awslogs

package
Published: Jul 30, 2020 License: AGPL-3.0 Imports: 15 Imported by: 0

Documentation

Overview

Package awslogs defines parsers and log types for AWS logs: ALB access logs, Aurora MySQL audit logs, CloudTrail (records, digests and Insights events), CloudWatch Events, GuardDuty findings, S3 server access logs and VPC Flow Logs.

Index

Constants

// Log type identifiers for every AWS log format this package can parse.
// These strings label parsed events (each parser's LogType() presumably
// returns one of them), so they are effectively part of the persisted schema
// and of any detection that filters on log type; do not rename them casually.
const (
	TypeALB               = "AWS.ALB"
	TypeAuroraMySQLAudit  = `AWS.AuroraMySQLAudit`
	TypeCloudTrail        = `AWS.CloudTrail`
	TypeCloudTrailDigest  = "AWS.CloudTrailDigest"
	TypeCloudTrailInsight = "AWS.CloudTrailInsight"
	TypeCloudWatchEvents  = "AWS.CloudWatchEvents"
	TypeGuardDuty         = "AWS.GuardDuty"
	TypeS3ServerAccess    = "AWS.S3ServerAccess"
	TypeVPCFlow           = "AWS.VPCFlow"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type ALB

type ALB struct {
	Type                   *string            `json:"type,omitempty" validate:"oneof=http https h2 ws wss" description:"The type of request or connection."`
	Timestamp              *timestamp.RFC3339 `` /* 198-byte string literal not displayed */
	ELB                    *string            `` /* 168-byte string literal not displayed */
	ClientIP               *string            `json:"clientIp,omitempty" description:"The IP address of the requesting client."`
	ClientPort             *int               `json:"clientPort,omitempty" description:"The port of the requesting client."`
	TargetIP               *string            `json:"targetIp,omitempty" description:"The IP address of the target that processed this request."`
	TargetPort             *int               `json:"targetPort,omitempty" description:"The port of the target that processed this request."`
	RequestProcessingTime  *float64           `` /* 513-byte string literal not displayed */
	TargetProcessingTime   *float64           `` /* 536-byte string literal not displayed */
	ResponseProcessingTime *float64           `` /* 579-byte string literal not displayed */
	ELBStatusCode          *int               `` /* 127-byte string literal not displayed */
	TargetStatusCode       *int               `` /* 202-byte string literal not displayed */
	ReceivedBytes          *int               `` /* 257-byte string literal not displayed */
	SentBytes              *int               `` /* 232-byte string literal not displayed */
	RequestHTTPMethod      *string            `json:"requestHttpMethod,omitempty" description:"The HTTP method parsed from the request."`
	RequestURL             *string            `json:"requestUrl,omitempty" description:"The HTTP URL parsed from the request."`
	RequestHTTPVersion     *string            `json:"requestHttpVersion,omitempty" description:"The HTTP version parsed from the request."`
	UserAgent              *string            `` /* 243-byte string literal not displayed */
	SSLCipher              *string            `` /* 141-byte string literal not displayed */
	SSLProtocol            *string            `` /* 145-byte string literal not displayed */
	TargetGroupARN         *string            `json:"targetGroupArn,omitempty" description:"The Amazon Resource Name (ARN) of the target group."`
	TraceID                *string            `json:"traceId,omitempty" description:"The contents of the X-Amzn-Trace-Id header."`
	DomainName             *string            `` /* 280-byte string literal not displayed */
	ChosenCertARN          *string            `` /* 243-byte string literal not displayed */
	MatchedRulePriority    *int               `` /* 338-byte string literal not displayed */
	RequestCreationTime    *timestamp.RFC3339 `json:"requestCreationTime,omitempty" description:"The time when the load balancer received the request from the client."`
	ActionsExecuted        []string           `` /* 270-byte string literal not displayed */
	RedirectURL            *string            `` /* 181-byte string literal not displayed */
	ErrorReason            *string            `` /* 278-byte string literal not displayed */

	// NOTE: added to end of struct to allow expansion later
	AWSPantherLog
}

nolint:lll

type ALBParser

// ALBParser parses AWS Application Load Balancer access logs.
// CSVReader is the streaming reader used to split each log line into fields;
// a ready-to-use instance is obtained via New.
type ALBParser struct {
	CSVReader *csvstream.StreamingCSVReader
}

ALBParser parses AWS Application Load Balancer logs

func (*ALBParser) LogType

func (p *ALBParser) LogType() string

LogType returns the log type supported by this parser

func (*ALBParser) New added in v0.3.0

func (p *ALBParser) New() parsers.LogParser

func (*ALBParser) Parse

func (p *ALBParser) Parse(log string) ([]*parsers.PantherLog, error)

Parse returns the parsed events, or nil and a non-nil error if the line could not be parsed (or failed validation).

type AWSExtractor added in v0.2.0

type AWSExtractor struct {
	// contains filtered or unexported fields
}

AWSExtractor walks arbitrary JSON key/value pairs (via Extract) and appends AWS identifiers that can be recognised generically — account IDs, instance IDs, ARNs and tags — to the wrapped AWSPantherLog's p_any_aws_* fields.

func NewAWSExtractor added in v0.2.0

func NewAWSExtractor(pl *AWSPantherLog) *AWSExtractor

func (*AWSExtractor) Extract added in v0.2.0

func (e *AWSExtractor) Extract(key, value gjson.Result)

type AWSPantherLog added in v0.2.0

type AWSPantherLog struct {
	parsers.PantherLog

	PantherAnyAWSAccountIds  *parsers.PantherAnyString `` /* 131-byte string literal not displayed */
	PantherAnyAWSInstanceIds *parsers.PantherAnyString `` /* 133-byte string literal not displayed */
	PantherAnyAWSARNs        *parsers.PantherAnyString `json:"p_any_aws_arns,omitempty" description:"Panther added field with collection of aws arns associated with the row"`
	PantherAnyAWSTags        *parsers.PantherAnyString `json:"p_any_aws_tags,omitempty" description:"Panther added field with collection of aws tags associated with the row"`
}

nolint:lll

func (*AWSPantherLog) AppendAnyAWSARNPtrs added in v0.2.0

func (pl *AWSPantherLog) AppendAnyAWSARNPtrs(values ...*string)

func (*AWSPantherLog) AppendAnyAWSARNs added in v0.2.0

func (pl *AWSPantherLog) AppendAnyAWSARNs(values ...string)

func (*AWSPantherLog) AppendAnyAWSAccountIdPtrs added in v0.2.0

func (pl *AWSPantherLog) AppendAnyAWSAccountIdPtrs(values ...*string)

func (*AWSPantherLog) AppendAnyAWSAccountIds added in v0.2.0

func (pl *AWSPantherLog) AppendAnyAWSAccountIds(values ...string)

func (*AWSPantherLog) AppendAnyAWSInstanceIdPtrs added in v0.2.0

func (pl *AWSPantherLog) AppendAnyAWSInstanceIdPtrs(values ...*string)

func (*AWSPantherLog) AppendAnyAWSInstanceIds added in v0.2.0

func (pl *AWSPantherLog) AppendAnyAWSInstanceIds(values ...string)

func (*AWSPantherLog) AppendAnyAWSTagPtrs added in v0.2.0

func (pl *AWSPantherLog) AppendAnyAWSTagPtrs(values ...*string)

func (*AWSPantherLog) AppendAnyAWSTags added in v0.2.0

func (pl *AWSPantherLog) AppendAnyAWSTags(values ...string)

NOTE: each tag value is expected in the form <key>:<value>.

type AuroraMySQLAudit

type AuroraMySQLAudit struct {
	Timestamp    *timestamp.RFC3339 `json:"timestamp,omitempty" description:"The timestamp for the logged event with microsecond precision (UTC)."`
	ServerHost   *string            `json:"serverHost,omitempty" description:"The name of the instance that the event is logged for."`
	Username     *string            `json:"username,omitempty" description:"The connected user name of the user."`
	Host         *string            `json:"host,omitempty" description:"The host that the user connected from."`
	ConnectionID *int               `json:"connectionId,omitempty" description:"The connection ID number for the logged operation."`
	QueryID      *int               `` /* 182-byte string literal not displayed */
	Operation    *string            `` /* 216-byte string literal not displayed */
	Database     *string            `json:"database,omitempty" description:"The active database, as set by the USE command."`
	Object       *string            `` /* 143-byte string literal not displayed */
	RetCode      *int               `json:"retCode,omitempty" description:"The return code of the logged operation."`

	// NOTE: added to end of struct to allow expansion later
	AWSPantherLog
}

nolint:lll

type AuroraMySQLAuditParser

// AuroraMySQLAuditParser parses AWS Aurora MySQL audit logs.
// CSVReader is the streaming reader used to split each log line into fields;
// a ready-to-use instance is obtained via New.
type AuroraMySQLAuditParser struct {
	CSVReader *csvstream.StreamingCSVReader
}

AuroraMySQLAuditParser parses AWS Aurora MySQL Audit logs

func (*AuroraMySQLAuditParser) LogType

func (p *AuroraMySQLAuditParser) LogType() string

LogType returns the log type supported by this parser

func (*AuroraMySQLAuditParser) New added in v0.3.0

func (*AuroraMySQLAuditParser) Parse

Parse returns the parsed events, or nil and a non-nil error if the line could not be parsed (or failed validation).

type CloudTrail

type CloudTrail struct {
	AdditionalEventData *jsoniter.RawMessage    `` /* 128-byte string literal not displayed */
	APIVersion          *string                 `json:"apiVersion,omitempty" description:"Identifies the API version associated with the AwsApiCall eventType value."`
	AWSRegion           *string                 `json:"awsRegion,omitempty" validate:"required" description:"The AWS region that the request was made to, such as us-east-2."`
	ErrorCode           *string                 `json:"errorCode,omitempty" description:"The AWS service error if the request returns an error."`
	ErrorMessage        *string                 `` /* 246-byte string literal not displayed */
	EventID             *string                 `` /* 269-byte string literal not displayed */
	EventName           *string                 `` /* 139-byte string literal not displayed */
	EventSource         *string                 `` /* 196-byte string literal not displayed */
	EventTime           *timestamp.RFC3339      `` /* 137-byte string literal not displayed */
	EventType           *string                 `` /* 213-byte string literal not displayed */
	EventVersion        *string                 `json:"eventVersion,omitempty" validate:"required" description:"The version of the log event format."`
	ManagementEvent     *bool                   `` /* 307-byte string literal not displayed */
	ReadOnly            *bool                   `json:"readOnly,omitempty" description:"Identifies whether this operation is a read-only operation."`
	RecipientAccountID  *string                 `` /* 278-byte string literal not displayed */
	RequestID           *string                 `` /* 126-byte string literal not displayed */
	RequestParameters   *jsoniter.RawMessage    `` /* 205-byte string literal not displayed */
	Resources           []CloudTrailResources   `json:"resources,omitempty" description:"A list of resources accessed in the event."`
	ResponseElements    *jsoniter.RawMessage    `` /* 341-byte string literal not displayed */
	ServiceEventDetails *jsoniter.RawMessage    `` /* 131-byte string literal not displayed */
	SharedEventID       *string                 `` /* 177-byte string literal not displayed */
	SourceIPAddress     *string                 `` /* 309-byte string literal not displayed */
	UserAgent           *string                 `` /* 167-byte string literal not displayed */
	UserIdentity        *CloudTrailUserIdentity `json:"userIdentity,omitempty" validate:"required" description:"Information about the user that made a request."`
	VPCEndpointID       *string                 `` /* 154-byte string literal not displayed */

	// NOTE: added to end of struct to allow expansion later
	AWSPantherLog
}

CloudTrail is a single record from the Records[] array of an AWS CloudTrail log file. nolint:lll

type CloudTrailDigest added in v1.2.0

type CloudTrailDigest struct {
	AWSAccountID                *string                   `json:"awsAccountId" validate:"required" description:"The AWS account ID for which the digest file has been delivered."`
	DigestStartTime             *timestamp.RFC3339        `` /* 198-byte string literal not displayed */
	DigestEndTime               *timestamp.RFC3339        `` /* 194-byte string literal not displayed */
	DigestS3Bucket              *string                   `` /* 141-byte string literal not displayed */
	DigestS3Object              *string                   `` /* 149-byte string literal not displayed */
	NewestEventTime             *timestamp.RFC3339        `` /* 140-byte string literal not displayed */
	OldestEventTime             *timestamp.RFC3339        `` /* 136-byte string literal not displayed */
	PreviousDigestS3Bucket      *string                   `json:"previousDigestS3Bucket,omitempty" description:"The Amazon S3 bucket to which the previous digest file was delivered."`
	PreviousDigestS3Object      *string                   `` /* 148-byte string literal not displayed */
	PreviousDigestHashValue     *string                   `` /* 147-byte string literal not displayed */
	PreviousDigestHashAlgorithm *string                   `` /* 137-byte string literal not displayed */
	PreviousDigestSignature     *string                   `json:"previousDigestSignature,omitempty" description:"The hexadecimal encoded signature of the previous digest file."`
	DigestPublicKeyFingerprint  *string                   `` /* 181-byte string literal not displayed */
	DigestSignatureAlgorithm    *string                   `json:"digestSignatureAlgorithm" validate:"required" description:"The algorithm used to sign the digest file."`
	LogFiles                    []CloudTrailDigestLogFile `json:"logFiles" validate:"required,min=0" description:"Log files delivered in this digest"`

	// NOTE: added to end of struct to allow expansion later
	AWSPantherLog
}

nolint:lll

type CloudTrailDigestLogFile added in v1.2.0

type CloudTrailDigestLogFile struct {
	S3Bucket        *string            `json:"s3Bucket" validate:"required" description:"The name of the Amazon S3 bucket for the log file."`
	S3Object        *string            `json:"s3Object" validate:"required" description:"The Amazon S3 object key of the current log file."`
	HashValue       *string            `json:"hashValue" validate:"required" description:"The hexadecimal encoded hash value of the uncompressed log file content."`
	HashAlgorithm   *string            `json:"hashAlgorithm" validate:"required" description:"The hash algorithm used to hash the log file."`
	NewestEventTime *timestamp.RFC3339 `` /* 128-byte string literal not displayed */
	OldestEventTime *timestamp.RFC3339 `json:"oldestEventTime" validate:"required" description:"The UTC time of the oldest event among the events in the log file."`
}

nolint:lll

type CloudTrailDigestParser added in v1.2.0

// CloudTrailDigestParser parses CloudTrail digest files (the integrity-
// validation records that list delivered log files with their hashes and
// signatures). It is stateless; New returns a fresh instance.
type CloudTrailDigestParser struct{}

func (*CloudTrailDigestParser) LogType added in v1.2.0

func (p *CloudTrailDigestParser) LogType() string

LogType returns the log type supported by this parser

func (*CloudTrailDigestParser) New added in v1.2.0

func (*CloudTrailDigestParser) Parse added in v1.2.0

Parse returns the parsed events, or nil and a non-nil error if the input could not be parsed (or failed validation).

type CloudTrailInsight added in v1.1.0

type CloudTrailInsight struct {
	EventVersion       *string            `json:"eventVersion" validate:"required" description:"The version of the log event format."`
	EventTime          *timestamp.RFC3339 `` /* 127-byte string literal not displayed */
	AWSRegion          *string            `json:"awsRegion" validate:"required" description:"The AWS region that the request was made to, such as us-east-2."`
	EventID            *string            `` /* 259-byte string literal not displayed */
	EventType          *string            `` /* 227-byte string literal not displayed */
	RecipientAccountID *string            `` /* 278-byte string literal not displayed */
	SharedEventID      *string            `` /* 213-byte string literal not displayed */
	InsightDetails     *InsightDetails    `` /* 235-byte string literal not displayed */
	EventCategory      *string            `` /* 168-byte string literal not displayed */

	// NOTE: added to end of struct to allow expansion later
	AWSPantherLog
}

CloudTrailInsight is a CloudTrail Insights event record. Field reference: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html nolint:lll

type CloudTrailInsightParser added in v1.1.0

// CloudTrailInsightParser parses CloudTrail Insights event files
// (a CloudTrailInsightRecords envelope). It is stateless; New returns a
// fresh instance.
type CloudTrailInsightParser struct{}

func (*CloudTrailInsightParser) LogType added in v1.1.0

func (p *CloudTrailInsightParser) LogType() string

LogType returns the log type supported by this parser

func (*CloudTrailInsightParser) New added in v1.1.0

func (*CloudTrailInsightParser) Parse added in v1.1.0

Parse returns the parsed events, or nil and a non-nil error if the input could not be parsed (or failed validation).

type CloudTrailInsightRecords added in v1.1.0

// CloudTrailInsightRecords is the top-level envelope of a CloudTrail Insights
// file: a single "Records" array. `required` rejects an absent/nil array and
// `dive` runs validation on every element as a CloudTrailInsight.
type CloudTrailInsightRecords struct {
	Records []*CloudTrailInsight `json:"Records" validate:"required,dive"`
}

nolint:lll

type CloudTrailParser

// CloudTrailParser parses CloudTrail log files (a CloudTrailRecords envelope)
// into one event per record. It is stateless; New returns a fresh instance.
type CloudTrailParser struct{}

CloudTrailParser parses CloudTrail logs

func (*CloudTrailParser) LogType

func (p *CloudTrailParser) LogType() string

LogType returns the log type supported by this parser

func (*CloudTrailParser) New added in v0.3.0

func (*CloudTrailParser) Parse

func (p *CloudTrailParser) Parse(log string) ([]*parsers.PantherLog, error)

Parse returns the parsed events, or nil and a non-nil error if the input could not be parsed (or failed validation).

type CloudTrailRecords

// CloudTrailRecords is the top-level envelope of a CloudTrail log file: a
// single "Records" array. `required` rejects an absent/nil array and `dive`
// runs validation on every element as a CloudTrail record.
type CloudTrailRecords struct {
	Records []*CloudTrail `json:"Records" validate:"required,dive"`
}

type CloudTrailResources

// CloudTrailResources is one entry of a CloudTrail record's "resources" list:
// an AWS resource touched by the API call. All three fields are optional and
// are not validated here. For cross-account-access detections compare this
// AccountID (presumably the resource owner's account — confirm against the
// CloudTrail reference) with the record's RecipientAccountID.
type CloudTrailResources struct {
	ARN       *string `json:"arn"`
	AccountID *string `json:"accountId"`
	Type      *string `json:"type"`
}

CloudTrailResources are the AWS resources used in the API call.

type CloudTrailSessionContext

// CloudTrailSessionContext provides information about a session created for
// temporary credentials (e.g. an assumed role or a federated user).
// Any of the sub-objects may be absent, so callers must nil-check each one
// before dereferencing.
type CloudTrailSessionContext struct {
	Attributes          *CloudTrailSessionContextAttributes          `json:"attributes,omitempty"`
	SessionIssuer       *CloudTrailSessionContextSessionIssuer       `json:"sessionIssuer,omitempty"`
	WebIDFederationData *CloudTrailSessionContextWebIDFederationData `json:"webIdFederationData,omitempty"`
}

CloudTrailSessionContext provides information about a session created for temporary credentials.

type CloudTrailSessionContextAttributes

// CloudTrailSessionContextAttributes contains the attributes of a session
// context: whether the session was MFA-authenticated and when it was created.
//
// NOTE(review): both fields are kept as *string rather than *bool /
// *timestamp.RFC3339 — presumably because CloudTrail emits mfaAuthenticated as
// the quoted string "true"/"false". Detections that gate on MFA must therefore
// compare against the string literal, not a boolean; confirm against samples.
type CloudTrailSessionContextAttributes struct {
	MfaAuthenticated *string `json:"mfaAuthenticated,omitempty"`
	CreationDate     *string `json:"creationDate,omitempty"`
}

CloudTrailSessionContextAttributes contains the attributes of the session context: whether the session was MFA-authenticated and when it was created.

type CloudTrailSessionContextSessionIssuer

// CloudTrailSessionContextSessionIssuer identifies the entity (for example an
// IAM role) whose credentials were used to obtain the session's temporary
// credentials. For assumed-role activity this is where the underlying role's
// ARN/AccountID live, so attribution should look here as well as at
// CloudTrailUserIdentity. Note the JSON key for Username is "userName"
// (capital N); queries against the raw JSON must use that spelling.
type CloudTrailSessionContextSessionIssuer struct {
	Type        *string `json:"type,omitempty"`
	PrincipalID *string `json:"principalId,omitempty"`
	Arn         *string `json:"arn,omitempty"`
	AccountID   *string `json:"accountId,omitempty"`
	Username    *string `json:"userName,omitempty"`
}

CloudTrailSessionContextSessionIssuer identifies the entity (for example an IAM role) that issued the session's temporary credentials.

type CloudTrailSessionContextWebIDFederationData

// CloudTrailSessionContextWebIDFederationData contains web identity federation
// data for sessions obtained through an external identity provider.
// Attributes is kept as undecoded raw JSON (its contents are provider-specific
// and are not modelled here); consumers must decode it themselves.
type CloudTrailSessionContextWebIDFederationData struct {
	FederatedProvider *string              `json:"federatedProvider,omitempty"`
	Attributes        *jsoniter.RawMessage `json:"attributes,omitempty"`
}

CloudTrailSessionContextWebIDFederationData contains Web ID federation data

type CloudTrailUserIdentity

// CloudTrailUserIdentity contains details about the IAM identity that made the
// request. This is the primary attribution block for CloudTrail detections.
//
//   - Type distinguishes the kind of principal (root, IAM user, assumed role,
//     federated user, AWS service, ...) — presumably the set documented in the
//     CloudTrail userIdentity reference; confirm before writing exact-match rules.
//   - AccessKeyID names the credential that signed the request (an identifier,
//     not a secret) and is the field to pivot on when a key is suspected leaked.
//   - SessionContext is only present for temporary-credential sessions; see
//     CloudTrailSessionContext for the issuing role and MFA status.
//
// JSON keys differ from the Go field casing (e.g. "userName", "accessKeyId",
// "principalId"); queries against the raw JSON must use the tag spelling.
// All fields are optional and nothing here is validated.
type CloudTrailUserIdentity struct {
	Type             *string                   `json:"type,omitempty"`
	PrincipalID      *string                   `json:"principalId,omitempty"`
	ARN              *string                   `json:"arn,omitempty"`
	AccountID        *string                   `json:"accountId,omitempty"`
	AccessKeyID      *string                   `json:"accessKeyId,omitempty"`
	Username         *string                   `json:"userName,omitempty"`
	SessionContext   *CloudTrailSessionContext `json:"sessionContext,omitempty"`
	InvokedBy        *string                   `json:"invokedBy,omitempty"`
	IdentityProvider *string                   `json:"identityProvider,omitempty"`
}

CloudTrailUserIdentity contains details about the type of IAM identity that made the request.

type CloudWatchEvent added in v1.6.0

type CloudWatchEvent struct {
	ID         *string              `` /* 184-byte string literal not displayed */
	Account    *string              `json:"account" validate:"required" description:"The 12-digit number identifying an AWS account."`
	Source     *string              `` /* 315-byte string literal not displayed */
	Resources  []string             `` /* 419-byte string literal not displayed */
	Region     *string              `json:"region" validate:"required" description:"Identifies the AWS region where the event originated."`
	DetailType *string              `` /* 157-byte string literal not displayed */
	Version    *string              `json:"version" validate:"required" description:"By default, this is set to 0 (zero) in all events."`
	Time       *timestamp.RFC3339   `` /* 294-byte string literal not displayed */
	Detail     *jsoniter.RawMessage `` /* 298-byte string literal not displayed */

	// NOTE: added to end of struct to allow expansion later
	AWSPantherLog
}

nolint:lll

type CloudWatchEventParser added in v1.6.0

// CloudWatchEventParser parses AWS CloudWatch Events (one JSON event per line).
// It is stateless; New returns a fresh instance.
type CloudWatchEventParser struct{}

CloudWatchEventParser parses AWS CloudWatch Events.

func (*CloudWatchEventParser) LogType added in v1.6.0

func (p *CloudWatchEventParser) LogType() string

LogType returns the log type supported by this parser

func (*CloudWatchEventParser) New added in v1.6.0

func (*CloudWatchEventParser) Parse added in v1.6.0

func (p *CloudWatchEventParser) Parse(log string) ([]*parsers.PantherLog, error)

Parse returns the parsed events, or nil and a non-nil error if the input could not be parsed (or failed validation).

type GuardDuty

type GuardDuty struct {
	SchemaVersion *string              `json:"schemaVersion" validate:"required" description:"The schema format version of this record."`
	AccountID     *string              `` /* 165-byte string literal not displayed */
	Region        *string              `json:"region" validate:"required" description:"The AWS region in which the finding was generated."`
	Partition     *string              `json:"partition" validate:"required" description:"The AWS partition in which the finding was generated."`
	ID            *string              `json:"id,omitempty" validate:"required" description:"A unique identifier for the finding."`
	Arn           *string              `json:"arn" validate:"required" description:"A unique identifier formatted as an ARN for the finding."`
	Type          *string              `json:"type" validate:"required" description:"A concise yet readable description of the potential security issue."`
	Resource      *jsoniter.RawMessage `` /* 154-byte string literal not displayed */
	Severity      *float32             `` /* 128-byte string literal not displayed */
	CreatedAt     *timestamp.RFC3339   `json:"createdAt" validate:"required,min=0" description:"The initial creation time of the finding (UTC)."`
	UpdatedAt     *timestamp.RFC3339   `json:"updatedAt" validate:"required,min=0" description:"The last update time of the finding (UTC)."`
	Title         *string              `json:"title" validate:"required" description:"A short description of the finding."`
	Description   *string              `json:"description" validate:"required" description:"A long description of the finding."`
	Service       *GuardDutyService    `json:"service" validate:"required" description:"Additional information about the affected service."`

	// NOTE: added to end of struct to allow expansion later
	AWSPantherLog
}

nolint:lll

type GuardDutyParser

// GuardDutyParser parses AWS GuardDuty findings (one JSON finding per line).
// It is stateless; New returns a fresh instance.
type GuardDutyParser struct{}

GuardDutyParser parses AWS GuardDuty findings.

func (*GuardDutyParser) LogType

func (p *GuardDutyParser) LogType() string

LogType returns the log type supported by this parser

func (*GuardDutyParser) New added in v0.3.0

func (*GuardDutyParser) Parse

func (p *GuardDutyParser) Parse(log string) ([]*parsers.PantherLog, error)

Parse returns the parsed events, or nil and a non-nil error if the input could not be parsed (or failed validation).

type GuardDutyService

// GuardDutyService carries the "service" block of a GuardDuty finding.
// ServiceName and DetectorID are required; every other field is optional.
// Action and AdditionalInfo are kept as undecoded raw JSON rather than typed
// structs (their contents are not modelled here and presumably vary by finding
// type), so detection logic that needs e.g. the remote IP or API name must
// decode them itself. Count, EventFirstSeen and EventLastSeen appear to
// describe how often and over what window the underlying activity was seen;
// confirm against the GuardDuty finding schema before relying on them.
type GuardDutyService struct {
	AdditionalInfo *jsoniter.RawMessage `json:"additionalInfo"`
	Action         *jsoniter.RawMessage `json:"action"`
	ServiceName    *string              `json:"serviceName" validate:"required"`
	DetectorID     *string              `json:"detectorId" validate:"required"`
	ResourceRole   *string              `json:"resourceRole"`
	EventFirstSeen *timestamp.RFC3339   `json:"eventFirstSeen"`
	EventLastSeen  *timestamp.RFC3339   `json:"eventLastSeen"`
	Archived       *bool                `json:"archived"`
	Count          *int                 `json:"count"`
}

type InsightAverage added in v1.1.0

// InsightAverage wraps a single averaged metric value as emitted in a
// CloudTrail Insights event (used for both the baseline and the insight
// window in InsightStatistics).
type InsightAverage struct {
	Average *float64 `json:"average,omitempty" description:"Average value for the insight metric"`
}

nolint:lll

type InsightContext added in v1.1.0

type InsightContext struct {
	Statistics *InsightStatistics `` /* 242-byte string literal not displayed */
}

nolint:lll

type InsightDetails added in v1.1.0

type InsightDetails struct {
	State          *string         `` /* 179-byte string literal not displayed */
	EventSource    *string         `json:"eventSource" validate:"required" description:"The AWS API for which unusual activity was detected."`
	EventName      *string         `json:"eventName" validate:"required" description:"The AWS API for which unusual activity was detected."`
	InsightType    *string         `json:"insightType" validate:"required" description:"The type of Insights event. Value is ApiCallRateInsight. "`
	InsightContext *InsightContext `` /* 177-byte string literal not displayed */
}

nolint:lll

type InsightStatistics added in v1.1.0

type InsightStatistics struct {
	Baseline        *InsightAverage `` /* 142-byte string literal not displayed */
	Insight         *InsightAverage `` /* 137-byte string literal not displayed */
	InsightDuration *float32        `` /* 229-byte string literal not displayed */
}

nolint:lll

type S3ServerAccess

type S3ServerAccess struct {
	BucketOwner        *string            `` /* 196-byte string literal not displayed */
	Bucket             *string            `` /* 230-byte string literal not displayed */
	Time               *timestamp.RFC3339 `json:"time,omitempty" description:"The time at which the request was received (UTC)."`
	RemoteIP           *string            `` /* 190-byte string literal not displayed */
	Requester          *string            `` /* 329-byte string literal not displayed */
	RequestID          *string            `json:"requestid,omitempty" description:"A string generated by Amazon S3 to uniquely identify each request."`
	Operation          *string            `` /* 188-byte string literal not displayed */
	Key                *string            `` /* 132-byte string literal not displayed */
	RequestURI         *string            `json:"requesturi,omitempty" description:"The Request-URI part of the HTTP request message."`
	HTTPStatus         *int               `json:"httpstatus,omitempty" validate:"omitempty,max=600,min=100" description:"The numeric HTTP status code of the response."`
	ErrorCode          *string            `json:"errorcode,omitempty" description:"The Amazon S3 Error Code, or NULL if no error occurred."`
	BytesSent          *int               `` /* 126-byte string literal not displayed */
	ObjectSize         *int               `json:"objectsize,omitempty" description:"The total size of the object in question."`
	TotalTime          *int               `` /* 330-byte string literal not displayed */
	TurnAroundTime     *int               `` /* 254-byte string literal not displayed */
	Referrer           *string            `` /* 223-byte string literal not displayed */
	UserAgent          *string            `json:"useragent,omitempty" description:"The value of the HTTP User-Agent header."`
	VersionID          *string            `` /* 133-byte string literal not displayed */
	HostID             *string            `json:"hostid,omitempty" description:"The x-amz-id-2 or Amazon S3 extended request ID."`
	SignatureVersion   *string            `` /* 166-byte string literal not displayed */
	CipherSuite        *string            `` /* 136-byte string literal not displayed */
	AuthenticationType *string            `` /* 213-byte string literal not displayed */
	HostHeader         *string            `json:"hostheader,omitempty" description:"The endpoint used to connect to Amazon S3."`
	TLSVersion         *string            `` /* 194-byte string literal not displayed */
	AdditionalFields   []string           `json:"additionalFields,omitempty" description:"The remaining columns in the record as an array."`

	// NOTE: added to end of struct to allow expansion later
	AWSPantherLog
}

nolint:lll

type S3ServerAccessParser

// S3ServerAccessParser parses AWS S3 server access logs.
// CSVReader is the streaming reader used to split each log line into fields;
// a ready-to-use instance is obtained via New.
type S3ServerAccessParser struct {
	CSVReader *csvstream.StreamingCSVReader
}

S3ServerAccessParser parses AWS S3 Server Access logs

func (*S3ServerAccessParser) LogType

func (p *S3ServerAccessParser) LogType() string

LogType returns the log type supported by this parser

func (*S3ServerAccessParser) New added in v0.3.0

func (*S3ServerAccessParser) Parse

func (p *S3ServerAccessParser) Parse(log string) ([]*parsers.PantherLog, error)

Parse returns the parsed events, or nil and a non-nil error if the line could not be parsed (or failed validation).

type VPCFlow

type VPCFlow struct {
	Version     *int               `` /* 165-byte string literal not displayed */
	AccountID   *string            `json:"account,omitempty" validate:"omitempty,len=12,numeric" description:"The AWS account ID for the flow log."`
	InterfaceID *string            `json:"interfaceId,omitempty" description:"The ID of the network interface for which the traffic is recorded."`
	SrcAddr     *string            `` /* 258-byte string literal not displayed */
	DstAddr     *string            `` /* 262-byte string literal not displayed */
	SrcPort     *int               `json:"srcPort,omitempty" validate:"omitempty,min=0,max=65535" description:"The source port of the traffic."`
	DstPort     *int               `json:"dstPort,omitempty" validate:"omitempty,min=0,max=65535" description:"The destination port of the traffic."`
	Protocol    *int               `json:"protocol,omitempty" description:"The IANA protocol number of the traffic."`
	Packets     *int               `json:"packets,omitempty" description:"The number of packets transferred during the flow."`
	Bytes       *int               `json:"bytes,omitempty" description:"The number of bytes transferred during the flow."`
	Start       *timestamp.RFC3339 `json:"start,omitempty" validate:"required" description:"The time of the start of the flow (UTC)."`
	End         *timestamp.RFC3339 `json:"end,omitempty" validate:"required" description:"The time of the end of the flow (UTC)."`
	Action      *string            `` /* 296-byte string literal not displayed */
	LogStatus   *string            `` /* 413-byte string literal not displayed */

	// extended custom fields
	VpcID         *string `json:"vpcId,omitempty" description:"The ID of the VPC that contains the network interface for which the traffic is recorded."`
	SubNetID      *string `` /* 131-byte string literal not displayed */
	InstanceID    *string `` /* 291-byte string literal not displayed */
	TCPFlags      *int    `` /* 379-byte string literal not displayed */
	Type          *string `json:"trafficType,omitempty" description:"The type of traffic: IPv4, IPv6, or EFA."`
	PacketSrcAddr *string `` /* 518-byte string literal not displayed */
	PacketDstAddr *string `` /* 526-byte string literal not displayed */

	// NOTE: added to end of struct to allow expansion later
	AWSPantherLog
}

nolint:lll

type VPCFlowParser

type VPCFlowParser struct {
	CSVReader *csvstream.StreamingCSVReader
	// contains filtered or unexported fields
}

VPCFlowParser parses AWS VPC Flow Logs.

func (*VPCFlowParser) LogType

func (p *VPCFlowParser) LogType() string

LogType returns the log type supported by this parser

func (*VPCFlowParser) New added in v0.3.0

func (p *VPCFlowParser) New() parsers.LogParser

func (*VPCFlowParser) Parse

func (p *VPCFlowParser) Parse(log string) ([]*parsers.PantherLog, error)

Parse returns the parsed events, or nil and a non-nil error if the line could not be parsed (or failed validation).
