Documentation ¶
Index ¶
Constants ¶
const ( TypeBatch = "Osquery.Batch" TypeDifferential = "Osquery.Differential" TypeSnapshot = "Osquery.Snapshot" TypeStatus = "Osquery.Status" )
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Batch ¶
type Batch struct { CalendarTime *timestamp.ANSICwithTZ `json:"calendarTime,omitempty" validate:"required" description:"The time of the event (UTC)."` Counter *numerics.Integer `json:"counter,omitempty" validate:"required" description:"Counter"` Decorations map[string]string `json:"decorations,omitempty" description:"Decorations"` DiffResults *BatchDiffResults `json:"diffResults,omitempty" validate:"required" description:"Computed differences."` Epoch *numerics.Integer `json:"epoch,omitempty" validate:"required" description:"Epoch"` Hostname *string `json:"hostname,omitempty" validate:"required" description:"Hostname"` Name *string `json:"name,omitempty" validate:"required" description:"Name"` UnixTime *numerics.Integer `json:"unixTime,omitempty" validate:"required" description:"Unix epoch"` // NOTE: added to end of struct to allow expansion later parsers.PantherLog }
nolint:lll
type BatchDiffResults ¶
type BatchDiffResults struct { Added []map[string]string `json:"added,omitempty"` Removed []map[string]string `json:"removed,omitempty"` }
OsqueryBatchDiffResults contains diff data for OsQuery batch results
type BatchParser ¶
type BatchParser struct{}
BatchParser parses OsQuery Batch logs
func (*BatchParser) LogType ¶
func (p *BatchParser) LogType() string
LogType returns the log type supported by this parser
func (*BatchParser) New ¶ added in v0.3.0
func (p *BatchParser) New() parsers.LogParser
func (*BatchParser) Parse ¶
func (p *BatchParser) Parse(log string) ([]*parsers.PantherLog, error)
Parse returns the parsed events or nil if parsing failed
type Differential ¶
type Differential struct { Action *string `json:"action,omitempty" validate:"required" description:"Action"` CalendarTime *timestamp.ANSICwithTZ `json:"calendarTime,omitempty" validate:"required" description:"The time of the event (UTC)."` Columns map[string]string `json:"columns,omitempty" validate:"required" description:"Columns"` Counter *numerics.Integer `json:"counter,omitempty" description:"Counter"` Decorations map[string]string `json:"decorations,omitempty" description:"Decorations"` Epoch *numerics.Integer `json:"epoch,omitempty" validate:"required" description:"Epoch"` HostIdentifier *string `json:"hostIdentifier,omitempty" validate:"required" description:"HostIdentifier"` LogType *string `json:"logType,omitempty" description:"LogType"` LogUnderscoreType *string `json:"log_type,omitempty" description:"LogUnderscoreType"` Name *string `json:"name,omitempty" validate:"required" description:"Name"` UnixTime *numerics.Integer `json:"unixTime,omitempty" validate:"required" description:"UnixTime"` LogNumericsAsNumbers *bool `json:"logNumericsAsNumbers,omitempty,string" description:"LogNumericsAsNumbers"` // NOTE: added to end of struct to allow expansion later parsers.PantherLog }
nolint:lll
type DifferentialParser ¶
type DifferentialParser struct{}
DifferentialParser parses OsQuery Differential logs
func (*DifferentialParser) LogType ¶
func (p *DifferentialParser) LogType() string
LogType returns the log type supported by this parser
func (*DifferentialParser) New ¶ added in v0.3.0
func (p *DifferentialParser) New() parsers.LogParser
func (*DifferentialParser) Parse ¶
func (p *DifferentialParser) Parse(log string) ([]*parsers.PantherLog, error)
Parse returns the parsed events or nil if parsing failed
type Snapshot ¶
type Snapshot struct { Action *string `json:"action,omitempty" validate:"required,eq=snapshot" description:"Action"` CalendarTime *timestamp.ANSICwithTZ `json:"calendarTime,omitempty" validate:"required" description:"The time of the event (UTC)."` Counter *numerics.Integer `json:"counter,omitempty" validate:"required" description:"Counter"` Decorations map[string]string `json:"decorations,omitempty" description:"Decorations"` Epoch *numerics.Integer `json:"epoch,omitempty" validate:"required" description:"Epoch"` HostIdentifier *string `json:"hostIdentifier,omitempty" validate:"required" description:"HostIdentifier"` Name *string `json:"name,omitempty" validate:"required" description:"Name"` Snapshot []map[string]string `json:"snapshot,omitempty" validate:"required" description:"Snapshot"` UnixTime *numerics.Integer `json:"unixTime,omitempty" validate:"required" description:"UnixTime"` // NOTE: added to end of struct to allow expansion later parsers.PantherLog }
nolint:lll
type SnapshotParser ¶
type SnapshotParser struct{}
SnapshotParser parses OsQuery snapshot logs
func (*SnapshotParser) LogType ¶
func (p *SnapshotParser) LogType() string
LogType returns the log type supported by this parser
func (*SnapshotParser) New ¶ added in v0.3.0
func (p *SnapshotParser) New() parsers.LogParser
func (*SnapshotParser) Parse ¶
func (p *SnapshotParser) Parse(log string) ([]*parsers.PantherLog, error)
Parse returns the parsed events or nil if parsing failed
type Status ¶
type Status struct { CalendarTime *timestamp.ANSICwithTZ `json:"calendarTime,omitempty" validate:"required" description:"The time of the event (UTC)."` Decorations map[string]string `json:"decorations,omitempty" description:"Decorations"` Filename *string `json:"filename,omitempty" validate:"required" description:"Filename"` HostIdentifier *string `json:"hostIdentifier,omitempty" validate:"required" description:"HostIdentifier"` Line *numerics.Integer `json:"line,omitempty" validate:"required" description:"Line"` LogType *string `json:"logType,omitempty" description:"LogType"` LogUnderscoreType *string `json:"log_type,omitempty" description:"LogUnderScoreType"` Message *string `json:"message,omitempty" description:"Message"` Severity *numerics.Integer `json:"severity,omitempty" validate:"required" description:"Severity"` UnixTime *numerics.Integer `json:"unixTime,omitempty" validate:"required" description:"UnixTime"` Version *string `json:"version,omitempty" validate:"required" description:"Version"` // NOTE: added to end of struct to allow expansion later parsers.PantherLog }
nolint:lll
type StatusParser ¶
type StatusParser struct{}
StatusParser parses OsQuery Status logs
func (*StatusParser) LogType ¶
func (p *StatusParser) LogType() string
LogType returns the log type supported by this parser
func (*StatusParser) New ¶ added in v0.3.0
func (p *StatusParser) New() parsers.LogParser
func (*StatusParser) Parse ¶
func (p *StatusParser) Parse(log string) ([]*parsers.PantherLog, error)
Parse returns the parsed events or nil if parsing failed