Package awslogs defines parsers and log types for AWS logs.
Constants ¶
const ( TypeALB = "AWS.ALB" TypeAuroraMySQLAudit = `AWS.AuroraMySQLAudit` TypeCloudTrail = `AWS.CloudTrail` TypeCloudTrailDigest = "AWS.CloudTrailDigest" TypeCloudTrailInsight = "AWS.CloudTrailInsight" TypeCloudWatchEvents = "AWS.CloudWatchEvents" TypeGuardDuty = "AWS.GuardDuty" TypeS3ServerAccess = "AWS.S3ServerAccess" TypeVPCDns = "AWS.VPCDns" TypeVPCFlow = "AWS.VPCFlow" )
Types ¶
type ALB ¶
type ALB struct { Type *string `json:"type,omitempty" validate:"oneof=http https h2 ws wss" description:"The type of request or connection."` Timestamp *timestamp.RFC3339 `` /* 198-byte string literal not displayed */ ELB *string `` /* 168-byte string literal not displayed */ ClientIP *string `json:"clientIp,omitempty" description:"The IP address of the requesting client."` ClientPort *int `json:"clientPort,omitempty" description:"The port of the requesting client."` TargetIP *string `json:"targetIp,omitempty" description:"The IP address of the target that processed this request."` TargetPort *int `json:"targetPort,omitempty" description:"The port of the target that processed this request."` RequestProcessingTime *float64 `` /* 513-byte string literal not displayed */ TargetProcessingTime *float64 `` /* 536-byte string literal not displayed */ ResponseProcessingTime *float64 `` /* 579-byte string literal not displayed */ ELBStatusCode *int `` /* 127-byte string literal not displayed */ TargetStatusCode *int `` /* 202-byte string literal not displayed */ ReceivedBytes *int `` /* 257-byte string literal not displayed */ SentBytes *int `` /* 232-byte string literal not displayed */ RequestHTTPMethod *string `json:"requestHttpMethod,omitempty" description:"The HTTP method parsed from the request."` RequestURL *string `json:"requestUrl,omitempty" description:"The HTTP URL parsed from the request."` RequestHTTPVersion *string `json:"requestHttpVersion,omitempty" description:"The HTTP version parsed from the request."` UserAgent *string `` /* 243-byte string literal not displayed */ SSLCipher *string `` /* 141-byte string literal not displayed */ SSLProtocol *string `` /* 145-byte string literal not displayed */ TargetGroupARN *string `json:"targetGroupArn,omitempty" description:"The Amazon Resource Name (ARN) of the target group."` TraceID *string `json:"traceId,omitempty" description:"The contents of the X-Amzn-Trace-Id header."` DomainName *string `` /* 280-byte string 
literal not displayed */ ChosenCertARN *string `` /* 243-byte string literal not displayed */ MatchedRulePriority *int `` /* 338-byte string literal not displayed */ RequestCreationTime *timestamp.RFC3339 `json:"requestCreationTime,omitempty" description:"The time when the load balancer received the request from the client."` ActionsExecuted []string `` /* 270-byte string literal not displayed */ RedirectURL *string `` /* 181-byte string literal not displayed */ ErrorReason *string `` /* 278-byte string literal not displayed */ // NOTE: added to end of struct to allow expansion later AWSPantherLog }
nolint:lll
type ALBParser ¶
type ALBParser struct {
CSVReader *csvstream.StreamingCSVReader
}
ALBParser parses AWS Application Load Balancer access logs.
type AWSExtractor ¶ added in v0.2.0
type AWSExtractor struct {
// contains filtered or unexported fields
}
AWSExtractor extracts useful AWS features (account IDs, instance IDs, ARNs, tags) that can be detected generically from a log's JSON, using the surrounding key as context.
func NewAWSExtractor ¶ added in v0.2.0
func NewAWSExtractor(pl *AWSPantherLog) *AWSExtractor
func (*AWSExtractor) Extract ¶ added in v0.2.0
func (e *AWSExtractor) Extract(key, value gjson.Result)
type AWSPantherLog ¶ added in v0.2.0
type AWSPantherLog struct { parsers.PantherLog PantherAnyAWSAccountIds parsers.PantherAnyString `` /* 131-byte string literal not displayed */ PantherAnyAWSInstanceIds parsers.PantherAnyString `` /* 133-byte string literal not displayed */ PantherAnyAWSARNs parsers.PantherAnyString `json:"p_any_aws_arns,omitempty" description:"Panther added field with collection of aws arns associated with the row"` PantherAnyAWSTags parsers.PantherAnyString `json:"p_any_aws_tags,omitempty" description:"Panther added field with collection of aws tags associated with the row"` }
nolint(lll)
func (*AWSPantherLog) AppendAnyAWSARNPtrs ¶ added in v0.2.0
func (pl *AWSPantherLog) AppendAnyAWSARNPtrs(values ...*string)
func (*AWSPantherLog) AppendAnyAWSARNs ¶ added in v0.2.0
func (pl *AWSPantherLog) AppendAnyAWSARNs(values ...string)
func (*AWSPantherLog) AppendAnyAWSAccountIdPtrs ¶ added in v0.2.0
func (pl *AWSPantherLog) AppendAnyAWSAccountIdPtrs(values ...*string)
func (*AWSPantherLog) AppendAnyAWSAccountIds ¶ added in v0.2.0
func (pl *AWSPantherLog) AppendAnyAWSAccountIds(values ...string)
func (*AWSPantherLog) AppendAnyAWSInstanceIdPtrs ¶ added in v0.2.0
func (pl *AWSPantherLog) AppendAnyAWSInstanceIdPtrs(values ...*string)
func (*AWSPantherLog) AppendAnyAWSInstanceIds ¶ added in v0.2.0
func (pl *AWSPantherLog) AppendAnyAWSInstanceIds(values ...string)
func (*AWSPantherLog) AppendAnyAWSTagPtrs ¶ added in v0.2.0
func (pl *AWSPantherLog) AppendAnyAWSTagPtrs(values ...*string)
func (*AWSPantherLog) AppendAnyAWSTags ¶ added in v0.2.0
func (pl *AWSPantherLog) AppendAnyAWSTags(values ...string)
NOTE: each value should be of the form <key>:<value>.
type AuroraMySQLAudit ¶
type AuroraMySQLAudit struct { Timestamp *timestamp.RFC3339 `json:"timestamp,omitempty" description:"The timestamp for the logged event with microsecond precision (UTC)."` ServerHost *string `json:"serverHost,omitempty" description:"The name of the instance that the event is logged for."` Username *string `json:"username,omitempty" description:"The connected user name of the user."` Host *string `json:"host,omitempty" description:"The host that the user connected from."` ConnectionID *int `json:"connectionId,omitempty" description:"The connection ID number for the logged operation."` QueryID *int `` /* 182-byte string literal not displayed */ Operation *string `` /* 216-byte string literal not displayed */ Database *string `json:"database,omitempty" description:"The active database, as set by the USE command."` Object *string `` /* 143-byte string literal not displayed */ RetCode *int `json:"retCode,omitempty" description:"The return code of the logged operation."` // NOTE: added to end of struct to allow expansion later AWSPantherLog }
nolint:lll
type AuroraMySQLAuditParser ¶
type AuroraMySQLAuditParser struct {
CSVReader *csvstream.StreamingCSVReader
}
AuroraMySQLAuditParser parses AWS Aurora MySQL audit logs.
func (*AuroraMySQLAuditParser) LogType ¶
func (p *AuroraMySQLAuditParser) LogType() string
LogType returns the log type supported by this parser
func (*AuroraMySQLAuditParser) New ¶ added in v0.3.0
func (p *AuroraMySQLAuditParser) New() parsers.LogParser
func (*AuroraMySQLAuditParser) Parse ¶
func (p *AuroraMySQLAuditParser) Parse(log string) ([]*parsers.PantherLog, error)
Parse returns the parsed events or nil if parsing failed
type CloudTrail ¶
type CloudTrail struct { AdditionalEventData pantherlog.RawMessage `json:"additionalEventData" description:"Additional data about the event that was not part of the request or response."` APIVersion pantherlog.String `json:"apiVersion" description:"Identifies the API version associated with the AwsApiCall eventType value."` AWSRegion pantherlog.String `json:"awsRegion" validate:"required" description:"The AWS region that the request was made to, such as us-east-2."` ErrorCode pantherlog.String `json:"errorCode" description:"The AWS service error if the request returns an error."` ErrorMessage pantherlog.String `` /* 236-byte string literal not displayed */ EventID pantherlog.String `` /* 259-byte string literal not displayed */ EventName pantherlog.String `` /* 129-byte string literal not displayed */ EventSource pantherlog.String `` /* 186-byte string literal not displayed */ EventTime pantherlog.Time `` /* 162-byte string literal not displayed */ EventType pantherlog.String `` /* 203-byte string literal not displayed */ EventVersion pantherlog.String `json:"eventVersion" validate:"required" description:"The version of the log event format."` ManagementEvent pantherlog.Bool `` /* 297-byte string literal not displayed */ ReadOnly pantherlog.Bool `json:"readOnly" description:"Identifies whether this operation is a read-only operation."` RecipientAccountID pantherlog.String `` /* 293-byte string literal not displayed */ RequestID pantherlog.String `json:"requestID" description:"The value that identifies the request. 
The service being called generates this value."` RequestParameters pantherlog.RawMessage `` /* 195-byte string literal not displayed */ Resources []CloudTrailResources `json:"resources" description:"A list of resources accessed in the event."` ResponseElements pantherlog.RawMessage `` /* 331-byte string literal not displayed */ ServiceEventDetails pantherlog.RawMessage `json:"serviceEventDetails" description:"Identifies the service event, including what triggered the event and the result."` SourceIPAddress pantherlog.String `` /* 318-byte string literal not displayed */ UserAgent pantherlog.String `` /* 157-byte string literal not displayed */ UserIdentity *CloudTrailUserIdentity `json:"userIdentity" validate:"required" description:"Information about the user that made a request."` VPCEndpointID pantherlog.String `` /* 144-byte string literal not displayed */ }
CloudTrail is a record from the Records[*] JSON of an AWS CloudTrail API log. nolint:lll
func (*CloudTrail) WriteValuesTo ¶ added in v1.13.0
func (event *CloudTrail) WriteValuesTo(w pantherlog.ValueWriter)
type CloudTrailDigest ¶ added in v1.2.0
type CloudTrailDigest struct { AWSAccountID pantherlog.String `` /* 143-byte string literal not displayed */ DigestStartTime pantherlog.Time `` /* 215-byte string literal not displayed */ DigestEndTime pantherlog.Time `` /* 229-byte string literal not displayed */ DigestS3Bucket pantherlog.String `` /* 141-byte string literal not displayed */ DigestS3Object pantherlog.String `` /* 149-byte string literal not displayed */ NewestEventTime pantherlog.Time `` /* 147-byte string literal not displayed */ OldestEventTime pantherlog.Time `` /* 143-byte string literal not displayed */ PreviousDigestS3Bucket pantherlog.String `json:"previousDigestS3Bucket" description:"The Amazon S3 bucket to which the previous digest file was delivered."` PreviousDigestS3Object pantherlog.String `` /* 138-byte string literal not displayed */ PreviousDigestHashValue pantherlog.String `` /* 154-byte string literal not displayed */ PreviousDigestHashAlgorithm pantherlog.String `` /* 127-byte string literal not displayed */ PreviousDigestSignature pantherlog.String `json:"previousDigestSignature" description:"The hexadecimal encoded signature of the previous digest file."` DigestPublicKeyFingerprint pantherlog.String `` /* 181-byte string literal not displayed */ DigestSignatureAlgorithm pantherlog.String `json:"digestSignatureAlgorithm" validate:"required" description:"The algorithm used to sign the digest file."` LogFiles []CloudTrailDigestLogFile `json:"logFiles" validate:"required,min=0" description:"Log files delivered in this digest"` }
nolint:lll
type CloudTrailDigestLogFile ¶ added in v1.2.0
type CloudTrailDigestLogFile struct { S3Bucket pantherlog.String `json:"s3Bucket" validate:"required" description:"The name of the Amazon S3 bucket for the log file."` S3Object pantherlog.String `json:"s3Object" validate:"required" description:"The Amazon S3 object key of the current log file."` HashValue pantherlog.String `` /* 140-byte string literal not displayed */ HashAlgorithm pantherlog.String `json:"hashAlgorithm" validate:"required" description:"The hash algorithm used to hash the log file."` NewestEventTime pantherlog.Time `` /* 145-byte string literal not displayed */ OldestEventTime pantherlog.Time `` /* 140-byte string literal not displayed */ }
nolint:lll
type CloudTrailInsight ¶ added in v1.1.0
type CloudTrailInsight struct { EventVersion pantherlog.String `json:"eventVersion" validate:"required" description:"The version of the log event format."` EventTime pantherlog.Time `` /* 162-byte string literal not displayed */ AWSRegion pantherlog.String `json:"awsRegion" validate:"required" description:"The AWS region that the request was made to, such as us-east-2."` EventID pantherlog.String `` /* 259-byte string literal not displayed */ EventType pantherlog.String `` /* 227-byte string literal not displayed */ RecipientAccountID pantherlog.String `` /* 293-byte string literal not displayed */ InsightDetails *InsightDetails `` /* 235-byte string literal not displayed */ EventCategory pantherlog.String `` /* 168-byte string literal not displayed */ }
Reference from https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html nolint:lll
type CloudTrailInsightParser ¶ added in v1.1.0
type CloudTrailInsightParser struct {
pantherlog.ResultBuilder
}
func (*CloudTrailInsightParser) ParseLog ¶ added in v1.15.0
func (p *CloudTrailInsightParser) ParseLog(log string) ([]*pantherlog.Result, error)
ParseLog returns the parsed events, or nil if parsing failed.
type CloudTrailInsightRecords ¶ added in v1.1.0
type CloudTrailInsightRecords struct {
Records []CloudTrailInsight `json:"Records" validate:"required,dive"`
}
nolint:lll
type CloudTrailResources ¶
type CloudTrailResources struct { ARN pantherlog.String `json:"arn" panther:"aws_arn"` AccountID pantherlog.String `json:"accountId" panther:"aws_account_id"` Type pantherlog.String `json:"type"` }
CloudTrailResources are the AWS resources used in the API call.
type CloudTrailSessionContext ¶
type CloudTrailSessionContext struct { Attributes *CloudTrailSessionContextAttributes `json:"attributes"` SessionIssuer *CloudTrailSessionContextSessionIssuer `json:"sessionIssuer"` WebIDFederationData *CloudTrailSessionContextWebIDFederationData `json:"webIdFederationData"` }
CloudTrailSessionContext provides information about a session created for temporary credentials.
type CloudTrailSessionContextAttributes ¶
type CloudTrailSessionContextAttributes struct { MfaAuthenticated pantherlog.String `json:"mfaAuthenticated"` CreationDate pantherlog.String `json:"creationDate"` }
CloudTrailSessionContextAttributes contains the attributes of the session context object.
type CloudTrailSessionContextSessionIssuer ¶
type CloudTrailSessionContextSessionIssuer struct { Type pantherlog.String `json:"type"` PrincipalID pantherlog.String `json:"principalId"` Arn pantherlog.String `json:"arn" panther:"aws_arn"` AccountID pantherlog.String `json:"accountId" panther:"aws_account_id"` Username pantherlog.String `json:"userName"` }
CloudTrailSessionContextSessionIssuer contains information about the entity that issued the session (the sessionIssuer object of the session context).
type CloudTrailSessionContextWebIDFederationData ¶
type CloudTrailSessionContextWebIDFederationData struct { FederatedProvider pantherlog.String `json:"federatedProvider"` Attributes pantherlog.RawMessage `json:"attributes"` }
CloudTrailSessionContextWebIDFederationData contains web identity federation data for the session.
func (*CloudTrailSessionContextWebIDFederationData) WriteValuesTo ¶ added in v1.13.0
func (d *CloudTrailSessionContextWebIDFederationData) WriteValuesTo(w pantherlog.ValueWriter)
type CloudTrailUserIdentity ¶
type CloudTrailUserIdentity struct { Type pantherlog.String `json:"type"` PrincipalID pantherlog.String `json:"principalId"` ARN pantherlog.String `json:"arn" panther:"aws_arn"` AccountID pantherlog.String `json:"accountId" panther:"aws_account_id"` AccessKeyID pantherlog.String `json:"accessKeyId"` Username pantherlog.String `json:"userName"` SessionContext *CloudTrailSessionContext `json:"sessionContext"` InvokedBy pantherlog.String `json:"invokedBy"` IdentityProvider pantherlog.String `json:"identityProvider"` }
CloudTrailUserIdentity contains details about the type of IAM identity that made the request.
type CloudWatchEvent ¶ added in v1.6.0
type CloudWatchEvent struct { ID *string `` /* 184-byte string literal not displayed */ Account *string `json:"account" validate:"required" description:"The 12-digit number identifying an AWS account."` Source *string `` /* 315-byte string literal not displayed */ Resources []string `` /* 419-byte string literal not displayed */ Region *string `json:"region" validate:"required" description:"Identifies the AWS region where the event originated."` DetailType *string `` /* 157-byte string literal not displayed */ Version *string `json:"version" validate:"required" description:"By default, this is set to 0 (zero) in all events."` Time *timestamp.RFC3339 `` /* 294-byte string literal not displayed */ Detail *jsoniter.RawMessage `` /* 298-byte string literal not displayed */ // NOTE: added to end of struct to allow expansion later AWSPantherLog }
nolint:lll
type CloudWatchEventParser ¶ added in v1.6.0
type CloudWatchEventParser struct{}
CloudWatchEventParser parses AWS CloudWatch Events.
func (*CloudWatchEventParser) LogType ¶ added in v1.6.0
func (p *CloudWatchEventParser) LogType() string
LogType returns the log type supported by this parser
func (*CloudWatchEventParser) New ¶ added in v1.6.0
func (p *CloudWatchEventParser) New() parsers.LogParser
func (*CloudWatchEventParser) Parse ¶ added in v1.6.0
func (p *CloudWatchEventParser) Parse(log string) ([]*parsers.PantherLog, error)
Parse returns the parsed events or nil if parsing failed
type DNSAnswer ¶ added in v1.15.0
type DNSAnswer struct { Rdata pantherlog.String `` /* 238-byte string literal not displayed */ Type pantherlog.String `` /* 157-byte string literal not displayed */ Class pantherlog.String `json:"Class" validate:"required" description:"The class of the Resolver response to the query."` }
nolint:lll
func (*DNSAnswer) WriteValuesTo ¶ added in v1.15.0
func (answer *DNSAnswer) WriteValuesTo(w pantherlog.ValueWriter)
type DNSSrcID ¶ added in v1.15.0
type DNSSrcID struct { InstanceID pantherlog.String `json:"instance" panther:"aws_instance_id" description:"The ID of the instance that the query originated from."` ResolverEndpoint pantherlog.String `json:"resolver-endpoint" description:"The ID of the resolver endpoint that passes the DNS query to on-premises DNS servers."` }
nolint:lll
type GuardDuty ¶
type GuardDuty struct { SchemaVersion *string `json:"schemaVersion" validate:"required" description:"The schema format version of this record."` AccountID *string `` /* 165-byte string literal not displayed */ Region *string `json:"region" validate:"required" description:"The AWS region in which the finding was generated."` Partition *string `json:"partition" validate:"required" description:"The AWS partition in which the finding was generated."` ID *string `json:"id,omitempty" validate:"required" description:"A unique identifier for the finding."` Arn *string `json:"arn" validate:"required" description:"A unique identifier formatted as an ARN for the finding."` Type *string `json:"type" validate:"required" description:"A concise yet readable description of the potential security issue."` Resource *jsoniter.RawMessage `` /* 154-byte string literal not displayed */ Severity *float32 `` /* 128-byte string literal not displayed */ CreatedAt *timestamp.RFC3339 `json:"createdAt" validate:"required,min=0" description:"The initial creation time of the finding (UTC)."` UpdatedAt *timestamp.RFC3339 `json:"updatedAt" validate:"required,min=0" description:"The last update time of the finding (UTC)."` Title *string `json:"title" validate:"required" description:"A short description of the finding."` Description *string `json:"description" validate:"required" description:"A long description of the finding."` Service *GuardDutyService `json:"service" validate:"required" description:"Additional information about the affected service."` // NOTE: added to end of struct to allow expansion later AWSPantherLog }
nolint:lll
type GuardDutyParser ¶
type GuardDutyParser struct{}
GuardDutyParser parses AWS GuardDuty finding logs.
func (*GuardDutyParser) LogType ¶
func (p *GuardDutyParser) LogType() string
LogType returns the log type supported by this parser
func (*GuardDutyParser) New ¶ added in v0.3.0
func (p *GuardDutyParser) New() parsers.LogParser
func (*GuardDutyParser) Parse ¶
func (p *GuardDutyParser) Parse(log string) ([]*parsers.PantherLog, error)
Parse returns the parsed events or nil if parsing failed
type GuardDutyService ¶
type GuardDutyService struct { AdditionalInfo *jsoniter.RawMessage `json:"additionalInfo,omitempty"` Action *jsoniter.RawMessage `json:"action,omitempty"` ServiceName *string `json:"serviceName" validate:"required"` DetectorID *string `json:"detectorId" validate:"required"` ResourceRole *string `json:"resourceRole,omitempty"` EventFirstSeen *timestamp.RFC3339 `json:"eventFirstSeen,omitempty"` EventLastSeen *timestamp.RFC3339 `json:"eventLastSeen,omitempty"` Archived *bool `json:"archived,omitempty"` Count *int `json:"count,omitempty"` }
type InsightAverage ¶ added in v1.1.0
type InsightAverage struct {
Average pantherlog.Float64 `json:"average,omitempty" description:"Average value for the insight metric"`
}
nolint:lll
type InsightContext ¶ added in v1.1.0
type InsightContext struct {
Statistics *InsightStatistics `` /* 232-byte string literal not displayed */
}
nolint:lll
type InsightDetails ¶ added in v1.1.0
type InsightDetails struct { State pantherlog.String `` /* 179-byte string literal not displayed */ EventSource pantherlog.String `json:"eventSource" validate:"required" description:"The AWS API for which unusual activity was detected."` EventName pantherlog.String `json:"eventName" validate:"required" description:"The AWS API for which unusual activity was detected."` InsightType pantherlog.String `json:"insightType" validate:"required" description:"The type of Insights event. Value is ApiCallRateInsight. "` InsightContext *InsightContext `` /* 167-byte string literal not displayed */ }
nolint:lll
type InsightStatistics ¶ added in v1.1.0
type InsightStatistics struct { Baseline *InsightAverage `` /* 132-byte string literal not displayed */ Insight *InsightAverage `` /* 127-byte string literal not displayed */ InsightDuration pantherlog.Float32 `` /* 219-byte string literal not displayed */ }
nolint:lll
type S3ServerAccess ¶
type S3ServerAccess struct { BucketOwner *string `` /* 196-byte string literal not displayed */ Bucket *string `` /* 230-byte string literal not displayed */ Time *timestamp.RFC3339 `json:"time,omitempty" description:"The time at which the request was received (UTC)."` RemoteIP *string `` /* 190-byte string literal not displayed */ Requester *string `` /* 329-byte string literal not displayed */ RequestID *string `json:"requestid,omitempty" description:"A string generated by Amazon S3 to uniquely identify each request."` Operation *string `` /* 188-byte string literal not displayed */ Key *string `` /* 132-byte string literal not displayed */ RequestURI *string `json:"requesturi,omitempty" description:"The Request-URI part of the HTTP request message."` HTTPStatus *int `json:"httpstatus,omitempty" validate:"omitempty,max=600,min=100" description:"The numeric HTTP status code of the response."` ErrorCode *string `json:"errorcode,omitempty" description:"The Amazon S3 Error Code, or NULL if no error occurred."` BytesSent *int `` /* 126-byte string literal not displayed */ ObjectSize *int `json:"objectsize,omitempty" description:"The total size of the object in question."` TotalTime *int `` /* 330-byte string literal not displayed */ TurnAroundTime *int `` /* 254-byte string literal not displayed */ Referrer *string `` /* 223-byte string literal not displayed */ UserAgent *string `json:"useragent,omitempty" description:"The value of the HTTP User-Agent header."` VersionID *string `` /* 133-byte string literal not displayed */ HostID *string `json:"hostid,omitempty" description:"The x-amz-id-2 or Amazon S3 extended request ID."` SignatureVersion *string `` /* 166-byte string literal not displayed */ CipherSuite *string `` /* 136-byte string literal not displayed */ AuthenticationType *string `` /* 213-byte string literal not displayed */ HostHeader *string `json:"hostheader,omitempty" description:"The endpoint used to connect to Amazon S3."` TLSVersion *string `` /* 
194-byte string literal not displayed */ AdditionalFields []string `json:"additionalFields,omitempty" description:"The remaining columns in the record as an array."` // NOTE: added to end of struct to allow expansion later AWSPantherLog }
nolint:lll
type S3ServerAccessParser ¶
type S3ServerAccessParser struct {
CSVReader *csvstream.StreamingCSVReader
}
S3ServerAccessParser parses AWS S3 server access logs.
func (*S3ServerAccessParser) LogType ¶
func (p *S3ServerAccessParser) LogType() string
LogType returns the log type supported by this parser
func (*S3ServerAccessParser) New ¶ added in v0.3.0
func (p *S3ServerAccessParser) New() parsers.LogParser
func (*S3ServerAccessParser) Parse ¶
func (p *S3ServerAccessParser) Parse(log string) ([]*parsers.PantherLog, error)
Parse returns the parsed events or nil if parsing failed
type VPCDns ¶ added in v1.15.0
type VPCDns struct { Version pantherlog.String `` /* 189-byte string literal not displayed */ AccountID pantherlog.String `json:"account_id" validate:"required" panther:"aws_account_id" description:"The ID of the AWS account that created the VPC."` Region pantherlog.String `json:"region" validate:"required" description:"The AWS Region that you created the VPC in."` VPCID pantherlog.String `json:"vpc_id" validate:"required" description:"The ID of the VPC that the query originated in."` QueryTimestamp pantherlog.Time `` /* 195-byte string literal not displayed */ QueryName pantherlog.String `` /* 150-byte string literal not displayed */ QueryType pantherlog.String `` /* 177-byte string literal not displayed */ QueryClass pantherlog.String `json:"query_class" validate:"required" description:"The class of the query."` Rcode pantherlog.String `` /* 422-byte string literal not displayed */ Answers []DNSAnswer `json:"answers" validate:"required" description:"Answers to the query"` SrcAddr pantherlog.String `json:"srcaddr" validate:"required" panther:"ip" description:"The IP address of the instance that the query originated from."` SrcPort pantherlog.String `json:"srcport" validate:"required" description:"The port on the instance that the query originated from."` Transport pantherlog.String `json:"transport" validate:"required" description:"The protocol used to submit the DNS query."` SrcIDs DNSSrcID `` /* 128-byte string literal not displayed */ }
nolint:lll
func (*VPCDns) WriteValuesTo ¶ added in v1.15.0
func (vpcdns *VPCDns) WriteValuesTo(w pantherlog.ValueWriter)
type VPCFlow ¶
type VPCFlow struct { Version *int `` /* 165-byte string literal not displayed */ AccountID *string `json:"account,omitempty" validate:"omitempty,len=12,numeric" description:"The AWS account ID for the flow log."` InterfaceID *string `json:"interfaceId,omitempty" description:"The ID of the network interface for which the traffic is recorded."` SrcAddr *string `` /* 258-byte string literal not displayed */ DstAddr *string `` /* 262-byte string literal not displayed */ SrcPort *int `json:"srcPort,omitempty" validate:"omitempty,min=0,max=65535" description:"The source port of the traffic."` DstPort *int `json:"dstPort,omitempty" validate:"omitempty,min=0,max=65535" description:"The destination port of the traffic."` Protocol *int `json:"protocol,omitempty" description:"The IANA protocol number of the traffic."` Packets *int `json:"packets,omitempty" description:"The number of packets transferred during the flow."` Bytes *int `json:"bytes,omitempty" description:"The number of bytes transferred during the flow."` Start *timestamp.RFC3339 `json:"start,omitempty" validate:"required" description:"The time of the start of the flow (UTC)."` End *timestamp.RFC3339 `json:"end,omitempty" validate:"required" description:"The time of the end of the flow (UTC)."` Action *string `` /* 296-byte string literal not displayed */ LogStatus *string `` /* 413-byte string literal not displayed */ // extended custom fields VpcID *string `json:"vpcId,omitempty" description:"The ID of the VPC that contains the network interface for which the traffic is recorded."` SubNetID *string `` /* 131-byte string literal not displayed */ InstanceID *string `` /* 291-byte string literal not displayed */ TCPFlags *int `` /* 379-byte string literal not displayed */ Type *string `json:"trafficType,omitempty" description:"The type of traffic: IPv4, IPv6, or EFA."` PacketSrcAddr *string `` /* 518-byte string literal not displayed */ PacketDstAddr *string `` /* 526-byte string literal not displayed */ // NOTE: 
added to end of struct to allow expansion later AWSPantherLog }
nolint:lll
type VPCFlowParser ¶
type VPCFlowParser struct { CSVReader *csvstream.StreamingCSVReader // contains filtered or unexported fields }
VPCFlowParser parses AWS VPC Flow logs.
func (*VPCFlowParser) LogType ¶
func (p *VPCFlowParser) LogType() string
LogType returns the log type supported by this parser
func (*VPCFlowParser) New ¶ added in v0.3.0
func (p *VPCFlowParser) New() parsers.LogParser
func (*VPCFlowParser) Parse ¶
func (p *VPCFlowParser) Parse(log string) ([]*parsers.PantherLog, error)
Parse returns the parsed events or nil if parsing failed