `json:"resources" description:"A list of resources accessed in the event."`
	ResponseElements    pantherlog.RawMessage   `` /* 331-byte string literal not displayed */
	ServiceEventDetails pantherlog.RawMessage   `json:"serviceEventDetails" description:"Identifies the service event, including what triggered the event and the result."`
	SharedEventID       pantherlog.String       `` /* 167-byte string literal not displayed */
	SourceIPAddress     pantherlog.String       `` /* 318-byte string literal not displayed */
	UserAgent           pantherlog.String       `` /* 157-byte string literal not displayed */
	UserIdentity        *CloudTrailUserIdentity `json:"userIdentity" validate:"required" description:"Information about the user that made a request."`
	VPCEndpointID       pantherlog.String       `` /* 144-byte string literal not displayed */
}

CloudTrail is a record from the Records[*] JSON of an AWS CloudTrail API log. nolint:lll

func (*CloudTrail) WriteValuesTo added in v1.13.0

func (event *CloudTrail) WriteValuesTo(w pantherlog.ValueWriter)

type CloudTrailDigest added in v1.2.0

type CloudTrailDigest struct {
	AWSAccountID                pantherlog.String         `` /* 143-byte string literal not displayed */
	DigestStartTime             pantherlog.Time           `` /* 215-byte string literal not displayed */
	DigestEndTime               pantherlog.Time           `` /* 229-byte string literal not displayed */
	DigestS3Bucket              pantherlog.String         `` /* 141-byte string literal not displayed */
	DigestS3Object              pantherlog.String         `` /* 149-byte string literal not displayed */
	NewestEventTime             pantherlog.Time           `` /* 147-byte string literal not displayed */
	OldestEventTime             pantherlog.Time           `` /* 143-byte string literal not displayed */
	PreviousDigestS3Bucket      pantherlog.String         `json:"previousDigestS3Bucket" description:"The Amazon S3 bucket to which the previous digest file was delivered."`
	PreviousDigestS3Object      pantherlog.String         `` /* 138-byte string literal not displayed */
	PreviousDigestHashValue     pantherlog.String         `` /* 154-byte string literal not displayed */
	PreviousDigestHashAlgorithm pantherlog.String         `` /* 127-byte string literal not displayed */
	PreviousDigestSignature     pantherlog.String         `json:"previousDigestSignature" description:"The hexadecimal encoded signature of the previous digest file."`
	DigestPublicKeyFingerprint  pantherlog.String         `` /* 181-byte string literal not displayed */
	DigestSignatureAlgorithm    pantherlog.String         `json:"digestSignatureAlgorithm" validate:"required" description:"The algorithm used to sign the digest file."`
	LogFiles                    []CloudTrailDigestLogFile `json:"logFiles" validate:"required,min=0" description:"Log files delivered in this digest"`
}

nolint:lll

type CloudTrailDigestLogFile added in v1.2.0

type CloudTrailDigestLogFile struct {
	S3Bucket        pantherlog.String `json:"s3Bucket" validate:"required" description:"The name of the Amazon S3 bucket for the log file."`
	S3Object        pantherlog.String `json:"s3Object" validate:"required" description:"The Amazon S3 object key of the current log file."`
	HashValue       pantherlog.String `` /* 140-byte string literal not displayed */
	HashAlgorithm   pantherlog.String `json:"hashAlgorithm" validate:"required" description:"The hash algorithm used to hash the log file."`
	NewestEventTime pantherlog.Time   `` /* 145-byte string literal not displayed */
	OldestEventTime pantherlog.Time   `` /* 140-byte string literal not displayed */
}

nolint:lll

type CloudTrailInsight added in v1.1.0

type CloudTrailInsight struct {
	EventVersion       pantherlog.String `json:"eventVersion" validate:"required" description:"The version of the log event format."`
	EventTime          pantherlog.Time   `` /* 162-byte string literal not displayed */
	AWSRegion          pantherlog.String `json:"awsRegion" validate:"required" description:"The AWS region that the request was made to, such as us-east-2."`
	EventID            pantherlog.String `` /* 259-byte string literal not displayed */
	EventType          pantherlog.String `` /* 227-byte string literal not displayed */
	RecipientAccountID pantherlog.String `` /* 293-byte string literal not displayed */
	SharedEventID      pantherlog.String `` /* 231-byte string literal not displayed */
	InsightDetails     *InsightDetails   `` /* 235-byte string literal not displayed */
	EventCategory      pantherlog.String `` /* 168-byte string literal not displayed */
}

Reference from https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html nolint:lll

type CloudTrailInsightParser added in v1.1.0

type CloudTrailInsightParser struct {
	pantherlog.ResultBuilder
}

func (*CloudTrailInsightParser) ParseLog added in v1.15.0

func (p *CloudTrailInsightParser) ParseLog(log string) ([]*pantherlog.Result, error)

Parse returns the parsed events or nil if parsing failed

type CloudTrailInsightRecords added in v1.1.0

type CloudTrailInsightRecords struct {
	Records []CloudTrailInsight `json:"Records" validate:"required,dive"`
}

nolint:lll

type CloudTrailResources

type CloudTrailResources struct {
	ARN       pantherlog.String `json:"arn" panther:"aws_arn"`
	AccountID pantherlog.String `json:"accountId" panther:"aws_account_id"`
	Type      pantherlog.String `json:"type"`
}

CloudTrailResources are the AWS resources used in the API call.

type CloudTrailSessionContext

type CloudTrailSessionContext struct {
	Attributes          *CloudTrailSessionContextAttributes          `json:"attributes"`
	SessionIssuer       *CloudTrailSessionContextSessionIssuer       `json:"sessionIssuer"`
	WebIDFederationData *CloudTrailSessionContextWebIDFederationData `json:"webIdFederationData"`
}

CloudTrailSessionContext provides information about a session created for temporary credentials.

type CloudTrailSessionContextAttributes

type CloudTrailSessionContextAttributes struct {
	MfaAuthenticated pantherlog.String `json:"mfaAuthenticated"`
	CreationDate     pantherlog.String `json:"creationDate"`
}

CloudTrailSessionContextAttributes contains the attributes of the Session context object

type CloudTrailSessionContextSessionIssuer

type CloudTrailSessionContextSessionIssuer struct {
	Type        pantherlog.String `json:"type"`
	PrincipalID pantherlog.String `json:"principalId"`
	Arn         pantherlog.String `json:"arn" panther:"aws_arn"`
	AccountID   pantherlog.String `json:"accountId" panther:"aws_account_id"`
	Username    pantherlog.String `json:"userName"`
}

CloudTrailSessionContextSessionIssuer contains information for the SessionContextSessionIssuer

type CloudTrailSessionContextWebIDFederationData

type CloudTrailSessionContextWebIDFederationData struct {
	FederatedProvider pantherlog.String     `json:"federatedProvider"`
	Attributes        pantherlog.RawMessage `json:"attributes"`
}

CloudTrailSessionContextWebIDFederationData contains Web ID federation data

func (*CloudTrailSessionContextWebIDFederationData) WriteValuesTo added in v1.13.0

type CloudTrailUserIdentity

type CloudTrailUserIdentity struct {
	Type             pantherlog.String         `json:"type"`
	PrincipalID      pantherlog.String         `json:"principalId"`
	ARN              pantherlog.String         `json:"arn" panther:"aws_arn"`
	AccountID        pantherlog.String         `json:"accountId" panther:"aws_account_id"`
	AccessKeyID      pantherlog.String         `json:"accessKeyId"`
	Username         pantherlog.String         `json:"userName"`
	SessionContext   *CloudTrailSessionContext `json:"sessionContext"`
	InvokedBy        pantherlog.String         `json:"invokedBy"`
	IdentityProvider pantherlog.String         `json:"identityProvider"`
}

CloudTrailUserIdentity contains details about the type of IAM identity that made the request.

type CloudWatchEvent added in v1.6.0

type CloudWatchEvent struct {
	ID         *string              `` /* 184-byte string literal not displayed */
	Account    *string              `json:"account" validate:"required" description:"The 12-digit number identifying an AWS account."`
	Source     *string              `` /* 315-byte string literal not displayed */
	Resources  []string             `` /* 419-byte string literal not displayed */
	Region     *string              `json:"region" validate:"required" description:"Identifies the AWS region where the event originated."`
	DetailType *string              `` /* 157-byte string literal not displayed */
	Version    *string              `json:"version" validate:"required" description:"By default, this is set to 0 (zero) in all events."`
	Time       *timestamp.RFC3339   `` /* 294-byte string literal not displayed */
	Detail     *jsoniter.RawMessage `` /* 298-byte string literal not displayed */

	// NOTE: added to end of struct to allow expansion later
	AWSPantherLog
}

nolint:lll

type CloudWatchEventParser added in v1.6.0

type CloudWatchEventParser struct{}

CloudWatchEventParser parses AWS Cloudwatch Events

func (*CloudWatchEventParser) LogType added in v1.6.0

func (p *CloudWatchEventParser) LogType() string

LogType returns the log type supported by this parser

func (*CloudWatchEventParser) New added in v1.6.0

func (*CloudWatchEventParser) Parse added in v1.6.0

func (p *CloudWatchEventParser) Parse(log string) ([]*parsers.PantherLog, error)

Parse returns the parsed events or nil if parsing failed

type DNSAnswer added in v1.15.0

type DNSAnswer struct {
	Rdata pantherlog.String `` /* 238-byte string literal not displayed */
	Type  pantherlog.String `` /* 157-byte string literal not displayed */
	Class pantherlog.String `json:"Class" validate:"required" description:"The class of the Resolver response to the query."`
}

nolint:lll

func (*DNSAnswer) WriteValuesTo added in v1.15.0

func (answer *DNSAnswer) WriteValuesTo(w pantherlog.ValueWriter)

type DNSSrcID added in v1.15.0

type DNSSrcID struct {
	InstanceID       pantherlog.String `json:"instance"  panther:"aws_instance_id" description:"The ID of the instance that the query originated from."`
	ResolverEndpoint pantherlog.String `json:"resolver-endpoint" description:"The ID of the resolver endpoint that passes the DNS query to on-premises DNS servers."`
}

nolint:lll

type GuardDuty

type GuardDuty struct {
	SchemaVersion *string              `json:"schemaVersion" validate:"required" description:"The schema format version of this record."`
	AccountID     *string              `` /* 165-byte string literal not displayed */
	Region        *string              `json:"region" validate:"required" description:"The AWS region in which the finding was generated."`
	Partition     *string              `json:"partition" validate:"required" description:"The AWS partition in which the finding was generated."`
	ID            *string              `json:"id,omitempty" validate:"required" description:"A unique identifier for the finding."`
	Arn           *string              `json:"arn" validate:"required" description:"A unique identifier formatted as an ARN for the finding."`
	Type          *string              `json:"type" validate:"required" description:"A concise yet readable description of the potential security issue."`
	Resource      *jsoniter.RawMessage `` /* 154-byte string literal not displayed */
	Severity      *float32             `` /* 128-byte string literal not displayed */
	CreatedAt     *timestamp.RFC3339   `json:"createdAt" validate:"required,min=0" description:"The initial creation time of the finding (UTC)."`
	UpdatedAt     *timestamp.RFC3339   `json:"updatedAt" validate:"required,min=0" description:"The last update time of the finding (UTC)."`
	Title         *string              `json:"title" validate:"required" description:"A short description of the finding."`
	Description   *string              `json:"description" validate:"required" description:"A long description of the finding."`
	Service       *GuardDutyService    `json:"service" validate:"required" description:"Additional information about the affected service."`

	// NOTE: added to end of struct to allow expansion later
	AWSPantherLog
}

nolint:lll

type GuardDutyParser

type GuardDutyParser struct{}

VPCFlowParser parses AWS VPC Flow Parser logs

func (*GuardDutyParser) LogType

func (p *GuardDutyParser) LogType() string

LogType returns the log type supported by this parser

func (*GuardDutyParser) New added in v0.3.0

func (*GuardDutyParser) Parse

func (p *GuardDutyParser) Parse(log string) ([]*parsers.PantherLog, error)

Parse returns the parsed events or nil if parsing failed

type GuardDutyService

type GuardDutyService struct {
	AdditionalInfo *jsoniter.RawMessage `json:"additionalInfo,omitempty"`
	Action         *jsoniter.RawMessage `json:"action,omitempty"`
	ServiceName    *string              `json:"serviceName" validate:"required"`
	DetectorID     *string              `json:"detectorId" validate:"required"`
	ResourceRole   *string              `json:"resourceRole,omitempty"`
	EventFirstSeen *timestamp.RFC3339   `json:"eventFirstSeen,omitempty"`
	EventLastSeen  *timestamp.RFC3339   `json:"eventLastSeen,omitempty"`
	Archived       *bool                `json:"archived,omitempty"`
	Count          *int                 `json:"count,omitempty"`
}

type InsightAverage added in v1.1.0

type InsightAverage struct {
	Average pantherlog.Float64 `json:"average,omitempty" description:"Average value for the insight metric"`
}

nolint:lll

type InsightContext added in v1.1.0

type InsightContext struct {
	Statistics *InsightStatistics `` /* 232-byte string literal not displayed */
}

nolint:lll

type InsightDetails added in v1.1.0

type InsightDetails struct {
	State          pantherlog.String `` /* 179-byte string literal not displayed */
	EventSource    pantherlog.String `json:"eventSource" validate:"required" description:"The AWS API for which unusual activity was detected."`
	EventName      pantherlog.String `json:"eventName" validate:"required" description:"The AWS API for which unusual activity was detected."`
	InsightType    pantherlog.String `json:"insightType" validate:"required" description:"The type of Insights event. Value is ApiCallRateInsight. "`
	InsightContext *InsightContext   `` /* 167-byte string literal not displayed */
}

nolint:lll

type InsightStatistics added in v1.1.0

type InsightStatistics struct {
	Baseline        *InsightAverage    `` /* 132-byte string literal not displayed */
	Insight         *InsightAverage    `` /* 127-byte string literal not displayed */
	InsightDuration pantherlog.Float32 `` /* 219-byte string literal not displayed */
}

nolint:lll

type S3ServerAccess

type S3ServerAccess struct {
	BucketOwner        *string            `` /* 196-byte string literal not displayed */
	Bucket             *string            `` /* 230-byte string literal not displayed */
	Time               *timestamp.RFC3339 `json:"time,omitempty" description:"The time at which the request was received (UTC)."`
	RemoteIP           *string            `` /* 190-byte string literal not displayed */
	Requester          *string            `` /* 329-byte string literal not displayed */
	RequestID          *string            `json:"requestid,omitempty" description:"A string generated by Amazon S3 to uniquely identify each request."`
	Operation          *string            `` /* 188-byte string literal not displayed */
	Key                *string            `` /* 132-byte string literal not displayed */
	RequestURI         *string            `json:"requesturi,omitempty" description:"The Request-URI part of the HTTP request message."`
	HTTPStatus         *int               `json:"httpstatus,omitempty" validate:"omitempty,max=600,min=100" description:"The numeric HTTP status code of the response."`
	ErrorCode          *string            `json:"errorcode,omitempty" description:"The Amazon S3 Error Code, or NULL if no error occurred."`
	BytesSent          *int               `` /* 126-byte string literal not displayed */
	ObjectSize         *int               `json:"objectsize,omitempty" description:"The total size of the object in question."`
	TotalTime          *int               `` /* 330-byte string literal not displayed */
	TurnAroundTime     *int               `` /* 254-byte string literal not displayed */
	Referrer           *string            `` /* 223-byte string literal not displayed */
	UserAgent          *string            `json:"useragent,omitempty" description:"The value of the HTTP User-Agent header."`
	VersionID          *string            `` /* 133-byte string literal not displayed */
	HostID             *string            `json:"hostid,omitempty" description:"The x-amz-id-2 or Amazon S3 extended request ID."`
	SignatureVersion   *string            `` /* 166-byte string literal not displayed */
	CipherSuite        *string            `` /* 136-byte string literal not displayed */
	AuthenticationType *string            `` /* 213-byte string literal not displayed */
	HostHeader         *string            `json:"hostheader,omitempty" description:"The endpoint used to connect to Amazon S3."`
	TLSVersion         *string            `` /* 194-byte string literal not displayed */
	AdditionalFields   []string           `json:"additionalFields,omitempty" description:"The remaining columns in the record as an array."`

	// NOTE: added to end of struct to allow expansion later
	AWSPantherLog
}

nolint:lll

type S3ServerAccessParser

type S3ServerAccessParser struct {
	CSVReader *csvstream.StreamingCSVReader
}

S3ServerAccessParser parses AWS S3 Server Access logs

func (*S3ServerAccessParser) LogType

func (p *S3ServerAccessParser) LogType() string

LogType returns the log type supported by this parser

func (*S3ServerAccessParser) New added in v0.3.0

func (*S3ServerAccessParser) Parse

func (p *S3ServerAccessParser) Parse(log string) ([]*parsers.PantherLog, error)

Parse returns the parsed events or nil if parsing failed

type VPCDns added in v1.15.0

type VPCDns struct {
	Version        pantherlog.String `` /* 189-byte string literal not displayed */
	AccountID      pantherlog.String `json:"account_id" validate:"required" panther:"aws_account_id" description:"The ID of the AWS account that created the VPC."`
	Region         pantherlog.String `json:"region" validate:"required" description:"The AWS Region that you created the VPC in."`
	VPCID          pantherlog.String `json:"vpc_id" validate:"required" description:"The ID of the VPC that the query originated in."`
	QueryTimestamp pantherlog.Time   `` /* 195-byte string literal not displayed */
	QueryName      pantherlog.String `` /* 150-byte string literal not displayed */
	QueryType      pantherlog.String `` /* 177-byte string literal not displayed */
	QueryClass     pantherlog.String `json:"query_class" validate:"required" description:"The class of the query."`
	Rcode          pantherlog.String `` /* 422-byte string literal not displayed */
	Answers        []DNSAnswer       `json:"answers" validate:"required" description:"Answers to the query"`
	SrcAddr        pantherlog.String `json:"srcaddr" validate:"required" panther:"ip" description:"The IP address of the instance that the query originated from."`
	SrcPort        pantherlog.String `json:"srcport" validate:"required"  description:"The port on the instance that the query originated from."`
	Transport      pantherlog.String `json:"transport" validate:"required"  description:"The protocol used to submit the DNS query."`
	SrcIDs         DNSSrcID          `` /* 128-byte string literal not displayed */
}

nolint:lll

func (*VPCDns) WriteValuesTo added in v1.15.0

func (vpcdns *VPCDns) WriteValuesTo(w pantherlog.ValueWriter)

type VPCFlow

type VPCFlow struct {
	Version     *int               `` /* 165-byte string literal not displayed */
	AccountID   *string            `json:"account,omitempty" validate:"omitempty,len=12,numeric" description:"The AWS account ID for the flow log."`
	InterfaceID *string            `json:"interfaceId,omitempty" description:"The ID of the network interface for which the traffic is recorded."`
	SrcAddr     *string            `` /* 258-byte string literal not displayed */
	DstAddr     *string            `` /* 262-byte string literal not displayed */
	SrcPort     *int               `json:"srcPort,omitempty" validate:"omitempty,min=0,max=65535" description:"The source port of the traffic."`
	DstPort     *int               `json:"dstPort,omitempty" validate:"omitempty,min=0,max=65535" description:"The destination port of the traffic."`
	Protocol    *int               `json:"protocol,omitempty" description:"The IANA protocol number of the traffic."`
	Packets     *int               `json:"packets,omitempty" description:"The number of packets transferred during the flow."`
	Bytes       *int               `json:"bytes,omitempty" description:"The number of bytes transferred during the flow."`
	Start       *timestamp.RFC3339 `json:"start,omitempty" validate:"required" description:"The time of the start of the flow (UTC)."`
	End         *timestamp.RFC3339 `json:"end,omitempty" validate:"required" description:"The time of the end of the flow (UTC)."`
	Action      *string            `` /* 296-byte string literal not displayed */
	LogStatus   *string            `` /* 413-byte string literal not displayed */

	// extended custom fields
	VpcID         *string `json:"vpcId,omitempty" description:"The ID of the VPC that contains the network interface for which the traffic is recorded."`
	SubNetID      *string `` /* 131-byte string literal not displayed */
	InstanceID    *string `` /* 291-byte string literal not displayed */
	TCPFlags      *int    `` /* 379-byte string literal not displayed */
	Type          *string `json:"trafficType,omitempty" description:"The type of traffic: IPv4, IPv6, or EFA."`
	PacketSrcAddr *string `` /* 518-byte string literal not displayed */
	PacketDstAddr *string `` /* 526-byte string literal not displayed */

	// NOTE: added to end of struct to allow expansion later
	AWSPantherLog
}

nolint:lll

type VPCFlowParser

type VPCFlowParser struct {
	CSVReader *csvstream.StreamingCSVReader
	// contains filtered or unexported fields
}

VPCFlowParser parses AWS VPC Flow Parser logs

func (*VPCFlowParser) LogType

func (p *VPCFlowParser) LogType() string

LogType returns the log type supported by this parser

func (*VPCFlowParser) New added in v0.3.0

func (p *VPCFlowParser) New() parsers.LogParser

func (*VPCFlowParser) Parse

func (p *VPCFlowParser) Parse(log string) ([]*parsers.PantherLog, error)

Parse returns the parsed events or nil if parsing failed

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL