How to write an analysis plugin
The Plaso Github wiki is now deprecated
Content was migrated to ReadTheDocs
The information below is likely to be out of date.
To update the current documentation, send a pull request that changes a file in the docs subdirectory of the Plaso source tree.
Create file and class
- Plugin file in plaso/analysis/
  - Create an empty subclass of plaso.analysis.interface.AnalysisPlugin
  - Register it with the analysis plugin manager by calling AnalysisPluginManager.RegisterPlugin
- Test file in tests/analysis/
  - Create an empty subclass of tests.analysis.test_lib.AnalysisPluginTestCase
Write minimal tests
- Write a test that loads your plugin
- It will fail initially, but running the test while you're developing your plugin gives you a quick way to see if your code is doing what you expect.
- Implement your subclass of plaso.analysis.interface.AnalysisPlugin
  - You'll need to define/override:
  - You may also want to override:
    - ENABLE_IN_EXTRACTION, if your plugin is eligible to run while Plaso is extracting events.
- Add additional tests that test your plugin
- Edit plaso/analysis/__init__.py to import your plugin in the correct alphabetical order.
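
The steps above as one sketch, added here and not taken from the Plaso source: a plugin subclass, its registration, and the lookup a "load your plugin" test relies on. The two base classes are stand-ins so the code runs without Plaso installed; the hook names NAME, ExamineEvent and CompileReport with their simplified signatures, the DataTypeCountPlugin class and the load_plugin helper are assumptions for illustration, so check the current ReadTheDocs documentation for the real interface.

```python
"""Added sketch; stand-in classes replace Plaso so it runs without Plaso."""
import collections


class AnalysisPlugin(object):
  """Stand-in for plaso.analysis.interface.AnalysisPlugin (simplified)."""
  NAME = 'analysis_plugin'
  ENABLE_IN_EXTRACTION = False

  def ExamineEvent(self, event):  # assumed hook name and signature
    raise NotImplementedError

  def CompileReport(self):  # assumed hook name and signature
    raise NotImplementedError


class AnalysisPluginManager(object):
  """Stand-in registry; only RegisterPlugin is named on the page."""
  _plugin_classes = {}

  @classmethod
  def RegisterPlugin(cls, plugin_class):
    name = plugin_class.NAME.lower()
    if name in cls._plugin_classes:
      raise KeyError('Plugin already registered: {0:s}'.format(name))
    cls._plugin_classes[name] = plugin_class


class DataTypeCountPlugin(AnalysisPlugin):
  """Hypothetical plugin: tallies events per data type."""
  NAME = 'data_type_count'
  ENABLE_IN_EXTRACTION = True  # eligible to run while events are extracted

  def __init__(self):
    super(DataTypeCountPlugin, self).__init__()
    self._counter = collections.Counter()

  def ExamineEvent(self, event):
    # Events missing the attribute are counted, not silently dropped.
    self._counter[event.get('data_type', 'UNKNOWN')] += 1

  def CompileReport(self):
    return '\n'.join(
        '{0:s}: {1:d}'.format(k, v) for k, v in sorted(self._counter.items()))


AnalysisPluginManager.RegisterPlugin(DataTypeCountPlugin)


def load_plugin(name):
  """Hypothetical helper for tests: instantiate a registered plugin by name."""
  return AnalysisPluginManager._plugin_classes[name.lower()]()
```

In a real plugin file, only the subclass and the RegisterPlugin call remain, and the test class derives from tests.analysis.test_lib.AnalysisPluginTestCase.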