awslogs


Overview

Package awslogs defines parsers and log types for AWS logs.

Index

Constants

const (
	TypeALB               = "AWS.ALB"
	TypeAuroraMySQLAudit  = `AWS.AuroraMySQLAudit`
	TypeCloudTrail        = `AWS.CloudTrail`
	TypeCloudTrailDigest  = "AWS.CloudTrailDigest"
	TypeCloudTrailInsight = "AWS.CloudTrailInsight"
	TypeCloudWatchEvents  = "AWS.CloudWatchEvents"
	TypeGuardDuty         = "AWS.GuardDuty"
	TypeS3ServerAccess    = "AWS.S3ServerAccess"
	TypeVPCFlow           = "AWS.VPCFlow"
)
const SizeAccountID = 12

Variables

This section is empty.

Functions

func ScanARN added in v1.8.0

func ScanARN(w pantherlog.ValueWriter, input string)

func ScanAccountID added in v1.8.0

func ScanAccountID(w pantherlog.ValueWriter, input string)

func ScanInstanceID added in v1.8.0

func ScanInstanceID(w pantherlog.ValueWriter, input string)

func ScanTag added in v1.8.0

func ScanTag(w pantherlog.ValueWriter, input string)

Types

type ALB

type ALB struct {
	Type                   *string            `json:"type,omitempty" validate:"oneof=http https h2 ws wss" description:"The type of request or connection."`
	Timestamp              *timestamp.RFC3339 `` /* 198-byte string literal not displayed */
	ELB                    *string            `` /* 168-byte string literal not displayed */
	ClientIP               *string            `json:"clientIp,omitempty" description:"The IP address of the requesting client."`
	ClientPort             *int               `json:"clientPort,omitempty" description:"The port of the requesting client."`
	TargetIP               *string            `json:"targetIp,omitempty" description:"The IP address of the target that processed this request."`
	TargetPort             *int               `json:"targetPort,omitempty" description:"The port of the target that processed this request."`
	RequestProcessingTime  *float64           `` /* 513-byte string literal not displayed */
	TargetProcessingTime   *float64           `` /* 536-byte string literal not displayed */
	ResponseProcessingTime *float64           `` /* 579-byte string literal not displayed */
	ELBStatusCode          *int               `` /* 127-byte string literal not displayed */
	TargetStatusCode       *int               `` /* 202-byte string literal not displayed */
	ReceivedBytes          *int               `` /* 257-byte string literal not displayed */
	SentBytes              *int               `` /* 232-byte string literal not displayed */
	RequestHTTPMethod      *string            `json:"requestHttpMethod,omitempty" description:"The HTTP method parsed from the request."`
	RequestURL             *string            `json:"requestUrl,omitempty" description:"The HTTP URL parsed from the request."`
	RequestHTTPVersion     *string            `json:"requestHttpVersion,omitempty" description:"The HTTP version parsed from the request."`
	UserAgent              *string            `` /* 243-byte string literal not displayed */
	SSLCipher              *string            `` /* 141-byte string literal not displayed */
	SSLProtocol            *string            `` /* 145-byte string literal not displayed */
	TargetGroupARN         *string            `json:"targetGroupArn,omitempty" description:"The Amazon Resource Name (ARN) of the target group."`
	TraceID                *string            `json:"traceId,omitempty" description:"The contents of the X-Amzn-Trace-Id header."`
	DomainName             *string            `` /* 280-byte string literal not displayed */
	ChosenCertARN          *string            `` /* 243-byte string literal not displayed */
	MatchedRulePriority    *int               `` /* 338-byte string literal not displayed */
	RequestCreationTime    *timestamp.RFC3339 `json:"requestCreationTime,omitempty" description:"The time when the load balancer received the request from the client."`
	ActionsExecuted        []string           `` /* 270-byte string literal not displayed */
	RedirectURL            *string            `` /* 181-byte string literal not displayed */
	ErrorReason            *string            `` /* 278-byte string literal not displayed */

	// NOTE: added to end of struct to allow expansion later
	AWSPantherLog
}

nolint:lll

type ALBParser

type ALBParser struct {
	CSVReader *csvstream.StreamingCSVReader
}

ALBParser parses AWS Application Load Balancer logs

func (*ALBParser) LogType

func (p *ALBParser) LogType() string

LogType returns the log type supported by this parser

func (*ALBParser) New added in v0.3.0

func (p *ALBParser) New() parsers.LogParser

func (*ALBParser) Parse

func (p *ALBParser) Parse(log string) ([]*parsers.PantherLog, error)

Parse returns the parsed events or nil if parsing failed

type AWSExtractor added in v0.2.0

type AWSExtractor struct {
	// contains filtered or unexported fields
}

AWSExtractor extracts useful AWS features that can be detected generically from a log's JSON, using the key as context for the value.

func NewAWSExtractor added in v0.2.0

func NewAWSExtractor(pl *AWSPantherLog) *AWSExtractor

func (*AWSExtractor) Extract added in v0.2.0

func (e *AWSExtractor) Extract(key, value gjson.Result)

type AWSPantherLog added in v0.2.0

type AWSPantherLog struct {
	parsers.PantherLog

	PantherAnyAWSAccountIds  *parsers.PantherAnyString `` /* 131-byte string literal not displayed */
	PantherAnyAWSInstanceIds *parsers.PantherAnyString `` /* 133-byte string literal not displayed */
	PantherAnyAWSARNs        *parsers.PantherAnyString `json:"p_any_aws_arns,omitempty" description:"Panther added field with collection of aws arns associated with the row"`
	PantherAnyAWSTags        *parsers.PantherAnyString `json:"p_any_aws_tags,omitempty" description:"Panther added field with collection of aws tags associated with the row"`
}

nolint(lll)

func (*AWSPantherLog) AppendAnyAWSARNPtrs added in v0.2.0

func (pl *AWSPantherLog) AppendAnyAWSARNPtrs(values ...*string)

func (*AWSPantherLog) AppendAnyAWSARNs added in v0.2.0

func (pl *AWSPantherLog) AppendAnyAWSARNs(values ...string)

func (*AWSPantherLog) AppendAnyAWSAccountIdPtrs added in v0.2.0

func (pl *AWSPantherLog) AppendAnyAWSAccountIdPtrs(values ...*string)

func (*AWSPantherLog) AppendAnyAWSAccountIds added in v0.2.0

func (pl *AWSPantherLog) AppendAnyAWSAccountIds(values ...string)

func (*AWSPantherLog) AppendAnyAWSInstanceIdPtrs added in v0.2.0

func (pl *AWSPantherLog) AppendAnyAWSInstanceIdPtrs(values ...*string)

func (*AWSPantherLog) AppendAnyAWSInstanceIds added in v0.2.0

func (pl *AWSPantherLog) AppendAnyAWSInstanceIds(values ...string)

func (*AWSPantherLog) AppendAnyAWSTagPtrs added in v0.2.0

func (pl *AWSPantherLog) AppendAnyAWSTagPtrs(values ...*string)

func (*AWSPantherLog) AppendAnyAWSTags added in v0.2.0

func (pl *AWSPantherLog) AppendAnyAWSTags(values ...string)

NOTE: each value should be of the form <key>:<value>.

type AuroraMySQLAudit

type AuroraMySQLAudit struct {
	Timestamp    *timestamp.RFC3339 `json:"timestamp,omitempty" description:"The timestamp for the logged event with microsecond precision (UTC)."`
	ServerHost   *string            `json:"serverHost,omitempty" description:"The name of the instance that the event is logged for."`
	Username     *string            `json:"username,omitempty" description:"The connected user name of the user."`
	Host         *string            `json:"host,omitempty" description:"The host that the user connected from."`
	ConnectionID *int               `json:"connectionId,omitempty" description:"The connection ID number for the logged operation."`
	QueryID      *int               `` /* 182-byte string literal not displayed */
	Operation    *string            `` /* 216-byte string literal not displayed */
	Database     *string            `json:"database,omitempty" description:"The active database, as set by the USE command."`
	Object       *string            `` /* 143-byte string literal not displayed */
	RetCode      *int               `json:"retCode,omitempty" description:"The return code of the logged operation."`

	// NOTE: added to end of struct to allow expansion later
	AWSPantherLog
}

nolint:lll

type AuroraMySQLAuditParser

type AuroraMySQLAuditParser struct {
	CSVReader *csvstream.StreamingCSVReader
}

AuroraMySQLAuditParser parses AWS Aurora MySQL Audit logs

func (*AuroraMySQLAuditParser) LogType

func (p *AuroraMySQLAuditParser) LogType() string

LogType returns the log type supported by this parser

func (*AuroraMySQLAuditParser) New added in v0.3.0

func (*AuroraMySQLAuditParser) Parse

Parse returns the parsed events or nil if parsing failed

type CloudTrail

type CloudTrail struct {
	AdditionalEventData *jsoniter.RawMessage    `` /* 128-byte string literal not displayed */
	APIVersion          *string                 `json:"apiVersion,omitempty" description:"Identifies the API version associated with the AwsApiCall eventType value."`
	AWSRegion           *string                 `json:"awsRegion,omitempty" validate:"required" description:"The AWS region that the request was made to, such as us-east-2."`
	ErrorCode           *string                 `json:"errorCode,omitempty" description:"The AWS service error if the request returns an error."`
	ErrorMessage        *string                 `` /* 246-byte string literal not displayed */
	EventID             *string                 `` /* 269-byte string literal not displayed */
	EventName           *string                 `` /* 139-byte string literal not displayed */
	EventSource         *string                 `` /* 196-byte string literal not displayed */
	EventTime           *timestamp.RFC3339      `` /* 137-byte string literal not displayed */
	EventType           *string                 `` /* 213-byte string literal not displayed */
	EventVersion        *string                 `json:"eventVersion,omitempty" validate:"required" description:"The version of the log event format."`
	ManagementEvent     *bool                   `` /* 307-byte string literal not displayed */
	ReadOnly            *bool                   `json:"readOnly,omitempty" description:"Identifies whether this operation is a read-only operation."`
	RecipientAccountID  *string                 `` /* 278-byte string literal not displayed */
	RequestID           *string                 `` /* 126-byte string literal not displayed */
	RequestParameters   *jsoniter.RawMessage    `` /* 205-byte string literal not displayed */
	Resources           []CloudTrailResources   `json:"resources,omitempty" description:"A list of resources accessed in the event."`
	ResponseElements    *jsoniter.RawMessage    `` /* 341-byte string literal not displayed */
	ServiceEventDetails *jsoniter.RawMessage    `` /* 131-byte string literal not displayed */
	SharedEventID       *string                 `` /* 177-byte string literal not displayed */
	SourceIPAddress     *string                 `` /* 309-byte string literal not displayed */
	UserAgent           *string                 `` /* 167-byte string literal not displayed */
	UserIdentity        *CloudTrailUserIdentity `json:"userIdentity,omitempty" validate:"required" description:"Information about the user that made a request."`
	VPCEndpointID       *string                 `` /* 154-byte string literal not displayed */

	// NOTE: added to end of struct to allow expansion later
	AWSPantherLog
}

CloudTrail is a single record from the Records[*] JSON array of an AWS CloudTrail API log. nolint:lll

type CloudTrailDigest added in v1.2.0

type CloudTrailDigest struct {
	AWSAccountID                *string                   `json:"awsAccountId" validate:"required" description:"The AWS account ID for which the digest file has been delivered."`
	DigestStartTime             *timestamp.RFC3339        `` /* 198-byte string literal not displayed */
	DigestEndTime               *timestamp.RFC3339        `` /* 194-byte string literal not displayed */
	DigestS3Bucket              *string                   `` /* 141-byte string literal not displayed */
	DigestS3Object              *string                   `` /* 149-byte string literal not displayed */
	NewestEventTime             *timestamp.RFC3339        `` /* 140-byte string literal not displayed */
	OldestEventTime             *timestamp.RFC3339        `` /* 136-byte string literal not displayed */
	PreviousDigestS3Bucket      *string                   `json:"previousDigestS3Bucket,omitempty" description:"The Amazon S3 bucket to which the previous digest file was delivered."`
	PreviousDigestS3Object      *string                   `` /* 148-byte string literal not displayed */
	PreviousDigestHashValue     *string                   `` /* 147-byte string literal not displayed */
	PreviousDigestHashAlgorithm *string                   `` /* 137-byte string literal not displayed */
	PreviousDigestSignature     *string                   `json:"previousDigestSignature,omitempty" description:"The hexadecimal encoded signature of the previous digest file."`
	DigestPublicKeyFingerprint  *string                   `` /* 181-byte string literal not displayed */
	DigestSignatureAlgorithm    *string                   `json:"digestSignatureAlgorithm" validate:"required" description:"The algorithm used to sign the digest file."`
	LogFiles                    []CloudTrailDigestLogFile `json:"logFiles" validate:"required,min=0" description:"Log files delivered in this digest"`

	// NOTE: added to end of struct to allow expansion later
	AWSPantherLog
}

nolint:lll

type CloudTrailDigestLogFile added in v1.2.0

type CloudTrailDigestLogFile struct {
	S3Bucket        *string            `json:"s3Bucket" validate:"required" description:"The name of the Amazon S3 bucket for the log file."`
	S3Object        *string            `json:"s3Object" validate:"required" description:"The Amazon S3 object key of the current log file."`
	HashValue       *string            `json:"hashValue" validate:"required" description:"The hexadecimal encoded hash value of the uncompressed log file content."`
	HashAlgorithm   *string            `json:"hashAlgorithm" validate:"required" description:"The hash algorithm used to hash the log file."`
	NewestEventTime *timestamp.RFC3339 `` /* 128-byte string literal not displayed */
	OldestEventTime *timestamp.RFC3339 `json:"oldestEventTime" validate:"required" description:"The UTC time of the oldest event among the events in the log file."`
}

nolint:lll

type CloudTrailDigestParser added in v1.2.0

type CloudTrailDigestParser struct{}

func (*CloudTrailDigestParser) LogType added in v1.2.0

func (p *CloudTrailDigestParser) LogType() string

LogType returns the log type supported by this parser

func (*CloudTrailDigestParser) New added in v1.2.0

func (*CloudTrailDigestParser) Parse added in v1.2.0

Parse returns the parsed events or nil if parsing failed

type CloudTrailInsight added in v1.1.0

type CloudTrailInsight struct {
	EventVersion       *string            `json:"eventVersion" validate:"required" description:"The version of the log event format."`
	EventTime          *timestamp.RFC3339 `` /* 127-byte string literal not displayed */
	AWSRegion          *string            `json:"awsRegion" validate:"required" description:"The AWS region that the request was made to, such as us-east-2."`
	EventID            *string            `` /* 259-byte string literal not displayed */
	EventType          *string            `` /* 227-byte string literal not displayed */
	RecipientAccountID *string            `` /* 278-byte string literal not displayed */
	SharedEventID      *string            `` /* 213-byte string literal not displayed */
	InsightDetails     *InsightDetails    `` /* 235-byte string literal not displayed */
	EventCategory      *string            `` /* 168-byte string literal not displayed */

	// NOTE: added to end of struct to allow expansion later
	AWSPantherLog
}

CloudTrailInsight is a CloudTrail Insights event record. Reference: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html nolint:lll

type CloudTrailInsightParser added in v1.1.0

type CloudTrailInsightParser struct{}

func (*CloudTrailInsightParser) LogType added in v1.1.0

func (p *CloudTrailInsightParser) LogType() string

LogType returns the log type supported by this parser

func (*CloudTrailInsightParser) New added in v1.1.0

func (*CloudTrailInsightParser) Parse added in v1.1.0

Parse returns the parsed events or nil if parsing failed

type CloudTrailInsightRecords added in v1.1.0

type CloudTrailInsightRecords struct {
	Records []*CloudTrailInsight `json:"Records" validate:"required,dive"`
}

nolint:lll

type CloudTrailParser

type CloudTrailParser struct{}

CloudTrailParser parses CloudTrail logs

func (*CloudTrailParser) LogType

func (p *CloudTrailParser) LogType() string

LogType returns the log type supported by this parser

func (*CloudTrailParser) New added in v0.3.0

func (*CloudTrailParser) Parse

func (p *CloudTrailParser) Parse(log string) (results []*parsers.PantherLog, err error)

Parse returns the parsed events or nil if parsing failed

type CloudTrailResources

type CloudTrailResources struct {
	ARN       *string `json:"arn"`
	AccountID *string `json:"accountId"`
	Type      *string `json:"type"`
}

CloudTrailResources are the AWS resources used in the API call.

type CloudTrailSessionContext

type CloudTrailSessionContext struct {
	Attributes          *CloudTrailSessionContextAttributes          `json:"attributes,omitempty"`
	SessionIssuer       *CloudTrailSessionContextSessionIssuer       `json:"sessionIssuer,omitempty"`
	WebIDFederationData *CloudTrailSessionContextWebIDFederationData `json:"webIdFederationData,omitempty"`
}

CloudTrailSessionContext provides information about a session created for temporary credentials.

type CloudTrailSessionContextAttributes

type CloudTrailSessionContextAttributes struct {
	MfaAuthenticated *string `json:"mfaAuthenticated,omitempty"`
	CreationDate     *string `json:"creationDate,omitempty"`
}

CloudTrailSessionContextAttributes contains the attributes of the Session context object

type CloudTrailSessionContextSessionIssuer

type CloudTrailSessionContextSessionIssuer struct {
	Type        *string `json:"type,omitempty"`
	PrincipalID *string `json:"principalId,omitempty"`
	Arn         *string `json:"arn,omitempty"`
	AccountID   *string `json:"accountId,omitempty"`
	Username    *string `json:"userName,omitempty"`
}

CloudTrailSessionContextSessionIssuer describes the principal that issued the session's temporary credentials.

type CloudTrailSessionContextWebIDFederationData

type CloudTrailSessionContextWebIDFederationData struct {
	FederatedProvider *string              `json:"federatedProvider,omitempty"`
	Attributes        *jsoniter.RawMessage `json:"attributes,omitempty"`
}

CloudTrailSessionContextWebIDFederationData contains Web ID federation data

type CloudTrailUserIdentity

type CloudTrailUserIdentity struct {
	Type             *string                   `json:"type,omitempty"`
	PrincipalID      *string                   `json:"principalId,omitempty"`
	ARN              *string                   `json:"arn,omitempty"`
	AccountID        *string                   `json:"accountId,omitempty"`
	AccessKeyID      *string                   `json:"accessKeyId,omitempty"`
	Username         *string                   `json:"userName,omitempty"`
	SessionContext   *CloudTrailSessionContext `json:"sessionContext,omitempty"`
	InvokedBy        *string                   `json:"invokedBy,omitempty"`
	IdentityProvider *string                   `json:"identityProvider,omitempty"`
}

CloudTrailUserIdentity contains details about the type of IAM identity that made the request.

type CloudWatchEvent added in v1.6.0

type CloudWatchEvent struct {
	ID         *string              `` /* 184-byte string literal not displayed */
	Account    *string              `json:"account" validate:"required" description:"The 12-digit number identifying an AWS account."`
	Source     *string              `` /* 315-byte string literal not displayed */
	Resources  []string             `` /* 419-byte string literal not displayed */
	Region     *string              `json:"region" validate:"required" description:"Identifies the AWS region where the event originated."`
	DetailType *string              `` /* 157-byte string literal not displayed */
	Version    *string              `json:"version" validate:"required" description:"By default, this is set to 0 (zero) in all events."`
	Time       *timestamp.RFC3339   `` /* 294-byte string literal not displayed */
	Detail     *jsoniter.RawMessage `` /* 298-byte string literal not displayed */

	// NOTE: added to end of struct to allow expansion later
	AWSPantherLog
}

nolint:lll

type CloudWatchEventParser added in v1.6.0

type CloudWatchEventParser struct{}

CloudWatchEventParser parses AWS CloudWatch Events

func (*CloudWatchEventParser) LogType added in v1.6.0

func (p *CloudWatchEventParser) LogType() string

LogType returns the log type supported by this parser

func (*CloudWatchEventParser) New added in v1.6.0

func (*CloudWatchEventParser) Parse added in v1.6.0

func (p *CloudWatchEventParser) Parse(log string) ([]*parsers.PantherLog, error)

Parse returns the parsed events or nil if parsing failed

type GuardDuty

type GuardDuty struct {
	SchemaVersion *string              `json:"schemaVersion" validate:"required" description:"The schema format version of this record."`
	AccountID     *string              `` /* 165-byte string literal not displayed */
	Region        *string              `json:"region" validate:"required" description:"The AWS region in which the finding was generated."`
	Partition     *string              `json:"partition" validate:"required" description:"The AWS partition in which the finding was generated."`
	ID            *string              `json:"id,omitempty" validate:"required" description:"A unique identifier for the finding."`
	Arn           *string              `json:"arn" validate:"required" description:"A unique identifier formatted as an ARN for the finding."`
	Type          *string              `json:"type" validate:"required" description:"A concise yet readable description of the potential security issue."`
	Resource      *jsoniter.RawMessage `` /* 154-byte string literal not displayed */
	Severity      *float32             `` /* 128-byte string literal not displayed */
	CreatedAt     *timestamp.RFC3339   `json:"createdAt" validate:"required,min=0" description:"The initial creation time of the finding (UTC)."`
	UpdatedAt     *timestamp.RFC3339   `json:"updatedAt" validate:"required,min=0" description:"The last update time of the finding (UTC)."`
	Title         *string              `json:"title" validate:"required" description:"A short description of the finding."`
	Description   *string              `json:"description" validate:"required" description:"A long description of the finding."`
	Service       *GuardDutyService    `json:"service" validate:"required" description:"Additional information about the affected service."`

	// NOTE: added to end of struct to allow expansion later
	AWSPantherLog
}

nolint:lll

type GuardDutyParser

type GuardDutyParser struct{}

GuardDutyParser parses AWS GuardDuty findings

func (*GuardDutyParser) LogType

func (p *GuardDutyParser) LogType() string

LogType returns the log type supported by this parser

func (*GuardDutyParser) New added in v0.3.0

func (*GuardDutyParser) Parse

func (p *GuardDutyParser) Parse(log string) ([]*parsers.PantherLog, error)

Parse returns the parsed events or nil if parsing failed

type GuardDutyService

type GuardDutyService struct {
	AdditionalInfo *jsoniter.RawMessage `json:"additionalInfo"`
	Action         *jsoniter.RawMessage `json:"action"`
	ServiceName    *string              `json:"serviceName" validate:"required"`
	DetectorID     *string              `json:"detectorId" validate:"required"`
	ResourceRole   *string              `json:"resourceRole"`
	EventFirstSeen *timestamp.RFC3339   `json:"eventFirstSeen"`
	EventLastSeen  *timestamp.RFC3339   `json:"eventLastSeen"`
	Archived       *bool                `json:"archived"`
	Count          *int                 `json:"count"`
}

type InsightAverage added in v1.1.0

type InsightAverage struct {
	Average *float64 `json:"average,omitempty" description:"Average value for the insight metric"`
}

nolint:lll

type InsightContext added in v1.1.0

type InsightContext struct {
	Statistics *InsightStatistics `` /* 242-byte string literal not displayed */
}

nolint:lll

type InsightDetails added in v1.1.0

type InsightDetails struct {
	State          *string         `` /* 179-byte string literal not displayed */
	EventSource    *string         `json:"eventSource" validate:"required" description:"The AWS API for which unusual activity was detected."`
	EventName      *string         `json:"eventName" validate:"required" description:"The AWS API for which unusual activity was detected."`
	InsightType    *string         `json:"insightType" validate:"required" description:"The type of Insights event. Value is ApiCallRateInsight. "`
	InsightContext *InsightContext `` /* 177-byte string literal not displayed */
}

nolint:lll

type InsightStatistics added in v1.1.0

type InsightStatistics struct {
	Baseline        *InsightAverage `` /* 142-byte string literal not displayed */
	Insight         *InsightAverage `` /* 137-byte string literal not displayed */
	InsightDuration *float32        `` /* 229-byte string literal not displayed */
}

nolint:lll

type S3ServerAccess

type S3ServerAccess struct {
	BucketOwner        *string            `` /* 196-byte string literal not displayed */
	Bucket             *string            `` /* 230-byte string literal not displayed */
	Time               *timestamp.RFC3339 `json:"time,omitempty" description:"The time at which the request was received (UTC)."`
	RemoteIP           *string            `` /* 190-byte string literal not displayed */
	Requester          *string            `` /* 329-byte string literal not displayed */
	RequestID          *string            `json:"requestid,omitempty" description:"A string generated by Amazon S3 to uniquely identify each request."`
	Operation          *string            `` /* 188-byte string literal not displayed */
	Key                *string            `` /* 132-byte string literal not displayed */
	RequestURI         *string            `json:"requesturi,omitempty" description:"The Request-URI part of the HTTP request message."`
	HTTPStatus         *int               `json:"httpstatus,omitempty" validate:"omitempty,max=600,min=100" description:"The numeric HTTP status code of the response."`
	ErrorCode          *string            `json:"errorcode,omitempty" description:"The Amazon S3 Error Code, or NULL if no error occurred."`
	BytesSent          *int               `` /* 126-byte string literal not displayed */
	ObjectSize         *int               `json:"objectsize,omitempty" description:"The total size of the object in question."`
	TotalTime          *int               `` /* 330-byte string literal not displayed */
	TurnAroundTime     *int               `` /* 254-byte string literal not displayed */
	Referrer           *string            `` /* 223-byte string literal not displayed */
	UserAgent          *string            `json:"useragent,omitempty" description:"The value of the HTTP User-Agent header."`
	VersionID          *string            `` /* 133-byte string literal not displayed */
	HostID             *string            `json:"hostid,omitempty" description:"The x-amz-id-2 or Amazon S3 extended request ID."`
	SignatureVersion   *string            `` /* 166-byte string literal not displayed */
	CipherSuite        *string            `` /* 136-byte string literal not displayed */
	AuthenticationType *string            `` /* 213-byte string literal not displayed */
	HostHeader         *string            `json:"hostheader,omitempty" description:"The endpoint used to connect to Amazon S3."`
	TLSVersion         *string            `` /* 194-byte string literal not displayed */
	AdditionalFields   []string           `json:"additionalFields,omitempty" description:"The remaining columns in the record as an array."`

	// NOTE: added to end of struct to allow expansion later
	AWSPantherLog
}

nolint:lll

type S3ServerAccessParser

type S3ServerAccessParser struct {
	CSVReader *csvstream.StreamingCSVReader
}

S3ServerAccessParser parses AWS S3 Server Access logs

func (*S3ServerAccessParser) LogType

func (p *S3ServerAccessParser) LogType() string

LogType returns the log type supported by this parser

func (*S3ServerAccessParser) New added in v0.3.0

func (*S3ServerAccessParser) Parse

func (p *S3ServerAccessParser) Parse(log string) ([]*parsers.PantherLog, error)

Parse returns the parsed events or nil if parsing failed

type VPCFlow

type VPCFlow struct {
	Version     *int               `` /* 165-byte string literal not displayed */
	AccountID   *string            `json:"account,omitempty" validate:"omitempty,len=12,numeric" description:"The AWS account ID for the flow log."`
	InterfaceID *string            `json:"interfaceId,omitempty" description:"The ID of the network interface for which the traffic is recorded."`
	SrcAddr     *string            `` /* 258-byte string literal not displayed */
	DstAddr     *string            `` /* 262-byte string literal not displayed */
	SrcPort     *int               `json:"srcPort,omitempty" validate:"omitempty,min=0,max=65535" description:"The source port of the traffic."`
	DstPort     *int               `json:"dstPort,omitempty" validate:"omitempty,min=0,max=65535" description:"The destination port of the traffic."`
	Protocol    *int               `json:"protocol,omitempty" description:"The IANA protocol number of the traffic."`
	Packets     *int               `json:"packets,omitempty" description:"The number of packets transferred during the flow."`
	Bytes       *int               `json:"bytes,omitempty" description:"The number of bytes transferred during the flow."`
	Start       *timestamp.RFC3339 `json:"start,omitempty" validate:"required" description:"The time of the start of the flow (UTC)."`
	End         *timestamp.RFC3339 `json:"end,omitempty" validate:"required" description:"The time of the end of the flow (UTC)."`
	Action      *string            `` /* 296-byte string literal not displayed */
	LogStatus   *string            `` /* 413-byte string literal not displayed */

	// extended custom fields
	VpcID         *string `json:"vpcId,omitempty" description:"The ID of the VPC that contains the network interface for which the traffic is recorded."`
	SubNetID      *string `` /* 131-byte string literal not displayed */
	InstanceID    *string `` /* 291-byte string literal not displayed */
	TCPFlags      *int    `` /* 379-byte string literal not displayed */
	Type          *string `json:"trafficType,omitempty" description:"The type of traffic: IPv4, IPv6, or EFA."`
	PacketSrcAddr *string `` /* 518-byte string literal not displayed */
	PacketDstAddr *string `` /* 526-byte string literal not displayed */

	// NOTE: added to end of struct to allow expansion later
	AWSPantherLog
}

nolint:lll

type VPCFlowParser

type VPCFlowParser struct {
	CSVReader *csvstream.StreamingCSVReader
	// contains filtered or unexported fields
}

VPCFlowParser parses AWS VPC Flow logs

func (*VPCFlowParser) LogType

func (p *VPCFlowParser) LogType() string

LogType returns the log type supported by this parser

func (*VPCFlowParser) New added in v0.3.0

func (p *VPCFlowParser) New() parsers.LogParser

func (*VPCFlowParser) Parse

func (p *VPCFlowParser) Parse(log string) ([]*parsers.PantherLog, error)

Parse returns the parsed events or nil if parsing failed
