python lib for mozdef clients
This lib has been superseded by mozdef_client. This was done to avoid confusion with "internal" MozDef libs and imports.

If converting to the new lib, you'll need to import mozdef_client instead of mozdef:

.. code:: python

    import mozdef_client


Python lib for MozDef clients.


As a python module

Manually:

.. code:: bash

    make install

As an rpm/deb package:

.. code:: bash

    make rpm
    make deb
    rpm -i <package.rpm>
    dpkg -i <package.deb>

From the code/integrate in my code

Add to your project with:

.. code:: bash

    git submodule add mozdef
    git commit -a

Python dependencies

  • requests_futures for python2 (optional but highly recommended; without it, messages are sent synchronously)
  • pytz



If you can, it is recommended to fill in details={}, category='' and severity='' even though those are optional.

Syslog compatibility

Should you need syslog compatibility (for example, to stay compatible with non-MozDef setups without having to handle the conversion to syslog yourself), simply set sendToSyslog to True on your message.

The message will be flattened out and the fields that syslog already provides (timestamp, hostname, process id) will be stripped. Additionally, the severity field will be mapped to syslog's priority field where possible (the severity name has to match a syslog priority name).


JSON/MozDef output:

.. code:: json

    {
        "category": "event",
        "details": {},
        "hostname": "kang-vp",
        "processid": 16347,
        "processname": "",
        "severity": "INFO",
        "summary": "test msg",
        "tags": [],
        "timestamp": "2014-05-13T14:59:54.093572+00:00"
    }

Syslog output:

.. code::

    May 13 14:59:54 kang-vp[16347]: details: {} tags: [] category: event summary: test syslog msg
    May 13 14:59:54 kang-vp[16347]: details: {'uid': 0, 'username': 'kang'} tags: ['bro', 'auth'] category: authentication summary: new test msg
    May 13 14:59:54 kang-vp[16347]: details: {} tags: [] category: event summary: another test msg
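The flattening described above, written out as an added illustration (this is not mozdef_client's own code; the function names, the field order and the two sample messages are constructed here to reproduce the syslog lines shown). It strips the header fields syslog carries itself, keeps the remaining fields as "key: value" pairs, and maps severity to a syslog priority number only when the name matches one, which is why a MozDef severity such as "CRITICAL" falls back to the default rather than becoming CRIT:

```python
from datetime import datetime

# Standard syslog severity numbers (RFC 5424 / <syslog.h>), keyed by the name
# that follows LOG_ in the C API. A MozDef severity only maps when its name
# matches one of these, as the README describes.
SYSLOG_PRIORITY = {
    "EMERG": 0, "ALERT": 1, "CRIT": 2, "ERR": 3,
    "WARNING": 4, "NOTICE": 5, "INFO": 6, "DEBUG": 7,
}

# Fields the syslog header already carries; they are dropped from the body.
SYSLOG_PROVIDED = ("timestamp", "hostname", "processid", "processname", "severity")

# Body field order used by the sample output above.
BODY_FIELDS = ("details", "tags", "category", "summary")


def severity_to_priority(severity, default=SYSLOG_PRIORITY["INFO"]):
    """Return the syslog severity number for a MozDef severity string, or
    ``default`` when the name does not match a syslog priority name."""
    return SYSLOG_PRIORITY.get(str(severity).upper(), default)


def flatten_for_syslog(msg):
    """Render a MozDef message dict as a single syslog line.

    Header: "<Mon dd HH:MM:SS> <hostname>[<processid>]:" (day is space padded
    like traditional syslog), followed by the non-header fields."""
    ts = datetime.fromisoformat(msg["timestamp"])
    stamp = "{} {:2d} {}".format(ts.strftime("%b"), ts.day, ts.strftime("%H:%M:%S"))
    header = "{} {}[{}]:".format(stamp, msg["hostname"], msg["processid"])
    body = " ".join(
        "{}: {}".format(key, msg[key])
        for key in BODY_FIELDS
        if key in msg and key not in SYSLOG_PROVIDED
    )
    return header + " " + body


# Constructed sample messages matching the README's example output.
SAMPLE_EVENT = {
    "category": "event", "details": {}, "hostname": "kang-vp",
    "processid": 16347, "processname": "", "severity": "INFO",
    "summary": "test syslog msg", "tags": [],
    "timestamp": "2014-05-13T14:59:54.093572+00:00",
}
SAMPLE_AUTH = {
    "category": "authentication",
    "details": {"uid": 0, "username": "kang"},
    "hostname": "kang-vp", "processid": 16347, "processname": "",
    "severity": "CRITICAL", "summary": "new test msg",
    "tags": ["bro", "auth"],
    "timestamp": "2014-05-13T14:59:54.093572+00:00",
}

if __name__ == "__main__":
    for sample in (SAMPLE_EVENT, SAMPLE_AUTH):
        print(flatten_for_syslog(sample),
              "(priority {})".format(severity_to_priority(sample["severity"])))
```

Note that "CRITICAL" is not a syslog priority name, so it maps to the default INFO (6) here; use "CRIT" if the message is meant to arrive at syslog's critical level.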

MozDef message structure

These are also the 'internal attributes' which you can modify.

.. code:: json

    {
        "category": "authentication",
        "details": {
            "uid": 0,
            "username": "kang"
        },
        "hostname": "",
        "processid": 14619,
        "processname": "./",
        "severity": "CRITICAL",
        "summary": "new test msg",
        "tags": [
            "bro",
            "auth"
        ],
        "timestamp": "2014-03-18T23:20:31.013344+00:00"
    }

Certificate handling

During testing with self-signed certificates, it may be useful to disable certificate checking while connecting to MozDef. It may also just be that you have a custom CA file that you want to point to.

This is how you do all of this:

.. code:: python

    msg.verify_certificate = False  # not recommended, security issue.
    msg.verify_certificate = True   # uses default certs from /etc/ssl/certs
    msg.verify_certificate = '/etc/path/to/custom/cert'


Disabling certificate checking introduces a security issue and is generally not recommended, especially in production.
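As an added example (not mozdef_client's own code), a small validator for a verify_certificate-style setting that turns the three documented forms into what an HTTP client's verify argument expects, and refuses the insecure form unless the caller opts in explicitly. The function names, the allow_insecure flag and the placeholder CA file written in the demo are hypothetical:

```python
import os
import tempfile


class InsecureVerifySetting(ValueError):
    """Raised when certificate verification would be disabled without opt-in."""


def resolve_verify(setting, allow_insecure=False):
    """Map a verify_certificate-style value to a TLS client's verify argument.

    True          -> True (system CA bundle, e.g. /etc/ssl/certs)
    '/path/ca.pem'-> that path, if it exists and contains a PEM certificate
    False         -> False only when allow_insecure is set explicitly
    """
    if setting is True:
        return True
    if setting is False:
        if not allow_insecure:
            raise InsecureVerifySetting(
                "certificate verification disabled; set allow_insecure=True "
                "only for test setups")
        return False
    if isinstance(setting, str):
        if not os.path.isfile(setting):
            raise FileNotFoundError("CA bundle not found: {}".format(setting))
        with open(setting, "rb") as fh:
            data = fh.read()
        # A CA bundle must carry at least one PEM certificate block.
        if b"-----BEGIN CERTIFICATE-----" not in data:
            raise ValueError("CA bundle has no PEM certificate: {}".format(setting))
        return setting
    raise TypeError("verify setting must be True, False or a CA path")


def is_accepted(setting, allow_insecure=False):
    """True when resolve_verify() accepts the setting, False otherwise."""
    try:
        resolve_verify(setting, allow_insecure=allow_insecure)
        return True
    except (ValueError, OSError, TypeError):
        return False


def demo_custom_ca():
    """Write a constructed placeholder CA file and return whether the custom
    CA path form resolves to that same path."""
    with tempfile.TemporaryDirectory() as tmp:
        ca_path = os.path.join(tmp, "custom-ca.pem")
        with open(ca_path, "wb") as fh:
            # Placeholder body: only the PEM framing matters for this check.
            fh.write(b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
        return resolve_verify(ca_path) == ca_path


if __name__ == "__main__":
    print("default bundle:", resolve_verify(True))
    print("custom CA accepted:", demo_custom_ca())
    print("False without opt-in accepted:", is_accepted(False))
```

The point of the explicit opt-in is that a False left behind after testing fails loudly at startup instead of silently sending events over an unverified connection.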