How to write a Syslog plugin
Locate/create test data
- Add a test file to the test_data directory
Create empty files and classes
- Plugin file in plaso/parsers/syslog_plugins
  - Create an empty subclass of plaso.parsers.syslog_plugins.interface.SyslogPlugin
  - Register it with the syslog parser by calling SyslogParser.RegisterPlugin
  - Create an empty subclass of SyslogLineEventData
  - Choose an appropriate DATA_TYPE value, starting with 'syslog:'
- Plugin test file in tests/parsers/syslog_plugins
- Formatter file in plaso/formatters
  - Create an empty subclass of ConditionalEventFormatter
  - Define the DATA_TYPE value to be the same as for your EventData class
- Formatter test file in tests/formatters
Write event data class
- Create a subclass of SyslogLineEventData in the plugin file.
- Define the attributes that events produced by your plugin will have.
Write minimal tests
- Write a test that loads your plugin and parses a file.
- It will fail initially, but running it while you develop the plugin gives you a quick way to see whether your code does what you expect.
- Implement your subclass of plaso.parsers.syslog_plugins.interface.SyslogPlugin
- You'll need to define/overwrite:
Write the formatter
- Implement your formatter
- Add additional tests that test your plugin and formatter
- Edit plaso/parsers/syslog_plugins/__init__.py to import your plugin in the correct alphabetical order.
- Edit plaso/formatters/__init__.py to import your formatter in the correct alphabetical order.
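The steps above describe the shape of a plugin, its event data class and its formatter without showing the pieces together. The following is an added example (not code from the plaso project) that models that layout end to end so it can run without plaso installed: the `SyslogLineEventData`, `SyslogPlugin`, `SyslogParser` and `ConditionalEventFormatter` classes here are minimal stand-ins, not plaso's real classes, and the attribute and method names `REPORTER`, `ParseMessage`, `ParseLine`, `FORMAT_STRING_PIECES` and `GetMessage` are assumptions chosen for the illustration. The plugin parses accepted SSH logins, falls back to a generic `syslog:line` event for anything it does not recognise, and the formatter drops any piece whose attributes are missing. The syslog lines are constructed sample data.

```python
"""Stand-in model of the syslog-plugin layout (added example, not plaso code)."""
import re


class SyslogLineEventData(object):
    """Stand-in for plaso's SyslogLineEventData: a generic syslog line event."""

    DATA_TYPE = 'syslog:line'

    def __init__(self):
        self.reporter = None
        self.pid = None
        self.body = None


class SyslogPlugin(object):
    """Stand-in for the SyslogPlugin interface (REPORTER/ParseMessage are assumed names)."""

    NAME = None
    REPORTER = None

    def ParseMessage(self, reporter, pid, body):
        """Returns event data for the message, or None if the plugin does not understand it."""
        raise NotImplementedError()


class SyslogParser(object):
    """Stand-in parser: splits a BSD-style syslog line and hands the message to a plugin."""

    _LINE_RE = re.compile(
        r'^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
        r'(?P<reporter>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<body>.*)$')
    _plugins = {}

    @classmethod
    def RegisterPlugin(cls, plugin_class):
        cls._plugins[plugin_class.REPORTER] = plugin_class

    @classmethod
    def ParseLine(cls, line):
        match = cls._LINE_RE.match(line)
        if not match:
            return None
        reporter = match.group('reporter')
        pid = int(match.group('pid')) if match.group('pid') else None
        body = match.group('body')
        plugin_class = cls._plugins.get(reporter)
        event_data = plugin_class().ParseMessage(reporter, pid, body) if plugin_class else None
        if event_data is None:
            # No plugin claimed the message: fall back to a generic syslog:line event.
            event_data = SyslogLineEventData()
            event_data.reporter, event_data.pid, event_data.body = reporter, pid, body
        return event_data


class SSHLoginEventData(SyslogLineEventData):
    """Event data for an accepted SSH login; DATA_TYPE starts with 'syslog:' as required."""

    DATA_TYPE = 'syslog:ssh:login'

    def __init__(self):
        super(SSHLoginEventData, self).__init__()
        self.authentication_method = None
        self.username = None
        self.ip_address = None
        self.port = None


class SSHLoginSyslogPlugin(SyslogPlugin):
    """Plugin for sshd 'Accepted ...' messages (hypothetical, for illustration)."""

    NAME = 'ssh_login'
    REPORTER = 'sshd'
    _ACCEPTED_RE = re.compile(
        r'^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)')

    def ParseMessage(self, reporter, pid, body):
        match = self._ACCEPTED_RE.match(body)
        if not match:
            return None  # let the parser fall back to syslog:line
        event_data = SSHLoginEventData()
        event_data.reporter, event_data.pid, event_data.body = reporter, pid, body
        event_data.authentication_method = match.group('method')
        event_data.username = match.group('user')
        event_data.ip_address = match.group('ip')
        event_data.port = int(match.group('port'))
        return event_data


SyslogParser.RegisterPlugin(SSHLoginSyslogPlugin)


class ConditionalEventFormatter(object):
    """Stand-in: a piece is emitted only when every attribute it references is set."""

    DATA_TYPE = None
    FORMAT_STRING_PIECES = []
    _ATTRIBUTE_RE = re.compile(r'\{(\w+)\}')

    def GetMessage(self, event_data):
        if event_data.DATA_TYPE != self.DATA_TYPE:
            raise ValueError('formatter does not handle {0:s}'.format(event_data.DATA_TYPE))
        attributes = vars(event_data)
        pieces = []
        for piece in self.FORMAT_STRING_PIECES:
            names = self._ATTRIBUTE_RE.findall(piece)
            if all(attributes.get(name) is not None for name in names):
                pieces.append(piece.format(**attributes))
        return ' '.join(pieces)


class SSHLoginFormatter(ConditionalEventFormatter):
    """Formatter whose DATA_TYPE matches the event data class, as the page requires."""

    DATA_TYPE = 'syslog:ssh:login'
    FORMAT_STRING_PIECES = [
        '{reporter}', '[pid: {pid}]',
        'accepted {authentication_method} login for {username}',
        'from {ip_address}', 'port {port}']


# Constructed sample lines, not taken from any real system.
SAMPLE_LINES = [
    'Mar 15 10:01:23 webhost sshd[2201]: Accepted publickey for deploy from 192.0.2.10 port 51234 ssh2',
    'Mar 15 10:01:30 webhost cron[77]: (root) CMD (run-parts /etc/cron.hourly)',
    'Mar 15 10:01:41 webhost sshd[2210]: Connection closed by 192.0.2.10 port 51234',
]


def ParseSampleLines(lines=SAMPLE_LINES):
    """Returns (data_type, message) tuples; unparseable lines get data_type None."""
    formatter = SSHLoginFormatter()
    results = []
    for line in lines:
        event_data = SyslogParser.ParseLine(line)
        if event_data is None:
            results.append((None, line))
            continue
        if event_data.DATA_TYPE == SSHLoginFormatter.DATA_TYPE:
            message = formatter.GetMessage(event_data)
        else:
            message = '{0:s}: {1:s}'.format(event_data.reporter, event_data.body)
        results.append((event_data.DATA_TYPE, message))
    return results


if __name__ == '__main__':
    for data_type, message in ParseSampleLines():
        print(data_type, message)
```

The fallback in `ParseLine` is the behaviour worth copying into a real plugin's tests: a message from the right reporter that the plugin does not recognise should still surface as a generic syslog event rather than being silently dropped, and the formatter test should cover an event with a missing attribute to confirm the conditional pieces are omitted cleanly.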