How to use the plaso.formatters.interface.ConditionalEventFormatter function in plaso
To help you get started, we’ve selected a few plaso examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
log2timeline / plaso / plaso / formatters / cron.py View on Github 
# -*- coding: utf-8 -*-
"""The syslog cron formatters."""
from __future__ import unicode_literals
from plaso.formatters import interface
from plaso.formatters import manager
class CronTaskRunEventFormatter(interface.ConditionalEventFormatter):
"""Formatter for a syslog cron task run event."""
DATA_TYPE = 'syslog:cron:task_run'
FORMAT_STRING_SEPARATOR = ' '
FORMAT_STRING_PIECES = [
'Cron ran: {command}',
'for user: {username}',
'pid: {pid}']
FORMAT_STRING_SHORT = '{body}'
SOURCE_LONG = 'Cron log'
SOURCE_SHORT = 'LOG'# -*- coding: utf-8 -*-
"""The Java WebStart Cache IDX event formatter."""
from __future__ import unicode_literals
from plaso.formatters import interface
from plaso.formatters import manager
class JavaIDXFormatter(interface.ConditionalEventFormatter):
"""Formatter for an Java WebStart Cache IDX download event."""
DATA_TYPE = 'java:download:idx'
FORMAT_STRING_PIECES = [
'IDX Version: {idx_version}',
'Host IP address: ({ip_address})',
'Download URL: {url}']
SOURCE_LONG = 'Java Cache IDX'
SOURCE_SHORT = 'JAVA_IDX'
manager.FormattersManager.RegisterFormatter(JavaIDXFormatter)# -*- coding: utf-8 -*-
"""The Android Application Usage event formatter."""
from __future__ import unicode_literals
from plaso.formatters import interface
from plaso.formatters import manager
class AndroidApplicationFormatter(interface.ConditionalEventFormatter):
"""Formatter for an Application Last Resumed event."""
DATA_TYPE = 'android:event:last_resume_time'
FORMAT_STRING_PIECES = [
'Package: {package}',
'Component: {component}']
SOURCE_LONG = 'Android App Usage'
SOURCE_SHORT = 'LOG'
manager.FormattersManager.RegisterFormatter(AndroidApplicationFormatter)if self.DATA_TYPE != event_data.data_type:
raise errors.WrongFormatter('Unsupported data type: {0:s}.'.format(
event_data.data_type))
event_values = event_data.CopyToDict()
pin_status = event_values.get('pin_status', 0)
if pin_status == -1:
event_values['pin_status'] = 'Unpinned'
else:
event_values['pin_status'] = 'Pinned'
return self._ConditionalFormatMessages(event_values)
class OLECFDocumentSummaryInfoFormatter(interface.ConditionalEventFormatter):
"""Formatter for an OLECF Document Summary Info property set stream event."""
DATA_TYPE = 'olecf:document_summary_info'
FORMAT_STRING_PIECES = [
'Number of bytes: {number_of_bytes}',
'Number of lines: {number_of_lines}',
'Number of paragraphs: {number_of_paragraphs}',
'Number of slides: {number_of_slides}',
'Number of notes: {number_of_notes}',
'Number of hidden slides: {number_of_hidden_slides}',
'Number of multi-media clips: {number_of_clips}',
'Company: {company}',
'Manager: {manager}',
'Shared document: {shared_document}',
'Application version: {application_version}',# -*- coding: utf-8 -*-
"""The Windows Shortcut (LNK) event formatter."""
from __future__ import unicode_literals
from plaso.formatters import interface
from plaso.formatters import manager
from plaso.lib import errors
class WinLnkLinkFormatter(interface.ConditionalEventFormatter):
"""Formatter for a Windows Shortcut (LNK) link event."""
DATA_TYPE = 'windows:lnk:link'
FORMAT_STRING_PIECES = [
'[{description}]',
'File size: {file_size}',
'File attribute flags: 0x{file_attribute_flags:08x}',
'Drive type: {drive_type}',
'Drive serial number: 0x{drive_serial_number:08x}',
'Volume label: {volume_label}',
'Local path: {local_path}',
'Network path: {network_path}',
'cmd arguments: {command_line_arguments}',
'env location: {env_var_location}',
'Relative path: {relative_path}',# -*- coding: utf-8 -*-
"""The MacOS launch services (LS) quarantine event formatter."""
from __future__ import unicode_literals
from plaso.formatters import interface
from plaso.formatters import manager
class LSQuarantineFormatter(interface.ConditionalEventFormatter):
"""Formatter for a launch services (LS) quarantine history event."""
DATA_TYPE = 'macosx:lsquarantine'
FORMAT_STRING_PIECES = [
'[{agent}]',
'Downloaded: {url}',
'<{data}>']
FORMAT_STRING_SHORT_PIECES = ['{url}']
SOURCE_LONG = 'LS Quarantine Event'
SOURCE_SHORT = 'LOG'
manager.FormattersManager.RegisterFormatter(LSQuarantineFormatter)# -*- coding: utf-8 -*-
"""The Firefox cookie entry event formatter."""
from __future__ import unicode_literals
from plaso.formatters import interface
from plaso.formatters import manager
class FirefoxCookieFormatter(interface.ConditionalEventFormatter):
"""The Firefox cookie entry event formatter."""
DATA_TYPE = 'firefox:cookie:entry'
FORMAT_STRING_PIECES = [
'{url}',
'({cookie_name})',
'Flags:',
'[HTTP only]: {httponly}',
'(GA analysis: {ga_data})']
FORMAT_STRING_SHORT_PIECES = [
'{host}',
'({cookie_name})']
SOURCE_LONG = 'Firefox Cookies'# -*- coding: utf-8 -*-
"""The MacOS securityd log file event formatter."""
from __future__ import unicode_literals
from plaso.formatters import interface
from plaso.formatters import manager
class MacOSSecuritydLogFormatter(interface.ConditionalEventFormatter):
"""Formatter for a MacOS securityd log event."""
DATA_TYPE = 'mac:securityd:line'
FORMAT_STRING_PIECES = [
'Sender: {sender}',
'({sender_pid})',
'Level: {level}',
'Facility: {facility}',
'Text: {message}']
FORMAT_STRING_SHORT_PIECES = ['Text: {message}']
SOURCE_LONG = 'Mac Securityd Log'
SOURCE_SHORT = 'LOG'# -*- coding: utf-8 -*-
"""The Systemd journal file event formatter."""
from __future__ import unicode_literals
from plaso.formatters import interface
from plaso.formatters import manager
class SystemdJournalEventFormatter(interface.ConditionalEventFormatter):
"""Formatter for a Systemd journal event."""
DATA_TYPE = 'systemd:journal'
# It would be nice to have the _MACHINE_ID field, which is a unique identifier
# for the system, and hopefully more unique than the _HOSTNAME field.
# Unfortunately, journal files that have not been closed cleanly may contain
# entries that have no _MACHINE_ID field.
FORMAT_STRING_SEPARATOR = ''
FORMAT_STRING_PIECES = [
'{hostname} ',
'[',
'{reporter}',
', pid: {pid}',# -*- coding: utf-8 -*-
"""The Android mmssms.db database event formatter."""
from __future__ import unicode_literals
from plaso.formatters import interface
from plaso.formatters import manager
class AndroidSmsFormatter(interface.ConditionalEventFormatter):
"""Formatter for an Android SMS event."""
DATA_TYPE = 'android:messaging:sms'
FORMAT_STRING_PIECES = [
'Type: {sms_type}',
'Address: {address}',
'Status: {sms_read}',
'Message: {body}']
FORMAT_STRING_SHORT_PIECES = ['{body}']
SOURCE_LONG = 'Android SMS messages'
SOURCE_SHORT = 'SMS'plaso
Plaso (log2timeline) - Super timeline all the things
Package Health Score
81 / 100Popular plaso functions
- plaso.containers.events
- plaso.containers.events.EventData
- plaso.containers.sessions.Session
- plaso.containers.time_events
- plaso.containers.time_events.DateTimeValuesEvent
- plaso.engine.knowledge_base.KnowledgeBase
- plaso.formatters.interface
- plaso.formatters.interface.ConditionalEventFormatter
- plaso.formatters.manager
- plaso.formatters.manager.FormattersManager
- plaso.formatters.manager.FormattersManager.RegisterFormatter
- plaso.lib.definitions
- plaso.lib.errors
- plaso.lib.errors.BadConfigObject
- plaso.lib.errors.BadConfigOption
- plaso.lib.errors.ParseError
- plaso.lib.errors.UnableToParseFile
- plaso.lib.py2to3
- plaso.lib.timelib.Timestamp.CopyFromString
- plaso.parsers.manager.ParsersManager.RegisterParser