From bdfdcb2d28a96a8a8c7b1e7fac8e6238f7e7c070 Mon Sep 17 00:00:00 2001 
From: Joachim Metz Date: Thu, 28 Mar 2024 18:53:06 +0100 Subject: [PATCH] Changes to support event values container --- config/tests/generate_test_files.sh | 18 ++- plaso/analysis/browser_search.py | 4 +- plaso/analysis/chrome_extension.py | 4 +- plaso/analysis/hash_tagging.py | 4 +- plaso/analysis/interface.py | 4 +- plaso/analysis/sessionize.py | 4 +- plaso/analysis/tagging.py | 15 +- plaso/analysis/test_memory.py | 4 +- plaso/analysis/unique_domains_visited.py | 4 +- plaso/containers/events.py | 47 ++++-- plaso/filters/event_filter.py | 6 +- plaso/filters/filters.py | 42 +++-- plaso/multi_process/analysis_engine.py | 14 +- plaso/multi_process/analysis_process.py | 6 +- plaso/multi_process/extraction_engine.py | 36 +++-- plaso/multi_process/merge_helpers.py | 76 ++++++++- plaso/multi_process/output_engine.py | 11 +- plaso/parsers/mediator.py | 19 +++ plaso/parsers/winlnk.py | 133 ++++++++++------ plaso/storage/sqlite/sqlite_file.py | 136 ++++++++++++----- test_data/end_to_end/dynamic.log | 40 ++--- test_data/end_to_end/dynamic_event_filter.log | 8 +- test_data/end_to_end/dynamic_time_zone.log | 40 ++--- .../dynamic_without_dynamic_time.log | 40 ++--- test_data/end_to_end/json.log | 40 ++--- test_data/end_to_end/json_line.log | 40 ++--- test_data/end_to_end/l2tcsv.log | 38 ++--- test_data/end_to_end/l2tcsv_time_zone.log | 38 ++--- test_data/end_to_end/l2ttln.log | 40 ++--- test_data/end_to_end/rawpy.log | 144 +++++++++--------- test_data/end_to_end/tln.log | 8 +- test_data/pinfo_test.plaso | Bin 45056 -> 45056 bytes test_data/psort_test.plaso | Bin 94208 -> 98304 bytes test_data/{ => winlnk}/NeroInfoTool.lnk | Bin test_data/{ => winlnk}/example.lnk | Bin test_data/{ => winlnk}/unpaired_surrogate.lnk | Bin tests/analysis/test_lib.py | 6 +- tests/cli/pinfo_tool.py | 48 ++++-- tests/cli/psort_tool.py | 2 +- tests/containers/events.py | 1 + tests/containers/plist_event.py | 1 + tests/containers/windows_events.py | 3 + tests/data/tag_linux.py | 8 +- 
tests/data/tag_macos.py | 12 +- tests/data/tag_windows.py | 37 +++-- tests/data/test_lib.py | 88 ++++++++++- tests/filters/event_filter.py | 6 +- tests/filters/expression_parser.py | 33 ++-- tests/filters/filters.py | 26 ++-- tests/multi_process/analysis_process.py | 29 ++-- tests/multi_process/output_engine.py | 2 +- tests/parsers/custom_destinations.py | 53 +++++-- .../olecf_plugins/automatic_destinations.py | 40 +++-- tests/parsers/test_lib.py | 33 ++-- tests/parsers/winlnk.py | 64 ++++++-- .../parsers/winreg_plugins/windows_version.py | 1 + 56 files changed, 1018 insertions(+), 538 deletions(-) rename test_data/{ => winlnk}/NeroInfoTool.lnk (100%) rename test_data/{ => winlnk}/example.lnk (100%) rename test_data/{ => winlnk}/unpaired_surrogate.lnk (100%) diff --git a/config/tests/generate_test_files.sh b/config/tests/generate_test_files.sh index 4a3879a4c4..264ac99430 100755 --- a/config/tests/generate_test_files.sh +++ b/config/tests/generate_test_files.sh @@ -16,15 +16,19 @@ fi rm -rf build/ dist/; -./setup.py -q sdist_test_data; +cp MANIFEST.test_data.in MANIFEST.in + +./setup.py -q sdist; if test $? -ne ${EXIT_SUCCESS}; then - echo "Unable to run: ./setup.py sdist_test_data"; + echo "Unable to run: ./setup.py sdist"; exit ${EXIT_FAILURE}; fi +git checkout MANIFEST.in + SDIST_PACKAGE=`ls -1 dist/plaso-*.tar.gz | head -n1 | sed 's?^dist/??'`; if ! test "dist/${SDIST_PACKAGE}"; 
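Review bot: The `exit ${EXIT_FAILURE}` path after `./setup.py -q sdist` leaves the copied `MANIFEST.test_data.in` in place as `MANIFEST.in`, because the new `git checkout MANIFEST.in` only runs on the success path, so a failed run dirties the working tree. Capturing the status and restoring the file before the check keeps both paths clean: `RESULT=$?; git checkout MANIFEST.in; if test ${RESULT} -ne ${EXIT_SUCCESS}; then`. A `trap 'git checkout MANIFEST.in' EXIT` placed right after the `cp` would cover any later exit path as well. The `cp` itself is also unchecked; if it fails, `sdist` would run against whatever `MANIFEST.in` is already present.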
@@ -72,8 +76,8 @@ cp -rf ${SOURCE_DIRECTORY}/* .; TEST_FILE="psort_test.plaso"; # Syslog does not contain a year we must pass preferred year to prevent the parser failing early on non-leap years. -PYTHONPATH=. python ./tools/log2timeline.py --buffer_size=300 --quiet --preferred_year 2012 --storage-file ${TEST_FILE} test_data/syslog; -PYTHONPATH=. python ./tools/log2timeline.py --quiet --timezone=Iceland --preferred_year 2012 --storage-file ${TEST_FILE} test_data/syslog; +PYTHONPATH=. python ./plaso/scripts/log2timeline.py --buffer_size=300 --quiet --preferred_year 2012 --storage-file ${TEST_FILE} test_data/syslog/syslog; +PYTHONPATH=. python ./plaso/scripts/log2timeline.py --quiet --timezone=Iceland --preferred_year 2012 --storage-file ${TEST_FILE} test_data/syslog/syslog; cat > tagging.txt < tagging.txt < self._session_end_timestamp): diff --git a/plaso/analysis/tagging.py b/plaso/analysis/tagging.py index b85fbea91c..2c7c393789 100644 --- a/plaso/analysis/tagging.py +++ b/plaso/analysis/tagging.py @@ -17,7 +17,8 @@ def __init__(self): self._tagging_rules = None def ExamineEvent( - self, analysis_mediator, event, event_data, event_data_stream): + self, analysis_mediator, event, event_data, event_data_stream, + event_values): """Labels events according to the rules in a tagging file. Args: 
@@ -26,13 +27,15 @@ def ExamineEvent( event (EventObject): event to examine. event_data (EventData): event data. event_data_stream (EventDataStream): event data stream. + event_values (AttributeContainer): event values attribute container. """ matched_label_names = [] - for label_name, filter_objects in self._tagging_rules.items(): - for filter_object in filter_objects: - # Note that tagging events based on existing labels is currently - # not supported. - if filter_object.Match(event, event_data, event_data_stream, None): + for label_name, event_filters in self._tagging_rules.items(): + for event_filter in event_filters: + # Note that tagging events based on existing labels is currently not + # supported. + if event_filter.Match( + event, event_data, event_data_stream, event_values, None): matched_label_names.append(label_name) break diff --git a/plaso/analysis/test_memory.py b/plaso/analysis/test_memory.py index b6ccb1fa54..73c3cce1b4 100644 --- a/plaso/analysis/test_memory.py +++ b/plaso/analysis/test_memory.py @@ -35,7 +35,8 @@ def CompileReport(self, analysis_mediator): # pylint: disable=unused-argument def ExamineEvent( - self, analysis_mediator, event, event_data, event_data_stream): + self, analysis_mediator, event, event_data, event_data_stream, + event_values): """Analyzes an event. Args: @@ -44,6 +45,7 @@ def ExamineEvent( event (EventObject): event. event_data (EventData): event data. event_data_stream (EventDataStream): event data stream. + event_values (AttributeContainer): event values attribute container. """ self._objects.append(list(range(1024))) diff --git a/plaso/analysis/unique_domains_visited.py b/plaso/analysis/unique_domains_visited.py index 9eccbcd133..3ddd8b28b7 100644 --- a/plaso/analysis/unique_domains_visited.py +++ b/plaso/analysis/unique_domains_visited.py 
@@ -31,7 +31,8 @@ class UniqueDomainsVisitedPlugin(interface.AnalysisPlugin): # pylint: disable=unused-argument def ExamineEvent( - self, analysis_mediator, event, event_data, event_data_stream): + self, analysis_mediator, event, event_data, event_data_stream, + event_values): """Analyzes an event and extracts domains from it. We only evaluate straightforward web history events, not visits which can @@ -43,6 +44,7 @@ def ExamineEvent( event (EventObject): event to examine. event_data (EventData): event data. event_data_stream (EventDataStream): event data stream. + event_values (AttributeContainer): event values attribute container. """ if event_data.data_type not in self._SUPPORTED_EVENT_DATA_TYPES: return diff --git a/plaso/containers/events.py b/plaso/containers/events.py index c8c1c5592e..3c87650e45 100644 --- a/plaso/containers/events.py +++ b/plaso/containers/events.py @@ -4,8 +4,8 @@ import hashlib import re -from acstore.containers import interface -from acstore.containers import manager +from acstore.containers import interface as containers_interface +from acstore.containers import manager as containers_manager from dfdatetime import interface as dfdatetime_interface @@ -28,8 +28,8 @@ def CalculateEventValuesHash(event_data, event_data_stream): for attribute_name, attribute_value in sorted(event_data.GetAttributes()): if attribute_value is None or attribute_name in ( - '_event_data_stream_identifier', '_event_values_hash', '_parser_chain', - 'data_type'): + '_event_data_stream_identifier', '_event_values_hash', + '_event_values_identifier', '_parser_chain', 'data_type'): continue # Ignore date and time values. @@ -82,7 +82,7 @@ def CalculateEventValuesHash(event_data, event_data_stream): return md5_context.hexdigest() -class DateLessLogHelper(interface.AttributeContainer): +class DateLessLogHelper(containers_interface.AttributeContainer): """Attribute container to assist with logs without full dates. Attributes: 
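Review bot: `CalculateEventValuesHash` still folds only the attributes of `event_data` (plus the stream) into `md5_context`, so once an event's values live in a separate container referenced through `_event_values_identifier`, two event data containers of the same data type that point at different event values contain nothing that distinguishes them in the hash. If this hash is used to deduplicate event data, distinct events could be collapsed; the signature in this hunk is unchanged, so either the event values container would need to be passed in and its attributes hashed too, or the hash computed over the event values container instead. Excluding the storage-specific `_event_values_identifier` itself is correct. The function starts before this hunk and I cannot see where the hash is consumed, so this is inferred from the visible loop.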
@@ -197,7 +197,7 @@ def SetEventDataStreamIdentifier(self, event_data_stream_identifier): self._event_data_stream_identifier = event_data_stream_identifier -class EventData(interface.AttributeContainer): +class EventData(containers_interface.AttributeContainer): """Event data attribute container. The event data attribute container represents the attributes of an entity, @@ -212,6 +212,7 @@ class EventData(interface.AttributeContainer): _SERIALIZABLE_PROTECTED_ATTRIBUTES = [ '_event_data_stream_identifier', '_event_values_hash', + '_event_values_identifier', '_parser_chain'] def __init__(self, data_type=None): @@ -223,6 +224,7 @@ def __init__(self, data_type=None): super(EventData, self).__init__() self._event_data_stream_identifier = None self._event_values_hash = None + self._event_values_identifier = None self._parser_chain = None self.data_type = data_type 
@@ -280,8 +282,31 @@ def SetEventDataStreamIdentifier(self, event_data_stream_identifier): """ self._event_data_stream_identifier = event_data_stream_identifier + def GetEventValuesIdentifier(self): + """Retrieves the identifier of the associated event values container. -class EventDataStream(interface.AttributeContainer): + The event values identifier is a storage specific value that requires + special handling during serialization. + + Returns: + AttributeContainerIdentifier: event values or None when not set. + """ + return self._event_values_identifier + + def SetEventValuesIdentifier(self, event_values_identifier): + """Sets the identifier of the associated event values container. + + The event values identifier is a storage specific value that requires + special handling during serialization. + + Args: + event_values_identifier (AttributeContainerIdentifier): event values + identifier. + """ + self._event_values_identifier = event_values_identifier + + +class EventDataStream(containers_interface.AttributeContainer): """Event data stream attribute container. The event data stream attribute container represents the attributes of @@ -318,7 +343,7 @@ def __init__(self): self.yara_match = None -class EventObject(interface.AttributeContainer): +class EventObject(containers_interface.AttributeContainer): """Event attribute container. The framework is designed to parse files and create events @@ -392,7 +417,7 @@ def SetEventDataIdentifier(self, event_data_identifier): self._event_data_identifier = event_data_identifier -class EventTag(interface.AttributeContainer): +class EventTag(containers_interface.AttributeContainer): """Event tag attribute container. Attributes: 
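Review bot: The `Returns:` line of the new `GetEventValuesIdentifier` reads `AttributeContainerIdentifier: event values or None when not set.`, which names the container rather than the identifier the method returns; the paired `SetEventValuesIdentifier` documents its argument as an identifier. Suggest `AttributeContainerIdentifier: event values identifier or None when not set.` so the two docstrings agree.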
@@ -501,7 +526,7 @@ def SetEventIdentifier(self, event_identifier): # TODO: the YearLessLogHelper attribute container is kept for backwards # compatibility remove once storage format 20230327 is obsolete. -class YearLessLogHelper(interface.AttributeContainer): +class YearLessLogHelper(containers_interface.AttributeContainer): """Year-less log helper attribute container. Attributes: @@ -555,6 +580,6 @@ def SetEventDataStreamIdentifier(self, event_data_stream_identifier): self._event_data_stream_identifier = event_data_stream_identifier -manager.AttributeContainersManager.RegisterAttributeContainers([ +containers_manager.AttributeContainersManager.RegisterAttributeContainers([ DateLessLogHelper, EventData, EventDataStream, EventObject, EventTag, YearLessLogHelper]) diff --git a/plaso/filters/event_filter.py b/plaso/filters/event_filter.py index 064a93eaee..2ee663e924 100644 --- a/plaso/filters/event_filter.py +++ b/plaso/filters/event_filter.py @@ -30,13 +30,15 @@ def CompileFilter(self, filter_expression): self._event_filter = expression.Compile() self._filter_expression = filter_expression - def Match(self, event, event_data, event_data_stream, event_tag): + def Match( + self, event, event_data, event_data_stream, event_values, event_tag): """Determines if an event matches the filter. Args: event (EventObject): event. event_data (EventData): event data. event_data_stream (EventDataStream): event data stream. + event_values (AttributeContainer): event values attribute container. event_tag (EventTag): event tag. Returns: @@ -46,4 +48,4 @@ def Match(self, event, event_data, event_data_stream, event_tag): return True return self._event_filter.Matches( - event, event_data, event_data_stream, event_tag) + event, event_data, event_data_stream, event_values, event_tag) diff --git a/plaso/filters/filters.py b/plaso/filters/filters.py index 1c4d4b9cfc..3405b334e7 100644 --- a/plaso/filters/filters.py +++ b/plaso/filters/filters.py 
@@ -54,13 +54,15 @@ def _CopyValueToString(self, value): return value @abc.abstractmethod - def Matches(self, event, event_data, event_data_stream, event_tag): + def Matches( + self, event, event_data, event_data_stream, event_values, event_tag): """Determines if the event, data and tag match the filter. Args: event (EventObject): event to compare against the filter. event_data (EventData): event data to compare against the filter. event_data_stream (EventDataStream): event data stream. + event_values (AttributeContainer): event values attribute container. event_tag (EventTag): event tag to compare against the filter. Returns: @@ -74,13 +76,15 @@ class AndFilter(Filter): Note that if no conditions are passed, all objects will pass. """ - def Matches(self, event, event_data, event_data_stream, event_tag): + def Matches( + self, event, event_data, event_data_stream, event_values, event_tag): """Determines if the event, data and tag match the filter. Args: event (EventObject): event to compare against the filter. event_data (EventData): event data to compare against the filter. event_data_stream (EventDataStream): event data stream. + event_values (AttributeContainer): event values attribute container. event_tag (EventTag): event tag to compare against the filter. Returns: @@ -88,7 +92,7 @@ def Matches(self, event, event_data, event_data_stream, event_tag): """ for sub_filter in self.args: match = sub_filter.Matches( - event, event_data, event_data_stream, event_tag) + event, event_data, event_data_stream, event_values, event_tag) if not match: return False return True 
@@ -100,13 +104,15 @@ class OrFilter(Filter): Note that if no conditions are passed, all objects will pass. """ - def Matches(self, event, event_data, event_data_stream, event_tag): + def Matches( + self, event, event_data, event_data_stream, event_values, event_tag): """Determines if the event, data and tag match the filter. Args: event (EventObject): event to compare against the filter. event_data (EventData): event data to compare against the filter. event_data_stream (EventDataStream): event data stream. + event_values (AttributeContainer): event values attribute container. event_tag (EventTag): event tag to compare against the filter. Returns: @@ -117,7 +123,7 @@ def Matches(self, event, event_data, event_data_stream, event_tag): for sub_filter in self.args: match = sub_filter.Matches( - event, event_data, event_data_stream, event_tag) + event, event_data, event_data_stream, event_values, event_tag) if match: return True return False @@ -127,13 +133,15 @@ class Operator(Filter): """Interface for filters that represent operators.""" @abc.abstractmethod - def Matches(self, event, event_data, event_data_stream, event_tag): + def Matches( + self, event, event_data, event_data_stream, event_values, event_tag): """Determines if the event, data and tag match the filter. Args: event (EventObject): event to compare against the filter. event_data (EventData): event data to compare against the filter. event_data_stream (EventDataStream): event data stream. + event_values (AttributeContainer): event values attribute container. event_tag (EventTag): event tag to compare against the filter. Returns: 
@@ -144,13 +152,15 @@ def Matches(self, event, event_data, event_data_stream, event_tag): class IdentityFilter(Operator): """A filter which always evaluates to True.""" - def Matches(self, event, event_data, event_data_stream, event_tag): + def Matches( + self, event, event_data, event_data_stream, event_values, event_tag): """Determines if the event, data and tag match the filter. Args: event (EventObject): event to compare against the filter. event_data (EventData): event data to compare against the filter. event_data_stream (EventDataStream): event data stream. + event_values (AttributeContainer): event values attribute container. event_tag (EventTag): event tag to compare against the filter. Returns: @@ -187,13 +197,15 @@ def __init__(self, arguments=None, **kwargs): self.right_operand = arguments[1] @abc.abstractmethod - def Matches(self, event, event_data, event_data_stream, event_tag): + def Matches( + self, event, event_data, event_data_stream, event_values, event_tag): """Determines if the event, data and tag match the filter. Args: event (EventObject): event to compare against the filter. event_data (EventData): event data to compare against the filter. event_data_stream (EventDataStream): event data stream. + event_values (AttributeContainer): event values attribute container. event_tag (EventTag): event tag to compare against the filter. Returns: @@ -233,7 +245,8 @@ def _CompareValue(self, event_value, filter_value): """ def _GetValue( - self, attribute_name, event, event_data, event_data_stream, event_tag): + self, attribute_name, event, event_data, event_data_stream, event_values, + event_tag): """Retrieves the value of a specific event, data or tag attribute. Args: 
@@ -241,6 +254,7 @@ def _GetValue( event (EventObject): event to retrieve the value from. event_data (EventData): event data to retrieve the value from. event_data_stream (EventDataStream): event data stream. + event_values (AttributeContainer): event values attribute container. event_tag (EventTag): event tag to retrieve the value from. Returns: @@ -270,6 +284,9 @@ def _GetValue( elif attribute_name == 'tag': attribute_value = getattr(event_tag, 'labels', None) + elif event_values and attribute_name != 'data_type': + attribute_value = getattr(event_values, attribute_name, None) + else: attribute_value = getattr(event_data, attribute_name, None) @@ -280,20 +297,23 @@ def FlipBool(self): logger.debug('Negative matching.') self._bool_value = not self._bool_value - def Matches(self, event, event_data, event_data_stream, event_tag): + def Matches( + self, event, event_data, event_data_stream, event_values, event_tag): """Determines if the event, data and tag match the filter. Args: event (EventObject): event to compare against the filter. event_data (EventData): event data to compare against the filter. event_data_stream (EventDataStream): event data stream. + event_values (AttributeContainer): event values attribute container. event_tag (EventTag): event tag to compare against the filter. Returns: bool: True if the event, data and tag match the filter, False otherwise. """ value = self._GetValue( - self.left_operand, event, event_data, event_data_stream, event_tag) + self.left_operand, event, event_data, event_data_stream, event_values, + event_tag) if value and self._CompareValue(value, self.right_operand): return self._bool_value diff --git a/plaso/multi_process/analysis_engine.py b/plaso/multi_process/analysis_engine.py index 9108e4a6c1..e0433723dc 100644 --- a/plaso/multi_process/analysis_engine.py +++ b/plaso/multi_process/analysis_engine.py 
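Review bot: In `_GetValue`, the new `elif event_values and attribute_name != 'data_type':` branch routes every attribute name other than `data_type` to `event_values` whenever one is present, so an attribute that is still set on `event_data` can no longer be reached by a filter and resolves to `None`. If that is the intended contract, a comment such as `# With an event values container present, all attributes except data_type are expected to live there.` would make it explicit; otherwise fall back with `if attribute_value is None: attribute_value = getattr(event_data, attribute_name, None)`. The truthiness test `if event_values` also depends on the container not defining `__len__` or `__bool__`; `event_values is not None` states the intent directly. `_GetValue` starts before this hunk.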
@@ -126,12 +126,21 @@ def _AnalyzeEvents(self, storage_writer, analysis_plugins, event_filter=None): else: event_data_stream = None + event_values_identifier = event_data.GetEventValuesIdentifier() + if event_values_identifier: + # TODO: get container_type from event_data.data_type + container_type = None + event_values = storage_writer.GetAttributeContainerByIdentifier( + container_type, event_values_identifier) + else: + event_values = None + event_identifier = event.GetIdentifier() event_tag = storage_writer.GetEventTagByEventIdentifer(event_identifier) if event_filter: filter_match = event_filter.Match( - event, event_data, event_data_stream, event_tag) + event, event_data, event_data_stream, event_values, event_tag) else: filter_match = None @@ -142,7 +151,8 @@ def _AnalyzeEvents(self, storage_writer, analysis_plugins, event_filter=None): for event_queue in self._event_queues.values(): # TODO: Check for premature exit of analysis plugins. - event_queue.PushItem((event, event_data, event_data_stream)) + event_queue.PushItem( + (event, event_data, event_data_stream, event_values)) self._number_of_consumed_events += 1 diff --git a/plaso/multi_process/analysis_process.py b/plaso/multi_process/analysis_process.py index feff39ec7a..7b2dcd52bd 100644 --- a/plaso/multi_process/analysis_process.py +++ b/plaso/multi_process/analysis_process.py @@ -230,7 +230,8 @@ def _Main(self): except errors.QueueAlreadyClosed: logger.error('Queue for {0:s} was already closed.'.format(self.name)) - def _ProcessEvent(self, mediator, event, event_data, event_data_stream): + def _ProcessEvent( + self, mediator, event, event_data, event_data_stream, event_values): """Processes an event. Args: 
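Review bot: `container_type = None` is passed to `storage_writer.GetAttributeContainerByIdentifier` in `_AnalyzeEvents`, so the event values lookup runs without a container type even though the TODO acknowledges one is required; the same placeholder appears in the `_ExportEvents` hunk of plaso/multi_process/output_engine.py. Elsewhere in this patch, `_GetAttributeContainers` in plaso/multi_process/merge_helpers.py takes the container type from `event_values_identifier.name`, so `container_type = event_values_identifier.name` would resolve both TODOs consistently, assuming that is the value the storage lookup expects. `_AnalyzeEvents` begins before this hunk.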
@@ -239,10 +240,11 @@ def _ProcessEvent(self, mediator, event, event_data, event_data_stream): event (EventObject): event. event_data (EventData): event data. event_data_stream (EventDataStream): event data stream. + event_values (AttributeContainer): event values attribute container. """ try: self._analysis_plugin.ExamineEvent( - mediator, event, event_data, event_data_stream) + mediator, event, event_data, event_data_stream, event_values) except Exception as exception: # pylint: disable=broad-except # TODO: write analysis error and change logger to debug only. diff --git a/plaso/multi_process/extraction_engine.py b/plaso/multi_process/extraction_engine.py index 70ae8081f1..c209507c69 100644 --- a/plaso/multi_process/extraction_engine.py +++ b/plaso/multi_process/extraction_engine.py 
@@ -449,15 +449,33 @@ def _MergeAttributeContainer(self, storage_writer, merge_helper, container): f'message file: {message_file_lookup_key:s} could not be found.')) return - lookup_key = None - if container.CONTAINER_TYPE in ( - self._CONTAINER_TYPE_EVENT_DATA, - self._CONTAINER_TYPE_EVENT_DATA_STREAM, - 'windows_eventlog_message_file'): - # Preserve the lookup key before adding it to the attribute container - # store. - identifier = container.GetIdentifier() - lookup_key = identifier.CopyToString() + if container.CONTAINER_TYPE == self._CONTAINER_TYPE_EVENT_DATA: + event_values_identifier = container.GetEventValuesIdentifier() + event_values_lookup_key = None + if event_values_identifier: + event_values_lookup_key = event_values_identifier.CopyToString() + + event_values_identifier = merge_helper.GetAttributeContainerIdentifier( + event_values_lookup_key) + + if event_values_identifier: + container.SetEventValuesIdentifier(event_values_identifier) + elif event_values_lookup_key: + identifier = container.GetIdentifier() + identifier_string = identifier.CopyToString() + + # TODO: store this as a merge warning so this is preserved + # in the storage file. + logger.error(( + f'Unable to merge {container.CONTAINER_TYPE:s} attribute ' + f'container: {identifier_string:s} since corresponding event ' + f'values: {event_values_lookup_key:s} could not be found.')) + return + + # For attribute containers that are referenced from other containers, + # preserve the lookup key before adding it to the attribute container store. + lookup_key, identifier = merge_helper.PreserveAttributeContainerIdentifier( + container) storage_writer.AddAttributeContainer(container) diff --git a/plaso/multi_process/merge_helpers.py b/plaso/multi_process/merge_helpers.py index cfc43115fc..208b638033 100644 --- a/plaso/multi_process/merge_helpers.py +++ b/plaso/multi_process/merge_helpers.py 
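Review bot: In `_MergeAttributeContainer` the name `event_values_identifier` is first bound to the identifier read from the task store and then rebound to the result of `merge_helper.GetAttributeContainerIdentifier`, which makes the mapped / unmapped / not-referenced outcomes harder to follow than they need to be. Binding the second value separately, e.g. `merged_event_values_identifier = merge_helper.GetAttributeContainerIdentifier(event_values_lookup_key)`, keeps the original identifier available for the error message and lets each branch read directly. `_MergeAttributeContainer` begins before and continues after this hunk.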
@@ -68,7 +68,7 @@ def GetAttributeContainer(self): return container def GetAttributeContainerIdentifier(self, lookup_key): - """Retrieves an attribute container. + """Retrieves an attribute container identifier. Args: lookup_key (str): lookup key that identifies the attribute container. @@ -80,7 +80,7 @@ def GetAttributeContainerIdentifier(self, lookup_key): return self._container_identifier_mappings.get(lookup_key, None) def SetAttributeContainerIdentifier(self, lookup_key, identifier): - """Sets an attribute container. + """Sets an attribute container identifier. Args: lookup_key (str): lookup key that identifies the attribute container. 
@@ -120,9 +120,79 @@ class ExtractionTaskMergeHelper(BaseTaskMergeHelper): # data by the timeliner and therefore needs to be merged before event # data containers. events.DateLessLogHelper.CONTAINER_TYPE, - events.EventData.CONTAINER_TYPE, warnings.ExtractionWarning.CONTAINER_TYPE, warnings.RecoveryWarning.CONTAINER_TYPE, artifacts.WindowsEventLogMessageFileArtifact.CONTAINER_TYPE, artifacts.WindowsEventLogMessageStringArtifact.CONTAINER_TYPE, artifacts.WindowsWevtTemplateEvent.CONTAINER_TYPE) + + def __init__(self, task_storage_reader, task_identifier): + """Initialize a helper for merging task related attribute containers. + + Args: + task_storage_reader (StorageReader): task storage reader. + task_identifier (str): identifier of the task that is merged. + """ + super(ExtractionTaskMergeHelper, self).__init__( + task_storage_reader, task_identifier) + self._event_values_container_types = set() + + def _GetAttributeContainers(self, task_storage_reader): + """Retrieves attribute containers to merge. + + Args: + task_storage_reader (StorageReader): task storage reader. + + Yields: + AttributeContainer: attribute container. + """ + self._event_values_container_types = set() + for container in task_storage_reader.GetAttributeContainers( + events.EventData.CONTAINER_TYPE): + event_values_identifier = container.GetEventValuesIdentifier() + if event_values_identifier: + self._event_values_container_types.add(event_values_identifier.name) + + for container_type in self._CONTAINER_TYPES: + for container in task_storage_reader.GetAttributeContainers( + container_type): + yield container + + # Merge event values attribute containers before the event data that + # references it. 
+ for container_type in self._event_values_container_types: + for container in task_storage_reader.GetAttributeContainers( + container_type): + yield container + + for container in task_storage_reader.GetAttributeContainers( + events.EventData.CONTAINER_TYPE): + yield container + + self.fully_merged = True + + def PreserveAttributeContainerIdentifier(self, container): + """Preserves an attribute container identifier. + + Args: + container (AttributeContainer): attribute container. + + Returns: + tuple[str, AttributeContainerIdentifier]: lookup key and corresponding + attribute container identifier or None, None if the attribute + container does not require to be mapped. + """ + if container.CONTAINER_TYPE in ( + artifacts.WindowsEventLogMessageFileArtifact.CONTAINER_TYPE, + events.EventData.CONTAINER_TYPE, + events.EventDataStream.CONTAINER_TYPE): + identifier = container.GetIdentifier() + lookup_key = identifier.CopyToString() + return lookup_key, identifier + + if container.CONTAINER_TYPE in self._event_values_container_types: + identifier = container.GetIdentifier() + lookup_key = identifier.CopyToString() + return lookup_key, identifier + + return None, None diff --git a/plaso/multi_process/output_engine.py b/plaso/multi_process/output_engine.py index c914a5249c..a08e675953 100644 --- a/plaso/multi_process/output_engine.py +++ b/plaso/multi_process/output_engine.py @@ -226,6 +226,15 @@ def _ExportEvents( else: event_data_stream = None + event_values_identifier = event_data.GetEventValuesIdentifier() + if event_values_identifier: + # TODO: get container_type from event_data.data_type + container_type = None + event_values = storage_reader.GetAttributeContainerByIdentifier( + container_type, event_values_identifier) + else: + event_values = None + event_identifier = event.GetIdentifier() event_tag = storage_reader.GetEventTagByEventIdentifer(event_identifier) 
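Review bot: `PreserveAttributeContainerIdentifier` has two branches with identical bodies; a single condition `if (container.CONTAINER_TYPE in (...) or container.CONTAINER_TYPE in self._event_values_container_types):` keeps one copy of the lookup-key code. Separately, `_GetAttributeContainers` reads every event data container from `task_storage_reader` twice, once to collect `_event_values_container_types` and once to yield them, which doubles the event data reads for large task stores; it may be worth checking whether the reader can report the container types present without a full pass. A brief comment above the first loop, such as `# First pass: discover which event values container types this task references.`, would explain why the event data is read ahead of the yield loop.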
@@ -234,7 +243,7 @@ def _ExportEvents( if event_filter: filter_match = event_filter.Match( - event, event_data, event_data_stream, event_tag) + event, event_data, event_data_stream, event_values, event_tag) else: filter_match = None diff --git a/plaso/parsers/mediator.py b/plaso/parsers/mediator.py index 6b9ca5b087..779d676c3c 100644 --- a/plaso/parsers/mediator.py +++ b/plaso/parsers/mediator.py @@ -522,6 +522,25 @@ def ProduceEventDataStream(self, event_data_stream): self.last_activity_timestamp = time.time() + def ProduceEventDataFromAttributeContainer(self, data_type, event_values): + """Produces event data from an attribute container. + + Args: + data_type (str): event data type indicator. + event_values (acstore.AttributeContainer): event values attribute + container. + + Raises: + RuntimeError: when storage writer is not set. + """ + event_data = events.EventData(data_type=data_type) + + event_values_identifier = event_values.GetIdentifier() + event_data.SetEventValuesIdentifier(event_values_identifier) + + self._storage_writer.AddAttributeContainer(event_values) + self.ProduceEventData(event_data) + def ProduceEventSource(self, event_source): """Produces an event source. diff --git a/plaso/parsers/winlnk.py b/plaso/parsers/winlnk.py index fc69119c81..8cdebc9daa 100644 --- a/plaso/parsers/winlnk.py +++ b/plaso/parsers/winlnk.py @@ -5,9 +5,11 @@ import pylnk +from acstore.containers import interface as containers_interface +from acstore.containers import manager as containers_manager + from dfdatetime import filetime as dfdatetime_filetime -from plaso.containers import events from plaso.containers import windows_events from plaso.lib import definitions from plaso.lib import specification 
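Review bot: `ProduceEventDataFromAttributeContainer` documents `Raises: RuntimeError: when storage writer is not set`, but its first use of the writer is `self._storage_writer.AddAttributeContainer(event_values)`, which raises `AttributeError` on a `None` writer before `ProduceEventData` is reached. Adding `if not self._storage_writer: raise RuntimeError('Storage writer not set.')` at the top of the method makes the docstring accurate. Also, `event_values.GetIdentifier()` is read before the container is added to the store; if identifiers are assigned on `AddAttributeContainer`, as I would expect for a storage-backed container, the identifier set on the event data here would be `None` — consider adding the container first and reading the identifier afterwards.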
@@ -16,8 +18,9 @@ from plaso.parsers.shared import shell_items -class WinLnkLinkEventData(events.EventData): - """Windows Shortcut (LNK) link event data. +class WindowsShortcutAttributeContainer( + containers_interface.AttributeContainer): + """Windows Shortcut (LNK) attribute container. Attributes: access_time (dfdatetime.DateTimeValues): file entry last access date @@ -37,7 +40,7 @@ class WinLnkLinkEventData(events.EventData): identifier. droid_volume_identifier (str): distributed link tracking droid volume identifier. - env_var_location (str): environment variables location. + environment_variables_location (str): environment variables location. file_attribute_flags (int): file attribute flags of the linked item. file_size (int): size of the linked item. icon_location (str): icon location. 
@@ -51,11 +54,34 @@ class WinLnkLinkEventData(events.EventData): working_directory (str): working directory. """ - DATA_TYPE = 'windows:lnk:link' + CONTAINER_TYPE = 'windows_shortcut' + + SCHEMA = { + 'access_time': 'dfdatetime.DateTimeValues', + 'birth_droid_file_identifier': 'str', + 'birth_droid_volume_identifier': 'str', + 'command_line_arguments': 'str', + 'creation_time': 'dfdatetime.DateTimeValues', + 'description': 'str', + 'drive_serial_number': 'int', + 'drive_type': 'str', + 'droid_file_identifier': 'str', + 'droid_volume_identifier': 'str', + 'environment_variables_location': 'str', + 'file_attribute_flags': 'int', + 'file_size': 'int', + 'icon_location': 'str', + 'link_target': 'str', + 'local_path': 'str', + 'modification_time': 'dfdatetime.DateTimeValues', + 'network_path': 'str', + 'relative_path': 'str', + 'volume_label': 'str', + 'working_directory': 'str'} def __init__(self): - """Initializes event data.""" - super(WinLnkLinkEventData, self).__init__(data_type=self.DATA_TYPE) + """Initializes a Windows Shortcut (LNK) attribute container.""" + super(WindowsShortcutAttributeContainer, self).__init__() self.access_time = None self.birth_droid_file_identifier = None self.birth_droid_volume_identifier = None @@ -66,7 +92,7 @@ def __init__(self): self.drive_type = None self.droid_file_identifier = None self.droid_volume_identifier = None - self.env_var_location = None + self.environment_variables_location = None self.file_attribute_flags = None self.file_size = None self.icon_location = None @@ -79,6 +105,10 @@ def __init__(self): self.working_directory = None +containers_manager.AttributeContainersManager.RegisterAttributeContainer( + WindowsShortcutAttributeContainer) + + class WinLnkParser(interface.FileObjectParser): """Windows Shortcut (LNK) file parser.""" 
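Review bot: Renaming `env_var_location` to `environment_variables_location` changes an attribute name that existing filter expressions and tagging rules may reference, and because `_GetValue` in plaso/filters/filters.py resolves unknown names with `getattr(..., None)`, such rules would stop matching silently rather than fail. A note in the class docstring, such as `environment_variables_location (str): environment variables location (previously env_var_location).`, plus a mention in the change description, would help users of existing rule files. The removed `DATA_TYPE = 'windows:lnk:link'` is not replaced within this hunk, so the data type now has to be supplied by the parser when it produces the event data, which is outside my view.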
@@ -109,6 +139,52 @@ def _GetDateTime(self, filetime): return dfdatetime_filetime.Filetime(timestamp=filetime) + def _GetEventValues(self, lnk_file): + """Retrieves the event values attribute container. + + Args: + lnk_file (pylnk.file): Windows shortcut (LNK) file. + + Returns: + WindowsShortcutAttributeContainer: event values attribute container. + """ + access_time = lnk_file.get_file_access_time_as_integer() + creation_time = lnk_file.get_file_creation_time_as_integer() + modification_time = lnk_file.get_file_modification_time_as_integer() + + event_values = WindowsShortcutAttributeContainer() + event_values.access_time = self._GetDateTime(access_time) + event_values.birth_droid_file_identifier = ( + lnk_file.birth_droid_file_identifier) + event_values.birth_droid_volume_identifier = ( + lnk_file.birth_droid_volume_identifier) + event_values.command_line_arguments = self._GetSanitizedPathString( + lnk_file.command_line_arguments) + event_values.creation_time = self._GetDateTime(creation_time) + event_values.description = self._GetSanitizedPathString( + lnk_file.description) + event_values.drive_serial_number = lnk_file.drive_serial_number + event_values.drive_type = lnk_file.drive_type + event_values.droid_file_identifier = lnk_file.droid_file_identifier + event_values.droid_volume_identifier = lnk_file.droid_volume_identifier + event_values.environment_variables_location = self._GetSanitizedPathString( + lnk_file.environment_variables_location) + event_values.file_attribute_flags = lnk_file.file_attribute_flags + event_values.file_size = lnk_file.file_size + event_values.icon_location = self._GetSanitizedPathString( + lnk_file.icon_location) + event_values.local_path = self._GetSanitizedPathString(lnk_file.local_path) + event_values.modification_time = self._GetDateTime(modification_time) + event_values.network_path = self._GetSanitizedPathString( + lnk_file.network_path) + event_values.relative_path = self._GetSanitizedPathString( + lnk_file.relative_path) + 
event_values.volume_label = lnk_file.volume_label + event_values.working_directory = self._GetSanitizedPathString( + lnk_file.working_directory) + + return event_values + def _GetSanitizedPathString(self, path): """Retrieves a sanitize path string. 
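Review bot: `volume_label` is the only free-text string copied from the LNK file in `_GetEventValues` that bypasses `_GetSanitizedPathString`, while `description`, `icon_location` and every path value go through it; this mirrors the code the helper replaces, but now that all values are assembled in one place the exception deserves either a comment or the same treatment, e.g. `event_values.volume_label = self._GetSanitizedPathString(lnk_file.volume_label)` if the sanitizer is safe for non-path strings. The docstring should also state that `link_target` is deliberately left `None` here and is filled in by the caller, since it is the one `SCHEMA` attribute this method does not set.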
@@ -198,43 +274,12 @@ def ParseFileLNKFile( link_target = shell_items_parser.CopyToPath() - access_time = lnk_file.get_file_access_time_as_integer() - creation_time = lnk_file.get_file_creation_time_as_integer() - modification_time = lnk_file.get_file_modification_time_as_integer() - - event_data = WinLnkLinkEventData() - event_data.access_time = self._GetDateTime(access_time) - event_data.birth_droid_file_identifier = ( - lnk_file.birth_droid_file_identifier) - event_data.birth_droid_volume_identifier = ( - lnk_file.birth_droid_volume_identifier) - event_data.command_line_arguments = self._GetSanitizedPathString( - lnk_file.command_line_arguments) - event_data.creation_time = self._GetDateTime(creation_time) - event_data.description = self._GetSanitizedPathString( - lnk_file.description) - event_data.drive_serial_number = lnk_file.drive_serial_number - event_data.drive_type = lnk_file.drive_type - event_data.droid_file_identifier = lnk_file.droid_file_identifier - event_data.droid_volume_identifier = lnk_file.droid_volume_identifier - event_data.env_var_location = self._GetSanitizedPathString( - lnk_file.environment_variables_location) - event_data.file_attribute_flags = lnk_file.file_attribute_flags - event_data.file_size = lnk_file.file_size - event_data.icon_location = self._GetSanitizedPathString( - lnk_file.icon_location) - event_data.link_target = link_target - event_data.local_path = self._GetSanitizedPathString(lnk_file.local_path) - event_data.modification_time = self._GetDateTime(modification_time) - event_data.network_path = self._GetSanitizedPathString( - lnk_file.network_path) - event_data.relative_path = self._GetSanitizedPathString( - lnk_file.relative_path) - event_data.volume_label = lnk_file.volume_label - event_data.working_directory = self._GetSanitizedPathString( - lnk_file.working_directory) + event_values = self._GetEventValues(lnk_file) + event_values.link_target = link_target - parser_mediator.ProduceEventData(event_data) + # TODO: lookup 
event_data.data_type based on container_type + parser_mediator.ProduceEventDataFromAttributeContainer( + 'windows:lnk:link', event_values) if lnk_file.droid_file_identifier: # pylint: disable=using-constant-test try: diff --git a/plaso/storage/sqlite/sqlite_file.py b/plaso/storage/sqlite/sqlite_file.py index b3b1f7d8cb..027ecaf203 100644 --- a/plaso/storage/sqlite/sqlite_file.py +++ b/plaso/storage/sqlite/sqlite_file.py @@ -21,11 +21,11 @@ class SQLiteStorageFile(sqlite_store.SQLiteAttributeContainerStore): compression_format (str): compression format. """ - _FORMAT_VERSION = 20230327 + _FORMAT_VERSION = 20240325 - _APPEND_COMPATIBLE_FORMAT_VERSION = 20230327 + _APPEND_COMPATIBLE_FORMAT_VERSION = 20240325 - _UPGRADE_COMPATIBLE_FORMAT_VERSION = 20230327 + _UPGRADE_COMPATIBLE_FORMAT_VERSION = 20240325 _READ_COMPATIBLE_FORMAT_VERSION = 20230327 
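Review bot: The data type `'windows:lnk:link'` is now a bare string literal at the `ProduceEventDataFromAttributeContainer` call with a TODO to derive it later, and the previous `DATA_TYPE` class constant that formatters and tests could reference is gone, so the module no longer has a single definition of this identifier. Until the container-type lookup exists I would keep `DATA_TYPE = 'windows:lnk:link'` as a constant on `WinLnkParser` and pass `self.DATA_TYPE` here, so a typo or rename is caught in one place. `ParseFileLNKFile` starts before this hunk and continues after it.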
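Review bot: `_READ_COMPATIBLE_FORMAT_VERSION` stays at 20230327 while this commit adds `_event_data_stream_identifier`, `_event_values_hash`, `_event_values_identifier` and `data_type` columns to the `event_data` table and makes the read path select them, so opening a 20230327 storage file read-only will fail with an sqlite3 "no such column" error instead of a clear version message, and the `_event_data_stream_identifier` that older files carry inside the JSON blob is no longer restored once the reader in `_DeserializeAttributeContainer` is removed further down. Unless `_ReadAndCheckStorageMetadata` (outside this hunk) already refuses such files, either bump `_READ_COMPATIBLE_FORMAT_VERSION = 20240325` alongside the other three constants, or keep the old `['_data']` column list and JSON fallback when the stored format version predates 20240325.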
@@ -91,7 +91,29 @@ def _CreateAttributeContainerFromRow( 'read_create', 'read', container_type, len(serialized_data), len(compressed_data)) - return self._DeserializeAttributeContainer(container_type, serialized_data) + container = self._DeserializeAttributeContainer( + container_type, serialized_data) + + if container_type == self._CONTAINER_TYPE_EVENT_DATA: + serialized_identifier = row[first_column_index + 1] + if serialized_identifier: + event_data_stream_identifier = ( + containers_interface.AttributeContainerIdentifier()) + event_data_stream_identifier.CopyFromString(serialized_identifier) + container.SetEventDataStreamIdentifier(event_data_stream_identifier) + + setattr(container, '_event_values_hash', row[first_column_index + 2]) + + serialized_identifier = row[first_column_index + 3] + if serialized_identifier: + event_values_identifier = ( + containers_interface.AttributeContainerIdentifier()) + event_values_identifier.CopyFromString(serialized_identifier) + container.SetEventValuesIdentifier(event_values_identifier) + + container.data_type = row[first_column_index + 4] + + return container def _CreateAttributeContainerTable(self, container_type): """Creates a table for a specific attribute container type. @@ -115,9 +137,16 @@ def _CreateAttributeContainerTable(self, container_type): else: data_column_type = 'TEXT' - query = ( - f'CREATE TABLE {container_type:s} (_identifier INTEGER PRIMARY KEY ' - f'AUTOINCREMENT, _data {data_column_type:s});') + if container_type == self._CONTAINER_TYPE_EVENT_DATA: + query = ( + f'CREATE TABLE {container_type:s} (_identifier INTEGER PRIMARY KEY ' + f'AUTOINCREMENT, _data {data_column_type:s}, ' + f'_event_data_stream_identifier TEXT, _event_values_hash TEXT, ' + f'_event_values_identifier TEXT, data_type TEXT);') + else: + query = ( + f'CREATE TABLE {container_type:s} (_identifier INTEGER PRIMARY KEY ' + f'AUTOINCREMENT, _data {data_column_type:s});') try: self._cursor.execute(query) 
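Review bot: `_CreateAttributeContainerFromRow` now indexes `row[first_column_index + 1]` through `+ 4` positionally for event data, which silently depends on the exact order of the five-name column list that this commit repeats verbatim in `_CreateAttributeContainerTable`, `_WriteNewAttributeContainer`, `GetAttributeContainerByIndex` and `GetAttributeContainers`; reordering any one copy, or a caller that still selects only `_data`, yields an `IndexError` or identifiers read from the wrong column with no check. I would hoist the list into one class constant, `_EVENT_DATA_COLUMN_NAMES = ['_data', '_event_data_stream_identifier', '_event_values_hash', '_event_values_identifier', 'data_type']`, build the SELECT and the DDL from it, and either derive the indices from it or guard with a length check on `row` before unpacking. The serialized identifiers handed to `CopyFromString` come straight from the file, so a comment stating what a malformed value is expected to raise would help the next reader.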
@@ -168,15 +197,6 @@ def _DeserializeAttributeContainer(self, container_type, serialized_data): if self._serializers_profiler: self._serializers_profiler.StopTiming(container_type) - if container.CONTAINER_TYPE == self._CONTAINER_TYPE_EVENT_DATA: - serialized_identifier = getattr( - container, '_event_data_stream_identifier', None) - if serialized_identifier: - event_data_stream_identifier = ( - containers_interface.AttributeContainerIdentifier()) - event_data_stream_identifier.CopyFromString(serialized_identifier) - container.SetEventDataStreamIdentifier(event_data_stream_identifier) - return container def _ReadAndCheckStorageMetadata(self, check_readable_only=False): @@ -225,6 +245,11 @@ def _SerializeAttributeContainer(self, container): json_dict['_event_data_stream_identifier'] = ( event_data_stream_identifier.CopyToString()) + event_values_identifier = container.GetEventValuesIdentifier() + if event_values_identifier: + json_dict['_event_values_identifier'] = ( + event_values_identifier.CopyToString()) + try: serialized_string = json.dumps(json_dict) except TypeError as exception: 
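Review bot: The block added to `_SerializeAttributeContainer` writes `_event_values_identifier` into the JSON `_data` blob even though `_WriteNewAttributeContainer` also persists the same value in the dedicated `_event_values_identifier` column, and on read it is the column value that `SetEventValuesIdentifier` installs, so the JSON copy is never consumed and can only drift from the column. Unless a reader outside this file needs it, I would drop the new `json_dict['_event_values_identifier'] = ...` assignment (the pre-existing `_event_data_stream_identifier` entry has the same redundancy now that its reader in `_DeserializeAttributeContainer` is removed), or add a comment explaining why both locations are kept. `_SerializeAttributeContainer` starts before this hunk and continues after it.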
@@ -337,38 +362,57 @@ def _WriteNewAttributeContainer(self, container): schema = self._GetAttributeContainerSchema(container.CONTAINER_TYPE) if schema: super(SQLiteStorageFile, self)._WriteNewAttributeContainer(container) - else: - next_sequence_number = self._GetAttributeContainerNextSequenceNumber( - container.CONTAINER_TYPE) + return - if (next_sequence_number == 1 and - not self._HasTable(container.CONTAINER_TYPE)): - self._CreateAttributeContainerTable(container.CONTAINER_TYPE) + next_sequence_number = self._GetAttributeContainerNextSequenceNumber( + container.CONTAINER_TYPE) - identifier = containers_interface.AttributeContainerIdentifier( - name=container.CONTAINER_TYPE, sequence_number=next_sequence_number) - container.SetIdentifier(identifier) + if (next_sequence_number == 1 and + not self._HasTable(container.CONTAINER_TYPE)): + self._CreateAttributeContainerTable(container.CONTAINER_TYPE) - serialized_data = self._SerializeAttributeContainer(container) + identifier = containers_interface.AttributeContainerIdentifier( + name=container.CONTAINER_TYPE, sequence_number=next_sequence_number) + container.SetIdentifier(identifier) - if self.compression_format == definitions.COMPRESSION_FORMAT_ZLIB: - compressed_data = zlib.compress(serialized_data) - serialized_data = sqlite3.Binary(compressed_data) - else: - compressed_data = '' + serialized_data = self._SerializeAttributeContainer(container) - if self._storage_profiler: - self._storage_profiler.Sample( - 'write_new', 'write', container.CONTAINER_TYPE, - len(serialized_data), len(compressed_data)) + if self.compression_format == definitions.COMPRESSION_FORMAT_ZLIB: + compressed_data = zlib.compress(serialized_data) + serialized_data = sqlite3.Binary(compressed_data) + else: + compressed_data = '' + + if self._storage_profiler: + self._storage_profiler.Sample( + 'write_new', 'write', container.CONTAINER_TYPE, + len(serialized_data), len(compressed_data)) + if container.CONTAINER_TYPE == 
self._CONTAINER_TYPE_EVENT_DATA: + event_data_stream_identifier = container.GetEventDataStreamIdentifier() + if event_data_stream_identifier: + event_data_stream_identifier = ( + event_data_stream_identifier.CopyToString()) + + event_values_hash = getattr(container, '_event_values_hash', None) + + event_values_identifier = container.GetEventValuesIdentifier() + if event_values_identifier: + event_values_identifier = event_values_identifier.CopyToString() + + column_names = ['_data', '_event_data_stream_identifier', + '_event_values_hash', '_event_values_identifier', + 'data_type'] + values = [serialized_data, event_data_stream_identifier, + event_values_hash, event_values_identifier, container.data_type] + else: column_names = ['_data'] values = [serialized_data] - self._CacheAttributeContainerForWrite( - container.CONTAINER_TYPE, column_names, values) + self._CacheAttributeContainerForWrite( + container.CONTAINER_TYPE, column_names, values) - self._CacheAttributeContainerByIndex(container, next_sequence_number - 1) + self._CacheAttributeContainerByIndex(container, next_sequence_number - 1) def GetAttributeContainerByIndex(self, container_type, index): """Retrieves a specific attribute container. @@ -409,7 +453,12 @@ def GetAttributeContainerByIndex(self, container_type, index): if not self._attribute_container_sequence_numbers[container_type]: return None - column_names = ['_data'] + if container_type == self._CONTAINER_TYPE_EVENT_DATA: + column_names = ['_data', '_event_data_stream_identifier', + '_event_values_hash', '_event_values_identifier', + 'data_type'] + else: + column_names = ['_data'] row_number = index + 1 column_names = ', '.join(column_names) 
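Review bot: In the new event-data branch of `_WriteNewAttributeContainer` the names `event_data_stream_identifier` and `event_values_identifier` are first bound to identifier objects and then rebound to their `CopyToString()` results, so each name holds two different types within a few lines and a non-`None` identifier whose conversion is skipped would reach `sqlite3` as an object; `_event_values_hash` is meanwhile fetched with `getattr(container, '_event_values_hash', None)` while the two identifiers go through getter methods. I would bind the string forms to separate names, e.g. `serialized_stream_identifier = (stream_identifier.CopyToString() if stream_identifier else None)`, and read the hash through an accessor on the container if one exists so the three values are obtained the same way. Apart from the early `return` in the `schema` branch, the rest of the method is a re-indent of the removed lines.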
@@ -473,13 +522,20 @@ def GetAttributeContainers(self, container_type, filter_expression=None): yield container else: + if container_type == self._CONTAINER_TYPE_EVENT_DATA: + column_names = ['_data', '_event_data_stream_identifier', + '_event_values_hash', '_event_values_identifier', + 'data_type'] + else: + column_names = ['_data'] + sql_filter_expression = None if filter_expression: expression_ast = ast.parse(filter_expression, mode='eval') sql_filter_expression = sqlite_store.PythonAST2SQL(expression_ast.body) yield from self._GetAttributeContainersWithFilter( - container_type, column_names=['_data'], + container_type, column_names=column_names, filter_expression=sql_filter_expression) def GetSortedEvents(self, time_range=None): diff --git a/test_data/end_to_end/dynamic.log b/test_data/end_to_end/dynamic.log index 429ed25208..a6cb24d466 100644 --- a/test_data/end_to_end/dynamic.log +++ b/test_data/end_to_end/dynamic.log 
@@ -1,21 +1,21 @@ datetime,timestamp_desc,source,source_long,message,parser,display_name,tag -2012-01-22T07:52:33+00:00,Content Modification Time,LOG,Log File,[client pid: 30840] INFO No change in [/etc/netgroup]. Done,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2012-01-22T07:52:33+00:00,Content Modification Time,LOG,Log File,[client pid: 30840] INFO No new content in ímynd.dd.,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2012-01-22T07:53:01+00:00,Content Modification Time,LOG,Cron log,Cron ran: touch /var/run/crond.somecheck for user: root pid: 31051,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2012-01-22T07:54:01+00:00,Content Modification Time,LOG,Cron log,Cron ran: /sbin/status.mycheck) for user: root pid: 31067,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2012-01-22T07:54:01+00:00,Content Modification Time,LOG,Cron log,Cron ran: touch /var/run/crond.somecheck for user: root pid: 31068,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2012-01-22T07:54:32+00:00,Content Modification Time,LOG,Log File,[Job] `cron.daily' terminated,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2012-02-29T01:15:43+00:00,Content Modification Time,LOG,Log File,[---] testing leap year in parsing events take place in 2012 ---,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2012-12-18T17:54:32+00:00,Content Modification Time,LOG,Log File,[anacron pid: 1234] No true exit can exist (124 job run),text/syslog_traditional,OS:/tmp/test/test_data/syslog,exit1 exit2 -2013-03-23T23:01:18+00:00,Content Modification Time,LOG,Log File,[somrandomexe pid: 1915] This syslog message is brought to you by me (and not the other guy),text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2013-03-23T23:01:18+00:00,Content Modification Time,LOG,Log File,[somrandomexe pid: 19] This syslog message has a fractional value for seconds.,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2013-11-18T01:15:20+00:00,Content Modification 
Time,LOG,Log File,[aprocess pid: 10100] This is a multi-line message that screws up many syslog parsers.,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2013-12-31T17:54:32+00:00,Content Modification Time,LOG,Log File,[/sbin/anacron pid: 1234] Another one just like this (124 job run),text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2014-02-06T15:16:30+00:00,Content Modification Time,LOG,Log File,[process pid: 2085] Test message with single character day,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2014-11-18T01:15:43+00:00,Content Modification Time,LOG,Log File,[---] last message repeated 5 times ---,text/syslog_traditional,OS:/tmp/test/test_data/syslog,repeated -2014-11-18T08:30:20+00:00,Content Modification Time,LOG,Log File,[kernel] [997.390602] sda2: rw=0 want=65 limit=2,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2014-11-18T08:31:20+00:00,Content Modification Time,LOG,Log File,[kernel] [998.390602] sda2: rw=0 want=66 limit=2,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2023-03-27T03:47:03.767380870+00:00,Content Modification Time,FILE,File stat,OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,filestat,OS:/tmp/test/test_data/syslog,- -2023-03-27T03:47:03.767380870+00:00,Metadata Modification Time,FILE,File stat,OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,filestat,OS:/tmp/test/test_data/syslog,- -2023-03-27T03:47:05.830382781+00:00,Last Access Time,FILE,File stat,OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,filestat,OS:/tmp/test/test_data/syslog,- -2023-03-27T03:47:08.884385609+00:00,Last Access Time,FILE,File stat,OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,filestat,OS:/tmp/test/test_data/syslog,- 
+2012-01-22T07:52:33+00:00,Content Modification Time,LOG,Log File,[client pid: 30840] INFO No change in [/etc/netgroup]. Done,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2012-01-22T07:52:33+00:00,Content Modification Time,LOG,Log File,[client pid: 30840] INFO No new content in ímynd.dd.,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2012-01-22T07:53:01+00:00,Content Modification Time,LOG,Cron log,Cron ran: touch /var/run/crond.somecheck for user: root pid: 31051,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2012-01-22T07:54:01+00:00,Content Modification Time,LOG,Cron log,Cron ran: /sbin/status.mycheck) for user: root pid: 31067,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2012-01-22T07:54:01+00:00,Content Modification Time,LOG,Cron log,Cron ran: touch /var/run/crond.somecheck for user: root pid: 31068,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2012-01-22T07:54:32+00:00,Content Modification Time,LOG,Log File,[Job] `cron.daily' terminated,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2012-02-29T01:15:43+00:00,Content Modification Time,LOG,Log File,[---] testing leap year in parsing events take place in 2012 ---,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2012-12-18T17:54:32+00:00,Content Modification Time,LOG,Log File,[anacron pid: 1234] No true exit can exist (124 job run),text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,exit1 exit2 +2013-03-23T23:01:18+00:00,Content Modification Time,LOG,Log File,[somrandomexe pid: 1915] This syslog message is brought to you by me (and not the other guy),text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2013-03-23T23:01:18+00:00,Content Modification Time,LOG,Log File,[somrandomexe pid: 19] This syslog message has a fractional value for seconds.,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2013-11-18T01:15:20+00:00,Content Modification Time,LOG,Log 
File,[aprocess pid: 10100] This is a multi-line message that screws up many syslog parsers.,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2013-12-31T17:54:32+00:00,Content Modification Time,LOG,Log File,[/sbin/anacron pid: 1234] Another one just like this (124 job run),text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2014-02-06T15:16:30+00:00,Content Modification Time,LOG,Log File,[process pid: 2085] Test message with single character day,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2014-11-18T01:15:43+00:00,Content Modification Time,LOG,Log File,[---] last message repeated 5 times ---,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,repeated +2014-11-18T08:30:20+00:00,Content Modification Time,LOG,Log File,[kernel] [997.390602] sda2: rw=0 want=65 limit=2,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2014-11-18T08:31:20+00:00,Content Modification Time,LOG,Log File,[kernel] [998.390602] sda2: rw=0 want=66 limit=2,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2024-03-28T07:54:34.785375326+00:00,Content Modification Time,FILE,File stat,OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,filestat,OS:/tmp/test/test_data/syslog/syslog,- +2024-03-28T07:54:34.785375326+00:00,Metadata Modification Time,FILE,File stat,OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,filestat,OS:/tmp/test/test_data/syslog/syslog,- +2024-03-28T07:54:36.751357520+00:00,Last Access Time,FILE,File stat,OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,filestat,OS:/tmp/test/test_data/syslog/syslog,- +2024-03-28T07:54:40.393324534+00:00,Last Access Time,FILE,File stat,OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number 
of links: 1,filestat,OS:/tmp/test/test_data/syslog/syslog,- diff --git a/test_data/end_to_end/dynamic_event_filter.log b/test_data/end_to_end/dynamic_event_filter.log index 245ee5b31a..ace5b31c81 100644 --- a/test_data/end_to_end/dynamic_event_filter.log +++ b/test_data/end_to_end/dynamic_event_filter.log @@ -1,5 +1,5 @@ datetime,timestamp_desc,source,source_long,message,parser,display_name,tag -2014-02-06T15:16:30+00:00,Content Modification Time,LOG,Log File,[process pid: 2085] Test message with single character day,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2014-11-18T01:15:43+00:00,Content Modification Time,LOG,Log File,[---] last message repeated 5 times ---,text/syslog_traditional,OS:/tmp/test/test_data/syslog,repeated -2014-11-18T08:30:20+00:00,Content Modification Time,LOG,Log File,[kernel] [997.390602] sda2: rw=0 want=65 limit=2,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2014-11-18T08:31:20+00:00,Content Modification Time,LOG,Log File,[kernel] [998.390602] sda2: rw=0 want=66 limit=2,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- +2014-02-06T15:16:30+00:00,Content Modification Time,LOG,Log File,[process pid: 2085] Test message with single character day,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2014-11-18T01:15:43+00:00,Content Modification Time,LOG,Log File,[---] last message repeated 5 times ---,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,repeated +2014-11-18T08:30:20+00:00,Content Modification Time,LOG,Log File,[kernel] [997.390602] sda2: rw=0 want=65 limit=2,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2014-11-18T08:31:20+00:00,Content Modification Time,LOG,Log File,[kernel] [998.390602] sda2: rw=0 want=66 limit=2,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- diff --git a/test_data/end_to_end/dynamic_time_zone.log b/test_data/end_to_end/dynamic_time_zone.log index d2a7e057fd..ebaf7e1d75 100644 --- a/test_data/end_to_end/dynamic_time_zone.log 
+++ b/test_data/end_to_end/dynamic_time_zone.log 
@@ -1,21 +1,21 @@ datetime,timestamp_desc,source,source_long,message,parser,display_name,tag -2012-01-22T08:52:33+01:00,Content Modification Time,LOG,Log File,[client pid: 30840] INFO No change in [/etc/netgroup]. Done,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2012-01-22T08:52:33+01:00,Content Modification Time,LOG,Log File,[client pid: 30840] INFO No new content in ímynd.dd.,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2012-01-22T08:53:01+01:00,Content Modification Time,LOG,Cron log,Cron ran: touch /var/run/crond.somecheck for user: root pid: 31051,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2012-01-22T08:54:01+01:00,Content Modification Time,LOG,Cron log,Cron ran: /sbin/status.mycheck) for user: root pid: 31067,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2012-01-22T08:54:01+01:00,Content Modification Time,LOG,Cron log,Cron ran: touch /var/run/crond.somecheck for user: root pid: 31068,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2012-01-22T08:54:32+01:00,Content Modification Time,LOG,Log File,[Job] `cron.daily' terminated,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2012-02-29T02:15:43+01:00,Content Modification Time,LOG,Log File,[---] testing leap year in parsing events take place in 2012 ---,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2012-12-18T18:54:32+01:00,Content Modification Time,LOG,Log File,[anacron pid: 1234] No true exit can exist (124 job run),text/syslog_traditional,OS:/tmp/test/test_data/syslog,exit1 exit2 -2013-03-24T00:01:18+01:00,Content Modification Time,LOG,Log File,[somrandomexe pid: 1915] This syslog message is brought to you by me (and not the other guy),text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2013-03-24T00:01:18+01:00,Content Modification Time,LOG,Log File,[somrandomexe pid: 19] This syslog message has a fractional value for seconds.,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2013-11-18T02:15:20+01:00,Content Modification 
Time,LOG,Log File,[aprocess pid: 10100] This is a multi-line message that screws up many syslog parsers.,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2013-12-31T18:54:32+01:00,Content Modification Time,LOG,Log File,[/sbin/anacron pid: 1234] Another one just like this (124 job run),text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2014-02-06T16:16:30+01:00,Content Modification Time,LOG,Log File,[process pid: 2085] Test message with single character day,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2014-11-18T02:15:43+01:00,Content Modification Time,LOG,Log File,[---] last message repeated 5 times ---,text/syslog_traditional,OS:/tmp/test/test_data/syslog,repeated -2014-11-18T09:30:20+01:00,Content Modification Time,LOG,Log File,[kernel] [997.390602] sda2: rw=0 want=65 limit=2,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2014-11-18T09:31:20+01:00,Content Modification Time,LOG,Log File,[kernel] [998.390602] sda2: rw=0 want=66 limit=2,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2023-03-27T05:47:03.767380870+02:00,Content Modification Time,FILE,File stat,OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,filestat,OS:/tmp/test/test_data/syslog,- -2023-03-27T05:47:03.767380870+02:00,Metadata Modification Time,FILE,File stat,OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,filestat,OS:/tmp/test/test_data/syslog,- -2023-03-27T05:47:05.830382781+02:00,Last Access Time,FILE,File stat,OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,filestat,OS:/tmp/test/test_data/syslog,- -2023-03-27T05:47:08.884385609+02:00,Last Access Time,FILE,File stat,OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,filestat,OS:/tmp/test/test_data/syslog,- 
+2012-01-22T08:52:33+01:00,Content Modification Time,LOG,Log File,[client pid: 30840] INFO No change in [/etc/netgroup]. Done,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2012-01-22T08:52:33+01:00,Content Modification Time,LOG,Log File,[client pid: 30840] INFO No new content in ímynd.dd.,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2012-01-22T08:53:01+01:00,Content Modification Time,LOG,Cron log,Cron ran: touch /var/run/crond.somecheck for user: root pid: 31051,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2012-01-22T08:54:01+01:00,Content Modification Time,LOG,Cron log,Cron ran: /sbin/status.mycheck) for user: root pid: 31067,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2012-01-22T08:54:01+01:00,Content Modification Time,LOG,Cron log,Cron ran: touch /var/run/crond.somecheck for user: root pid: 31068,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2012-01-22T08:54:32+01:00,Content Modification Time,LOG,Log File,[Job] `cron.daily' terminated,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2012-02-29T02:15:43+01:00,Content Modification Time,LOG,Log File,[---] testing leap year in parsing events take place in 2012 ---,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2012-12-18T18:54:32+01:00,Content Modification Time,LOG,Log File,[anacron pid: 1234] No true exit can exist (124 job run),text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,exit1 exit2 +2013-03-24T00:01:18+01:00,Content Modification Time,LOG,Log File,[somrandomexe pid: 1915] This syslog message is brought to you by me (and not the other guy),text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2013-03-24T00:01:18+01:00,Content Modification Time,LOG,Log File,[somrandomexe pid: 19] This syslog message has a fractional value for seconds.,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2013-11-18T02:15:20+01:00,Content Modification Time,LOG,Log 
File,[aprocess pid: 10100] This is a multi-line message that screws up many syslog parsers.,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2013-12-31T18:54:32+01:00,Content Modification Time,LOG,Log File,[/sbin/anacron pid: 1234] Another one just like this (124 job run),text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2014-02-06T16:16:30+01:00,Content Modification Time,LOG,Log File,[process pid: 2085] Test message with single character day,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2014-11-18T02:15:43+01:00,Content Modification Time,LOG,Log File,[---] last message repeated 5 times ---,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,repeated +2014-11-18T09:30:20+01:00,Content Modification Time,LOG,Log File,[kernel] [997.390602] sda2: rw=0 want=65 limit=2,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2014-11-18T09:31:20+01:00,Content Modification Time,LOG,Log File,[kernel] [998.390602] sda2: rw=0 want=66 limit=2,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2024-03-28T08:54:34.785375326+01:00,Content Modification Time,FILE,File stat,OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,filestat,OS:/tmp/test/test_data/syslog/syslog,- +2024-03-28T08:54:34.785375326+01:00,Metadata Modification Time,FILE,File stat,OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,filestat,OS:/tmp/test/test_data/syslog/syslog,- +2024-03-28T08:54:36.751357520+01:00,Last Access Time,FILE,File stat,OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,filestat,OS:/tmp/test/test_data/syslog/syslog,- +2024-03-28T08:54:40.393324534+01:00,Last Access Time,FILE,File stat,OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number 
of links: 1,filestat,OS:/tmp/test/test_data/syslog/syslog,- diff --git a/test_data/end_to_end/dynamic_without_dynamic_time.log b/test_data/end_to_end/dynamic_without_dynamic_time.log index 246b79da0d..4a545f7591 100644 --- a/test_data/end_to_end/dynamic_without_dynamic_time.log +++ b/test_data/end_to_end/dynamic_without_dynamic_time.log 
@@ -1,21 +1,21 @@ datetime,timestamp_desc,source,source_long,message,parser,display_name,tag -2012-01-22T07:52:33.000000+00:00,Content Modification Time,LOG,Log File,[client pid: 30840] INFO No change in [/etc/netgroup]. Done,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2012-01-22T07:52:33.000000+00:00,Content Modification Time,LOG,Log File,[client pid: 30840] INFO No new content in ímynd.dd.,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2012-01-22T07:53:01.000000+00:00,Content Modification Time,LOG,Cron log,Cron ran: touch /var/run/crond.somecheck for user: root pid: 31051,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2012-01-22T07:54:01.000000+00:00,Content Modification Time,LOG,Cron log,Cron ran: /sbin/status.mycheck) for user: root pid: 31067,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2012-01-22T07:54:01.000000+00:00,Content Modification Time,LOG,Cron log,Cron ran: touch /var/run/crond.somecheck for user: root pid: 31068,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2012-01-22T07:54:32.000000+00:00,Content Modification Time,LOG,Log File,[Job] `cron.daily' terminated,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2012-02-29T01:15:43.000000+00:00,Content Modification Time,LOG,Log File,[---] testing leap year in parsing events take place in 2012 ---,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2012-12-18T17:54:32.000000+00:00,Content Modification Time,LOG,Log File,[anacron pid: 1234] No true exit can exist (124 job run),text/syslog_traditional,OS:/tmp/test/test_data/syslog,exit1 exit2 -2013-03-23T23:01:18.000000+00:00,Content Modification Time,LOG,Log File,[somrandomexe pid: 1915] This syslog message is brought to you by me (and not the other guy),text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2013-03-23T23:01:18.000000+00:00,Content Modification Time,LOG,Log File,[somrandomexe pid: 19] This syslog message has a fractional value for 
seconds.,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2013-11-18T01:15:20.000000+00:00,Content Modification Time,LOG,Log File,[aprocess pid: 10100] This is a multi-line message that screws up many syslog parsers.,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2013-12-31T17:54:32.000000+00:00,Content Modification Time,LOG,Log File,[/sbin/anacron pid: 1234] Another one just like this (124 job run),text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2014-02-06T15:16:30.000000+00:00,Content Modification Time,LOG,Log File,[process pid: 2085] Test message with single character day,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2014-11-18T01:15:43.000000+00:00,Content Modification Time,LOG,Log File,[---] last message repeated 5 times ---,text/syslog_traditional,OS:/tmp/test/test_data/syslog,repeated -2014-11-18T08:30:20.000000+00:00,Content Modification Time,LOG,Log File,[kernel] [997.390602] sda2: rw=0 want=65 limit=2,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2014-11-18T08:31:20.000000+00:00,Content Modification Time,LOG,Log File,[kernel] [998.390602] sda2: rw=0 want=66 limit=2,text/syslog_traditional,OS:/tmp/test/test_data/syslog,- -2023-03-27T03:47:03.767381+00:00,Content Modification Time,FILE,File stat,OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,filestat,OS:/tmp/test/test_data/syslog,- -2023-03-27T03:47:03.767381+00:00,Metadata Modification Time,FILE,File stat,OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,filestat,OS:/tmp/test/test_data/syslog,- -2023-03-27T03:47:05.830383+00:00,Last Access Time,FILE,File stat,OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,filestat,OS:/tmp/test/test_data/syslog,- -2023-03-27T03:47:08.884386+00:00,Last Access Time,FILE,File stat,OS:/tmp/test/test_data/syslog Type: file 
Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,filestat,OS:/tmp/test/test_data/syslog,- +2012-01-22T07:52:33.000000+00:00,Content Modification Time,LOG,Log File,[client pid: 30840] INFO No change in [/etc/netgroup]. Done,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2012-01-22T07:52:33.000000+00:00,Content Modification Time,LOG,Log File,[client pid: 30840] INFO No new content in ímynd.dd.,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2012-01-22T07:53:01.000000+00:00,Content Modification Time,LOG,Cron log,Cron ran: touch /var/run/crond.somecheck for user: root pid: 31051,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2012-01-22T07:54:01.000000+00:00,Content Modification Time,LOG,Cron log,Cron ran: /sbin/status.mycheck) for user: root pid: 31067,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2012-01-22T07:54:01.000000+00:00,Content Modification Time,LOG,Cron log,Cron ran: touch /var/run/crond.somecheck for user: root pid: 31068,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2012-01-22T07:54:32.000000+00:00,Content Modification Time,LOG,Log File,[Job] `cron.daily' terminated,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2012-02-29T01:15:43.000000+00:00,Content Modification Time,LOG,Log File,[---] testing leap year in parsing events take place in 2012 ---,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2012-12-18T17:54:32.000000+00:00,Content Modification Time,LOG,Log File,[anacron pid: 1234] No true exit can exist (124 job run),text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,exit1 exit2 +2013-03-23T23:01:18.000000+00:00,Content Modification Time,LOG,Log File,[somrandomexe pid: 1915] This syslog message is brought to you by me (and not the other guy),text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2013-03-23T23:01:18.000000+00:00,Content Modification Time,LOG,Log File,[somrandomexe pid: 19] 
This syslog message has a fractional value for seconds.,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2013-11-18T01:15:20.000000+00:00,Content Modification Time,LOG,Log File,[aprocess pid: 10100] This is a multi-line message that screws up many syslog parsers.,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2013-12-31T17:54:32.000000+00:00,Content Modification Time,LOG,Log File,[/sbin/anacron pid: 1234] Another one just like this (124 job run),text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2014-02-06T15:16:30.000000+00:00,Content Modification Time,LOG,Log File,[process pid: 2085] Test message with single character day,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2014-11-18T01:15:43.000000+00:00,Content Modification Time,LOG,Log File,[---] last message repeated 5 times ---,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,repeated +2014-11-18T08:30:20.000000+00:00,Content Modification Time,LOG,Log File,[kernel] [997.390602] sda2: rw=0 want=65 limit=2,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2014-11-18T08:31:20.000000+00:00,Content Modification Time,LOG,Log File,[kernel] [998.390602] sda2: rw=0 want=66 limit=2,text/syslog_traditional,OS:/tmp/test/test_data/syslog/syslog,- +2024-03-28T07:54:34.785376+00:00,Content Modification Time,FILE,File stat,OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,filestat,OS:/tmp/test/test_data/syslog/syslog,- +2024-03-28T07:54:34.785376+00:00,Metadata Modification Time,FILE,File stat,OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,filestat,OS:/tmp/test/test_data/syslog/syslog,- +2024-03-28T07:54:36.751358+00:00,Last Access Time,FILE,File stat,OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 
1,filestat,OS:/tmp/test/test_data/syslog/syslog,- +2024-03-28T07:54:40.393325+00:00,Last Access Time,FILE,File stat,OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,filestat,OS:/tmp/test/test_data/syslog/syslog,- diff --git a/test_data/end_to_end/json.log b/test_data/end_to_end/json.log index 48470dd610..103cca01e8 100644 --- a/test_data/end_to_end/json.log +++ b/test_data/end_to_end/json.log 
@@ -1,21 +1,21 @@ -{"event_0": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "INFO No change in [/etc/netgroup]. Done", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 1, 22, 7, 52, 33]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[client, pid: 30840] INFO No change in [/etc/netgroup]. Done", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "pid": 30840, "reporter": "client", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218753000000, "timestamp_desc": "Content Modification Time"} -, "event_1": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "INFO No new content in \u00edmynd.dd.", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 1, 22, 7, 52, 33]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[client, pid: 30840] INFO No new content in \u00edmynd.dd.", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "pid": 30840, "reporter": "client", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218753000000, "timestamp_desc": "Content Modification Time"} -, "event_2": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "(root) CMD (touch /var/run/crond.somecheck)", "command": "touch /var/run/crond.somecheck", "data_type": "syslog:cron:task_run", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", 
"time_elements_tuple": [2012, 1, 22, 7, 53, 1]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "Cron ran: touch /var/run/crond.somecheck for user: root pid: 31051", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "pid": 31051, "reporter": "CRON", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218781000000, "timestamp_desc": "Content Modification Time", "username": "root"} -, "event_3": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "(root) CMD (touch /var/run/crond.somecheck)", "command": "touch /var/run/crond.somecheck", "data_type": "syslog:cron:task_run", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 1, 22, 7, 54, 1]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "Cron ran: touch /var/run/crond.somecheck for user: root pid: 31068", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "pid": 31068, "reporter": "CRON", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218841000000, "timestamp_desc": "Content Modification Time", "username": "root"} -, "event_4": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "(root) CMD (/sbin/status.mycheck))", "command": "/sbin/status.mycheck)", "data_type": "syslog:cron:task_run", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 1, 22, 7, 54, 1]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": 
"myhostname.myhost.com", "inode": "-", "message": "Cron ran: /sbin/status.mycheck) for user: root pid: 31067", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "pid": 31067, "reporter": "CRON", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218841000000, "timestamp_desc": "Content Modification Time", "username": "root"} -, "event_5": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "`cron.daily' terminated", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 1, 22, 7, 54, 32]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[Job] `cron.daily' terminated", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "reporter": "Job", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218872000000, "timestamp_desc": "Content Modification Time"} -, "event_6": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "testing leap year in parsing, events take place in 2012 ---", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 2, 29, 1, 15, 43]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": ":", "inode": "-", "message": "[---] testing leap year in parsing, events take place in 2012 ---", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "reporter": "---", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", 
"timestamp": 1330478143000000, "timestamp_desc": "Content Modification Time"} -, "event_7": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "No true exit can exist (124 job run)", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 12, 18, 17, 54, 32]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[anacron, pid: 1234] No true exit can exist (124 job run)", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "pid": 1234, "reporter": "anacron", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "tag": {"__container_type__": "event_tag", "__type__": "AttributeContainer", "labels": ["exit1", "exit2"]}, "timestamp": 1355853272000000, "timestamp_desc": "Content Modification Time"} -, "event_8": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "This syslog message has a fractional value for seconds.", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2013, 3, 23, 23, 1, 18]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[somrandomexe, pid: 19] This syslog message has a fractional value for seconds.", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "pid": 19, "reporter": "somrandomexe", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1364079678000000, "timestamp_desc": "Content Modification Time"} -, "event_9": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "This 
syslog message is brought to you by me (and not the other guy)", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2013, 3, 23, 23, 1, 18]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[somrandomexe, pid: 1915] This syslog message is brought to you by me (and not the other guy)", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "pid": 1915, "reporter": "somrandomexe", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1364079678000000, "timestamp_desc": "Content Modification Time"} -, "event_10": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "This is a multi-line message that screws up\n\tmany syslog parsers.", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2013, 11, 18, 1, 15, 20]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[aprocess, pid: 10100] This is a multi-line message that screws up\tmany syslog parsers.", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "pid": 10100, "reporter": "aprocess", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1384737320000000, "timestamp_desc": "Content Modification Time"} -, "event_11": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "Another one just like this (124 job run)", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2013, 12, 31, 17, 
54, 32]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[/sbin/anacron, pid: 1234] Another one just like this (124 job run)", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "pid": 1234, "reporter": "/sbin/anacron", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1388512472000000, "timestamp_desc": "Content Modification Time"} -, "event_12": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "Test message with single character day", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2014, 2, 6, 15, 16, 30]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "victoria", "inode": "-", "message": "[process, pid: 2085] Test message with single character day", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "pid": 2085, "reporter": "process", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1391699790000000, "timestamp_desc": "Content Modification Time"} -, "event_13": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "last message repeated 5 times ---", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2014, 11, 18, 1, 15, 43]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": ":", "inode": "-", "message": "[---] last message repeated 5 times ---", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": 
"OS"}, "reporter": "---", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "tag": {"__container_type__": "event_tag", "__type__": "AttributeContainer", "labels": ["repeated"]}, "timestamp": 1416273343000000, "timestamp_desc": "Content Modification Time"} -, "event_14": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "[997.390602] sda2: rw=0, want=65, limit=2", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2014, 11, 18, 8, 30, 20]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "inode": "-", "message": "[kernel] [997.390602] sda2: rw=0, want=65, limit=2", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "reporter": "kernel", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1416299420000000, "timestamp_desc": "Content Modification Time"} -, "event_15": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "[998.390602] sda2: rw=0, want=66, limit=2", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2014, 11, 18, 8, 31, 20]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "victoria", "inode": "-", "message": "[kernel] [998.390602] sda2: rw=0, want=66, limit=2", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "reporter": "kernel", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1416299480000000, "timestamp_desc": "Content Modification Time"} -, "event_16": {"__container_type__": "event", "__type__": "AttributeContainer", "attribute_names": 
["security.selinux"], "data_type": "fs:stat", "date_time": {"__class_name__": "PosixTimeInNanoseconds", "__type__": "DateTimeValues", "timestamp": 1679888823767380870}, "display_name": "OS:/tmp/test/test_data/syslog", "file_entry_type": "file", "file_size": 1509, "file_system_type": "OS", "filename": "/tmp/test/test_data/syslog", "group_identifier": 1000, "inode": "762256", "is_allocated": true, "message": "OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1", "mode": 420, "number_of_links": 1, "owner_identifier": 1000, "parser": "filestat", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1679888823767381, "timestamp_desc": "Content Modification Time"} -, "event_17": {"__container_type__": "event", "__type__": "AttributeContainer", "attribute_names": ["security.selinux"], "data_type": "fs:stat", "date_time": {"__class_name__": "PosixTimeInNanoseconds", "__type__": "DateTimeValues", "timestamp": 1679888823767380870}, "display_name": "OS:/tmp/test/test_data/syslog", "file_entry_type": "file", "file_size": 1509, "file_system_type": "OS", "filename": "/tmp/test/test_data/syslog", "group_identifier": 1000, "inode": "762256", "is_allocated": true, "message": "OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1", "mode": 420, "number_of_links": 1, "owner_identifier": 1000, "parser": "filestat", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1679888823767381, "timestamp_desc": "Metadata Modification Time"} -, "event_18": {"__container_type__": "event", "__type__": "AttributeContainer", "attribute_names": ["security.selinux"], "data_type": 
"fs:stat", "date_time": {"__class_name__": "PosixTimeInNanoseconds", "__type__": "DateTimeValues", "timestamp": 1679888825830382781}, "display_name": "OS:/tmp/test/test_data/syslog", "file_entry_type": "file", "file_size": 1509, "file_system_type": "OS", "filename": "/tmp/test/test_data/syslog", "group_identifier": 1000, "inode": "762256", "is_allocated": true, "message": "OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1", "mode": 420, "number_of_links": 1, "owner_identifier": 1000, "parser": "filestat", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1679888825830383, "timestamp_desc": "Last Access Time"} -, "event_19": {"__container_type__": "event", "__type__": "AttributeContainer", "attribute_names": ["security.selinux"], "data_type": "fs:stat", "date_time": {"__class_name__": "PosixTimeInNanoseconds", "__type__": "DateTimeValues", "timestamp": 1679888828884385609}, "display_name": "OS:/tmp/test/test_data/syslog", "file_entry_type": "file", "file_size": 1509, "file_system_type": "OS", "filename": "/tmp/test/test_data/syslog", "group_identifier": 1000, "inode": "762256", "is_allocated": true, "message": "OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1", "mode": 420, "number_of_links": 1, "owner_identifier": 1000, "parser": "filestat", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1679888828884386, "timestamp_desc": "Last Access Time"} +{"event_0": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "INFO No change in [/etc/netgroup]. 
Done", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 1, 22, 7, 52, 33]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[client, pid: 30840] INFO No change in [/etc/netgroup]. Done", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "pid": 30840, "reporter": "client", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218753000000, "timestamp_desc": "Content Modification Time"} +, "event_1": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "INFO No new content in \u00edmynd.dd.", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 1, 22, 7, 52, 33]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[client, pid: 30840] INFO No new content in \u00edmynd.dd.", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "pid": 30840, "reporter": "client", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218753000000, "timestamp_desc": "Content Modification Time"} +, "event_2": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "(root) CMD (touch /var/run/crond.somecheck)", "command": "touch /var/run/crond.somecheck", "data_type": "syslog:cron:task_run", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 1, 22, 7, 53, 1]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", 
"filename": "/tmp/test/test_data/syslog/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "Cron ran: touch /var/run/crond.somecheck for user: root pid: 31051", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "pid": 31051, "reporter": "CRON", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218781000000, "timestamp_desc": "Content Modification Time", "username": "root"} +, "event_3": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "(root) CMD (touch /var/run/crond.somecheck)", "command": "touch /var/run/crond.somecheck", "data_type": "syslog:cron:task_run", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 1, 22, 7, 54, 1]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "Cron ran: touch /var/run/crond.somecheck for user: root pid: 31068", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "pid": 31068, "reporter": "CRON", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218841000000, "timestamp_desc": "Content Modification Time", "username": "root"} +, "event_4": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "(root) CMD (/sbin/status.mycheck))", "command": "/sbin/status.mycheck)", "data_type": "syslog:cron:task_run", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 1, 22, 7, 54, 1]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "Cron ran: 
/sbin/status.mycheck) for user: root pid: 31067", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "pid": 31067, "reporter": "CRON", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218841000000, "timestamp_desc": "Content Modification Time", "username": "root"} +, "event_5": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "`cron.daily' terminated", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 1, 22, 7, 54, 32]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[Job] `cron.daily' terminated", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "reporter": "Job", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218872000000, "timestamp_desc": "Content Modification Time"} +, "event_6": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "testing leap year in parsing, events take place in 2012 ---", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 2, 29, 1, 15, 43]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": ":", "inode": "-", "message": "[---] testing leap year in parsing, events take place in 2012 ---", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "reporter": "---", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 
1330478143000000, "timestamp_desc": "Content Modification Time"} +, "event_7": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "No true exit can exist (124 job run)", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 12, 18, 17, 54, 32]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[anacron, pid: 1234] No true exit can exist (124 job run)", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "pid": 1234, "reporter": "anacron", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "tag": {"__container_type__": "event_tag", "__type__": "AttributeContainer", "labels": ["exit1", "exit2"]}, "timestamp": 1355853272000000, "timestamp_desc": "Content Modification Time"} +, "event_8": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "This syslog message is brought to you by me (and not the other guy)", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2013, 3, 23, 23, 1, 18]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[somrandomexe, pid: 1915] This syslog message is brought to you by me (and not the other guy)", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "pid": 1915, "reporter": "somrandomexe", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1364079678000000, "timestamp_desc": "Content Modification Time"} +, "event_9": {"__container_type__": 
"event", "__type__": "AttributeContainer", "body": "This syslog message has a fractional value for seconds.", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2013, 3, 23, 23, 1, 18]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[somrandomexe, pid: 19] This syslog message has a fractional value for seconds.", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "pid": 19, "reporter": "somrandomexe", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1364079678000000, "timestamp_desc": "Content Modification Time"} +, "event_10": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "This is a multi-line message that screws up\n\tmany syslog parsers.", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2013, 11, 18, 1, 15, 20]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[aprocess, pid: 10100] This is a multi-line message that screws up\tmany syslog parsers.", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "pid": 10100, "reporter": "aprocess", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1384737320000000, "timestamp_desc": "Content Modification Time"} +, "event_11": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "Another one just like this (124 job run)", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", 
"__type__": "DateTimeValues", "time_elements_tuple": [2013, 12, 31, 17, 54, 32]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[/sbin/anacron, pid: 1234] Another one just like this (124 job run)", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "pid": 1234, "reporter": "/sbin/anacron", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1388512472000000, "timestamp_desc": "Content Modification Time"} +, "event_12": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "Test message with single character day", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2014, 2, 6, 15, 16, 30]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "victoria", "inode": "-", "message": "[process, pid: 2085] Test message with single character day", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "pid": 2085, "reporter": "process", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1391699790000000, "timestamp_desc": "Content Modification Time"} +, "event_13": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "last message repeated 5 times ---", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2014, 11, 18, 1, 15, 43]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": ":", "inode": "-", "message": "[---] last message repeated 5 times ---", 
"parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "reporter": "---", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "tag": {"__container_type__": "event_tag", "__type__": "AttributeContainer", "labels": ["repeated"]}, "timestamp": 1416273343000000, "timestamp_desc": "Content Modification Time"} +, "event_14": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "[997.390602] sda2: rw=0, want=65, limit=2", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2014, 11, 18, 8, 30, 20]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "inode": "-", "message": "[kernel] [997.390602] sda2: rw=0, want=65, limit=2", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "reporter": "kernel", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1416299420000000, "timestamp_desc": "Content Modification Time"} +, "event_15": {"__container_type__": "event", "__type__": "AttributeContainer", "body": "[998.390602] sda2: rw=0, want=66, limit=2", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2014, 11, 18, 8, 31, 20]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "victoria", "inode": "-", "message": "[kernel] [998.390602] sda2: rw=0, want=66, limit=2", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "reporter": "kernel", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", 
"timestamp": 1416299480000000, "timestamp_desc": "Content Modification Time"} +, "event_16": {"__container_type__": "event", "__type__": "AttributeContainer", "attribute_names": ["security.selinux"], "data_type": "fs:stat", "date_time": {"__class_name__": "PosixTimeInNanoseconds", "__type__": "DateTimeValues", "timestamp": 1711612474785375326}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "file_entry_type": "file", "file_size": 1509, "file_system_type": "OS", "filename": "/tmp/test/test_data/syslog/syslog", "group_identifier": 1000, "inode": "3487956", "is_allocated": true, "message": "OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1", "mode": 420, "number_of_links": 1, "owner_identifier": 1000, "parser": "filestat", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1711612474785375, "timestamp_desc": "Content Modification Time"} +, "event_17": {"__container_type__": "event", "__type__": "AttributeContainer", "attribute_names": ["security.selinux"], "data_type": "fs:stat", "date_time": {"__class_name__": "PosixTimeInNanoseconds", "__type__": "DateTimeValues", "timestamp": 1711612474785375326}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "file_entry_type": "file", "file_size": 1509, "file_system_type": "OS", "filename": "/tmp/test/test_data/syslog/syslog", "group_identifier": 1000, "inode": "3487956", "is_allocated": true, "message": "OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1", "mode": 420, "number_of_links": 1, "owner_identifier": 1000, "parser": "filestat", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "sha256_hash": 
"1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1711612474785375, "timestamp_desc": "Metadata Modification Time"} +, "event_18": {"__container_type__": "event", "__type__": "AttributeContainer", "attribute_names": ["security.selinux"], "data_type": "fs:stat", "date_time": {"__class_name__": "PosixTimeInNanoseconds", "__type__": "DateTimeValues", "timestamp": 1711612476751357520}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "file_entry_type": "file", "file_size": 1509, "file_system_type": "OS", "filename": "/tmp/test/test_data/syslog/syslog", "group_identifier": 1000, "inode": "3487956", "is_allocated": true, "message": "OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1", "mode": 420, "number_of_links": 1, "owner_identifier": 1000, "parser": "filestat", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1711612476751358, "timestamp_desc": "Last Access Time"} +, "event_19": {"__container_type__": "event", "__type__": "AttributeContainer", "attribute_names": ["security.selinux"], "data_type": "fs:stat", "date_time": {"__class_name__": "PosixTimeInNanoseconds", "__type__": "DateTimeValues", "timestamp": 1711612480393324534}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "file_entry_type": "file", "file_size": 1509, "file_system_type": "OS", "filename": "/tmp/test/test_data/syslog/syslog", "group_identifier": 1000, "inode": "3487956", "is_allocated": true, "message": "OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1", "mode": 420, "number_of_links": 1, "owner_identifier": 1000, "parser": "filestat", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, 
"sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1711612480393325, "timestamp_desc": "Last Access Time"} }
\ No newline at end of file
diff --git a/test_data/end_to_end/json_line.log b/test_data/end_to_end/json_line.log
index eb7f658538..7d8fa58d3f 100644
--- a/test_data/end_to_end/json_line.log
+++ b/test_data/end_to_end/json_line.log
@@ -1,20 +1,20 @@ -{"__container_type__": "event", "__type__": "AttributeContainer", "body": "INFO No change in [/etc/netgroup]. Done", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 1, 22, 7, 52, 33]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[client, pid: 30840] INFO No change in [/etc/netgroup]. Done", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "pid": 30840, "reporter": "client", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218753000000, "timestamp_desc": "Content Modification Time"} -{"__container_type__": "event", "__type__": "AttributeContainer", "body": "INFO No new content in \u00edmynd.dd.", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 1, 22, 7, 52, 33]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[client, pid: 30840] INFO No new content in \u00edmynd.dd.", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "pid": 30840, "reporter": "client", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218753000000, "timestamp_desc": "Content Modification Time"} -{"__container_type__": "event", "__type__": "AttributeContainer", "body": "(root) CMD (touch /var/run/crond.somecheck)", "command": "touch /var/run/crond.somecheck", "data_type": "syslog:cron:task_run", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 1, 22, 7, 53, 
1]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "Cron ran: touch /var/run/crond.somecheck for user: root pid: 31051", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "pid": 31051, "reporter": "CRON", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218781000000, "timestamp_desc": "Content Modification Time", "username": "root"} -{"__container_type__": "event", "__type__": "AttributeContainer", "body": "(root) CMD (touch /var/run/crond.somecheck)", "command": "touch /var/run/crond.somecheck", "data_type": "syslog:cron:task_run", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 1, 22, 7, 54, 1]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "Cron ran: touch /var/run/crond.somecheck for user: root pid: 31068", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "pid": 31068, "reporter": "CRON", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218841000000, "timestamp_desc": "Content Modification Time", "username": "root"} -{"__container_type__": "event", "__type__": "AttributeContainer", "body": "(root) CMD (/sbin/status.mycheck))", "command": "/sbin/status.mycheck)", "data_type": "syslog:cron:task_run", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 1, 22, 7, 54, 1]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "Cron ran: /sbin/status.mycheck) for 
user: root pid: 31067", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "pid": 31067, "reporter": "CRON", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218841000000, "timestamp_desc": "Content Modification Time", "username": "root"} -{"__container_type__": "event", "__type__": "AttributeContainer", "body": "`cron.daily' terminated", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 1, 22, 7, 54, 32]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[Job] `cron.daily' terminated", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "reporter": "Job", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218872000000, "timestamp_desc": "Content Modification Time"} -{"__container_type__": "event", "__type__": "AttributeContainer", "body": "testing leap year in parsing, events take place in 2012 ---", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 2, 29, 1, 15, 43]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": ":", "inode": "-", "message": "[---] testing leap year in parsing, events take place in 2012 ---", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "reporter": "---", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1330478143000000, "timestamp_desc": "Content Modification Time"} -{"__container_type__": "event", 
"__type__": "AttributeContainer", "body": "No true exit can exist (124 job run)", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 12, 18, 17, 54, 32]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[anacron, pid: 1234] No true exit can exist (124 job run)", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "pid": 1234, "reporter": "anacron", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "tag": {"__container_type__": "event_tag", "__type__": "AttributeContainer", "labels": ["exit1", "exit2"]}, "timestamp": 1355853272000000, "timestamp_desc": "Content Modification Time"} -{"__container_type__": "event", "__type__": "AttributeContainer", "body": "This syslog message has a fractional value for seconds.", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2013, 3, 23, 23, 1, 18]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[somrandomexe, pid: 19] This syslog message has a fractional value for seconds.", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "pid": 19, "reporter": "somrandomexe", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1364079678000000, "timestamp_desc": "Content Modification Time"} -{"__container_type__": "event", "__type__": "AttributeContainer", "body": "This syslog message is brought to you by me (and not the other guy)", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", 
"__type__": "DateTimeValues", "time_elements_tuple": [2013, 3, 23, 23, 1, 18]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[somrandomexe, pid: 1915] This syslog message is brought to you by me (and not the other guy)", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "pid": 1915, "reporter": "somrandomexe", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1364079678000000, "timestamp_desc": "Content Modification Time"} -{"__container_type__": "event", "__type__": "AttributeContainer", "body": "This is a multi-line message that screws up\n\tmany syslog parsers.", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2013, 11, 18, 1, 15, 20]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[aprocess, pid: 10100] This is a multi-line message that screws up\tmany syslog parsers.", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "pid": 10100, "reporter": "aprocess", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1384737320000000, "timestamp_desc": "Content Modification Time"} -{"__container_type__": "event", "__type__": "AttributeContainer", "body": "Another one just like this (124 job run)", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2013, 12, 31, 17, 54, 32]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": 
"[/sbin/anacron, pid: 1234] Another one just like this (124 job run)", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "pid": 1234, "reporter": "/sbin/anacron", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1388512472000000, "timestamp_desc": "Content Modification Time"} -{"__container_type__": "event", "__type__": "AttributeContainer", "body": "Test message with single character day", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2014, 2, 6, 15, 16, 30]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "victoria", "inode": "-", "message": "[process, pid: 2085] Test message with single character day", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "pid": 2085, "reporter": "process", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1391699790000000, "timestamp_desc": "Content Modification Time"} -{"__container_type__": "event", "__type__": "AttributeContainer", "body": "last message repeated 5 times ---", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2014, 11, 18, 1, 15, 43]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": ":", "inode": "-", "message": "[---] last message repeated 5 times ---", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "reporter": "---", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "tag": {"__container_type__": "event_tag", "__type__": "AttributeContainer", 
"labels": ["repeated"]}, "timestamp": 1416273343000000, "timestamp_desc": "Content Modification Time"} -{"__container_type__": "event", "__type__": "AttributeContainer", "body": "[997.390602] sda2: rw=0, want=65, limit=2", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2014, 11, 18, 8, 30, 20]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "inode": "-", "message": "[kernel] [997.390602] sda2: rw=0, want=65, limit=2", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "reporter": "kernel", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1416299420000000, "timestamp_desc": "Content Modification Time"} -{"__container_type__": "event", "__type__": "AttributeContainer", "body": "[998.390602] sda2: rw=0, want=66, limit=2", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2014, 11, 18, 8, 31, 20]}, "display_name": "OS:/tmp/test/test_data/syslog", "filename": "/tmp/test/test_data/syslog", "hostname": "victoria", "inode": "-", "message": "[kernel] [998.390602] sda2: rw=0, want=66, limit=2", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "reporter": "kernel", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1416299480000000, "timestamp_desc": "Content Modification Time"} -{"__container_type__": "event", "__type__": "AttributeContainer", "attribute_names": ["security.selinux"], "data_type": "fs:stat", "date_time": {"__class_name__": "PosixTimeInNanoseconds", "__type__": "DateTimeValues", "timestamp": 1679888823767380870}, "display_name": "OS:/tmp/test/test_data/syslog", "file_entry_type": "file", 
"file_size": 1509, "file_system_type": "OS", "filename": "/tmp/test/test_data/syslog", "group_identifier": 1000, "inode": "762256", "is_allocated": true, "message": "OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1", "mode": 420, "number_of_links": 1, "owner_identifier": 1000, "parser": "filestat", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1679888823767381, "timestamp_desc": "Content Modification Time"} -{"__container_type__": "event", "__type__": "AttributeContainer", "attribute_names": ["security.selinux"], "data_type": "fs:stat", "date_time": {"__class_name__": "PosixTimeInNanoseconds", "__type__": "DateTimeValues", "timestamp": 1679888823767380870}, "display_name": "OS:/tmp/test/test_data/syslog", "file_entry_type": "file", "file_size": 1509, "file_system_type": "OS", "filename": "/tmp/test/test_data/syslog", "group_identifier": 1000, "inode": "762256", "is_allocated": true, "message": "OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1", "mode": 420, "number_of_links": 1, "owner_identifier": 1000, "parser": "filestat", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1679888823767381, "timestamp_desc": "Metadata Modification Time"} -{"__container_type__": "event", "__type__": "AttributeContainer", "attribute_names": ["security.selinux"], "data_type": "fs:stat", "date_time": {"__class_name__": "PosixTimeInNanoseconds", "__type__": "DateTimeValues", "timestamp": 1679888825830382781}, "display_name": "OS:/tmp/test/test_data/syslog", "file_entry_type": "file", "file_size": 1509, "file_system_type": "OS", "filename": 
"/tmp/test/test_data/syslog", "group_identifier": 1000, "inode": "762256", "is_allocated": true, "message": "OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1", "mode": 420, "number_of_links": 1, "owner_identifier": 1000, "parser": "filestat", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1679888825830383, "timestamp_desc": "Last Access Time"} -{"__container_type__": "event", "__type__": "AttributeContainer", "attribute_names": ["security.selinux"], "data_type": "fs:stat", "date_time": {"__class_name__": "PosixTimeInNanoseconds", "__type__": "DateTimeValues", "timestamp": 1679888828884385609}, "display_name": "OS:/tmp/test/test_data/syslog", "file_entry_type": "file", "file_size": 1509, "file_system_type": "OS", "filename": "/tmp/test/test_data/syslog", "group_identifier": 1000, "inode": "762256", "is_allocated": true, "message": "OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1", "mode": 420, "number_of_links": 1, "owner_identifier": 1000, "parser": "filestat", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog", "type_indicator": "OS"}, "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1679888828884386, "timestamp_desc": "Last Access Time"} +{"__container_type__": "event", "__type__": "AttributeContainer", "body": "INFO No change in [/etc/netgroup]. 
Done", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 1, 22, 7, 52, 33]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[client, pid: 30840] INFO No change in [/etc/netgroup]. Done", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "pid": 30840, "reporter": "client", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218753000000, "timestamp_desc": "Content Modification Time"} +{"__container_type__": "event", "__type__": "AttributeContainer", "body": "INFO No new content in \u00edmynd.dd.", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 1, 22, 7, 52, 33]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[client, pid: 30840] INFO No new content in \u00edmynd.dd.", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "pid": 30840, "reporter": "client", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218753000000, "timestamp_desc": "Content Modification Time"} +{"__container_type__": "event", "__type__": "AttributeContainer", "body": "(root) CMD (touch /var/run/crond.somecheck)", "command": "touch /var/run/crond.somecheck", "data_type": "syslog:cron:task_run", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 1, 22, 7, 53, 1]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": 
"/tmp/test/test_data/syslog/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "Cron ran: touch /var/run/crond.somecheck for user: root pid: 31051", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "pid": 31051, "reporter": "CRON", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218781000000, "timestamp_desc": "Content Modification Time", "username": "root"} +{"__container_type__": "event", "__type__": "AttributeContainer", "body": "(root) CMD (touch /var/run/crond.somecheck)", "command": "touch /var/run/crond.somecheck", "data_type": "syslog:cron:task_run", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 1, 22, 7, 54, 1]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "Cron ran: touch /var/run/crond.somecheck for user: root pid: 31068", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "pid": 31068, "reporter": "CRON", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218841000000, "timestamp_desc": "Content Modification Time", "username": "root"} +{"__container_type__": "event", "__type__": "AttributeContainer", "body": "(root) CMD (/sbin/status.mycheck))", "command": "/sbin/status.mycheck)", "data_type": "syslog:cron:task_run", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 1, 22, 7, 54, 1]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "Cron ran: /sbin/status.mycheck) for user: root pid: 
31067", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "pid": 31067, "reporter": "CRON", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218841000000, "timestamp_desc": "Content Modification Time", "username": "root"} +{"__container_type__": "event", "__type__": "AttributeContainer", "body": "`cron.daily' terminated", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 1, 22, 7, 54, 32]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[Job] `cron.daily' terminated", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "reporter": "Job", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1327218872000000, "timestamp_desc": "Content Modification Time"} +{"__container_type__": "event", "__type__": "AttributeContainer", "body": "testing leap year in parsing, events take place in 2012 ---", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 2, 29, 1, 15, 43]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": ":", "inode": "-", "message": "[---] testing leap year in parsing, events take place in 2012 ---", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "reporter": "---", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1330478143000000, "timestamp_desc": "Content Modification Time"} 
+{"__container_type__": "event", "__type__": "AttributeContainer", "body": "No true exit can exist (124 job run)", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2012, 12, 18, 17, 54, 32]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[anacron, pid: 1234] No true exit can exist (124 job run)", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "pid": 1234, "reporter": "anacron", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "tag": {"__container_type__": "event_tag", "__type__": "AttributeContainer", "labels": ["exit1", "exit2"]}, "timestamp": 1355853272000000, "timestamp_desc": "Content Modification Time"} +{"__container_type__": "event", "__type__": "AttributeContainer", "body": "This syslog message is brought to you by me (and not the other guy)", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2013, 3, 23, 23, 1, 18]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[somrandomexe, pid: 1915] This syslog message is brought to you by me (and not the other guy)", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "pid": 1915, "reporter": "somrandomexe", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1364079678000000, "timestamp_desc": "Content Modification Time"} +{"__container_type__": "event", "__type__": "AttributeContainer", "body": "This syslog message has a fractional value for 
seconds.", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2013, 3, 23, 23, 1, 18]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[somrandomexe, pid: 19] This syslog message has a fractional value for seconds.", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "pid": 19, "reporter": "somrandomexe", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1364079678000000, "timestamp_desc": "Content Modification Time"} +{"__container_type__": "event", "__type__": "AttributeContainer", "body": "This is a multi-line message that screws up\n\tmany syslog parsers.", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2013, 11, 18, 1, 15, 20]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[aprocess, pid: 10100] This is a multi-line message that screws up\tmany syslog parsers.", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "pid": 10100, "reporter": "aprocess", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1384737320000000, "timestamp_desc": "Content Modification Time"} +{"__container_type__": "event", "__type__": "AttributeContainer", "body": "Another one just like this (124 job run)", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2013, 12, 31, 17, 54, 32]}, "display_name": 
"OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "myhostname.myhost.com", "inode": "-", "message": "[/sbin/anacron, pid: 1234] Another one just like this (124 job run)", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "pid": 1234, "reporter": "/sbin/anacron", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1388512472000000, "timestamp_desc": "Content Modification Time"} +{"__container_type__": "event", "__type__": "AttributeContainer", "body": "Test message with single character day", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2014, 2, 6, 15, 16, 30]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "victoria", "inode": "-", "message": "[process, pid: 2085] Test message with single character day", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "pid": 2085, "reporter": "process", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1391699790000000, "timestamp_desc": "Content Modification Time"} +{"__container_type__": "event", "__type__": "AttributeContainer", "body": "last message repeated 5 times ---", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2014, 11, 18, 1, 15, 43]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": ":", "inode": "-", "message": "[---] last message repeated 5 times ---", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", 
"type_indicator": "OS"}, "reporter": "---", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "tag": {"__container_type__": "event_tag", "__type__": "AttributeContainer", "labels": ["repeated"]}, "timestamp": 1416273343000000, "timestamp_desc": "Content Modification Time"} +{"__container_type__": "event", "__type__": "AttributeContainer", "body": "[997.390602] sda2: rw=0, want=65, limit=2", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2014, 11, 18, 8, 30, 20]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "inode": "-", "message": "[kernel] [997.390602] sda2: rw=0, want=65, limit=2", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "reporter": "kernel", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1416299420000000, "timestamp_desc": "Content Modification Time"} +{"__container_type__": "event", "__type__": "AttributeContainer", "body": "[998.390602] sda2: rw=0, want=66, limit=2", "data_type": "syslog:line", "date_time": {"__class_name__": "TimeElements", "__type__": "DateTimeValues", "time_elements_tuple": [2014, 11, 18, 8, 31, 20]}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "filename": "/tmp/test/test_data/syslog/syslog", "hostname": "victoria", "inode": "-", "message": "[kernel] [998.390602] sda2: rw=0, want=66, limit=2", "parser": "text/syslog_traditional", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "reporter": "kernel", "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1416299480000000, "timestamp_desc": "Content Modification Time"} +{"__container_type__": "event", "__type__": "AttributeContainer", 
"attribute_names": ["security.selinux"], "data_type": "fs:stat", "date_time": {"__class_name__": "PosixTimeInNanoseconds", "__type__": "DateTimeValues", "timestamp": 1711612474785375326}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "file_entry_type": "file", "file_size": 1509, "file_system_type": "OS", "filename": "/tmp/test/test_data/syslog/syslog", "group_identifier": 1000, "inode": "3487956", "is_allocated": true, "message": "OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1", "mode": 420, "number_of_links": 1, "owner_identifier": 1000, "parser": "filestat", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1711612474785375, "timestamp_desc": "Content Modification Time"} +{"__container_type__": "event", "__type__": "AttributeContainer", "attribute_names": ["security.selinux"], "data_type": "fs:stat", "date_time": {"__class_name__": "PosixTimeInNanoseconds", "__type__": "DateTimeValues", "timestamp": 1711612474785375326}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "file_entry_type": "file", "file_size": 1509, "file_system_type": "OS", "filename": "/tmp/test/test_data/syslog/syslog", "group_identifier": 1000, "inode": "3487956", "is_allocated": true, "message": "OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1", "mode": 420, "number_of_links": 1, "owner_identifier": 1000, "parser": "filestat", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1711612474785375, "timestamp_desc": "Metadata Modification Time"} +{"__container_type__": "event", "__type__": "AttributeContainer", 
"attribute_names": ["security.selinux"], "data_type": "fs:stat", "date_time": {"__class_name__": "PosixTimeInNanoseconds", "__type__": "DateTimeValues", "timestamp": 1711612476751357520}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "file_entry_type": "file", "file_size": 1509, "file_system_type": "OS", "filename": "/tmp/test/test_data/syslog/syslog", "group_identifier": 1000, "inode": "3487956", "is_allocated": true, "message": "OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1", "mode": 420, "number_of_links": 1, "owner_identifier": 1000, "parser": "filestat", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1711612476751358, "timestamp_desc": "Last Access Time"} +{"__container_type__": "event", "__type__": "AttributeContainer", "attribute_names": ["security.selinux"], "data_type": "fs:stat", "date_time": {"__class_name__": "PosixTimeInNanoseconds", "__type__": "DateTimeValues", "timestamp": 1711612480393324534}, "display_name": "OS:/tmp/test/test_data/syslog/syslog", "file_entry_type": "file", "file_size": 1509, "file_system_type": "OS", "filename": "/tmp/test/test_data/syslog/syslog", "group_identifier": 1000, "inode": "3487956", "is_allocated": true, "message": "OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1", "mode": 420, "number_of_links": 1, "owner_identifier": 1000, "parser": "filestat", "pathspec": {"__type__": "PathSpec", "location": "/tmp/test/test_data/syslog/syslog", "type_indicator": "OS"}, "sha256_hash": "1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4", "timestamp": 1711612480393325, "timestamp_desc": "Last Access Time"} 
diff --git a/test_data/end_to_end/l2tcsv.log b/test_data/end_to_end/l2tcsv.log
index 9f3997d622..d9cd2325cb 100644
--- a/test_data/end_to_end/l2tcsv.log
+++ b/test_data/end_to_end/l2tcsv.log
@@ -1,20 +1,20 @@ date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra -01/22/2012,07:52:33,UTC,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[client pid: 30840] INFO No change in [/etc/netgroup]. Done,[client pid: 30840] INFO No change in [/etc/netgroup]. Done,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -01/22/2012,07:52:33,UTC,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[client pid: 30840] INFO No new content in ímynd.dd.,[client pid: 30840] INFO No new content in ímynd.dd.,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -01/22/2012,07:53:01,UTC,M...,LOG,Cron log,Content Modification Time,root,myhostname.myhost.com,(root) CMD (touch /var/run/crond.somecheck),Cron ran: touch /var/run/crond.somecheck for user: root pid: 31051,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,reporter: CRON; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -01/22/2012,07:54:01,UTC,M...,LOG,Cron log,Content Modification Time,root,myhostname.myhost.com,(root) CMD (touch /var/run/crond.somecheck),Cron ran: touch /var/run/crond.somecheck for user: root pid: 31068,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,reporter: CRON; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -01/22/2012,07:54:01,UTC,M...,LOG,Cron log,Content Modification Time,root,myhostname.myhost.com,(root) CMD (/sbin/status.mycheck)),Cron ran: /sbin/status.mycheck) for user: root pid: 31067,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,reporter: CRON; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -01/22/2012,07:54:32,UTC,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[Job] `cron.daily' 
terminated,[Job] `cron.daily' terminated,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -02/29/2012,01:15:43,UTC,M...,LOG,Log File,Content Modification Time,-,:,[---] testing leap year in parsing events take place in 2012 ---,[---] testing leap year in parsing events take place in 2012 ---,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -12/18/2012,17:54:32,UTC,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[anacron pid: 1234] No true exit can exist (124 job run),[anacron pid: 1234] No true exit can exist (124 job run),2,OS:/tmp/test/test_data/syslog,-,exit1 exit2,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -03/23/2013,23:01:18,UTC,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[somrandomexe pid: 19] This syslog message has a fractional value for seconds.,[somrandomexe pid: 19] This syslog message has a fractional value for seconds.,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -03/23/2013,23:01:18,UTC,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[somrandomexe pid: 1915] This syslog message is brought to you by me (and no...,[somrandomexe pid: 1915] This syslog message is brought to you by me (and not the other guy),2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -11/18/2013,01:15:20,UTC,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[aprocess pid: 10100] This is a multi-line message that screws up many syslo...,[aprocess pid: 10100] This is a multi-line message that screws up many syslog 
parsers.,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -12/31/2013,17:54:32,UTC,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[/sbin/anacron pid: 1234] Another one just like this (124 job run),[/sbin/anacron pid: 1234] Another one just like this (124 job run),2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -02/06/2014,15:16:30,UTC,M...,LOG,Log File,Content Modification Time,-,victoria,[process pid: 2085] Test message with single character day,[process pid: 2085] Test message with single character day,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -11/18/2014,01:15:43,UTC,M...,LOG,Log File,Content Modification Time,-,:,[---] last message repeated 5 times ---,[---] last message repeated 5 times ---,2,OS:/tmp/test/test_data/syslog,-,repeated,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -11/18/2014,08:30:20,UTC,M...,LOG,Log File,Content Modification Time,-,-,[kernel] [997.390602] sda2: rw=0 want=65 limit=2,[kernel] [997.390602] sda2: rw=0 want=65 limit=2,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -11/18/2014,08:31:20,UTC,M...,LOG,Log File,Content Modification Time,-,victoria,[kernel] [998.390602] sda2: rw=0 want=66 limit=2,[kernel] [998.390602] sda2: rw=0 want=66 limit=2,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -03/27/2023,03:47:03,UTC,M.C.,FILE,File stat,Content Modification Time; Metadata Modification Time,-,-,/tmp/test/test_data/syslog,OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 
Number of links: 1,2,OS:/tmp/test/test_data/syslog,762256,-,filestat,attribute_names: ['security.selinux']; file_size: 1509; file_system_type: OS; is_allocated: True; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -03/27/2023,03:47:05,UTC,.A..,FILE,File stat,Last Access Time,-,-,/tmp/test/test_data/syslog,OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,2,OS:/tmp/test/test_data/syslog,762256,-,filestat,attribute_names: ['security.selinux']; file_size: 1509; file_system_type: OS; is_allocated: True; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 -03/27/2023,03:47:08,UTC,.A..,FILE,File stat,Last Access Time,-,-,/tmp/test/test_data/syslog,OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,2,OS:/tmp/test/test_data/syslog,762256,-,filestat,attribute_names: ['security.selinux']; file_size: 1509; file_system_type: OS; is_allocated: True; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +01/22/2012,07:52:33,UTC,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[client pid: 30840] INFO No change in [/etc/netgroup]. Done,[client pid: 30840] INFO No change in [/etc/netgroup]. 
Done,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +01/22/2012,07:52:33,UTC,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[client pid: 30840] INFO No new content in ímynd.dd.,[client pid: 30840] INFO No new content in ímynd.dd.,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +01/22/2012,07:53:01,UTC,M...,LOG,Cron log,Content Modification Time,root,myhostname.myhost.com,(root) CMD (touch /var/run/crond.somecheck),Cron ran: touch /var/run/crond.somecheck for user: root pid: 31051,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,reporter: CRON; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +01/22/2012,07:54:01,UTC,M...,LOG,Cron log,Content Modification Time,root,myhostname.myhost.com,(root) CMD (touch /var/run/crond.somecheck),Cron ran: touch /var/run/crond.somecheck for user: root pid: 31068,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,reporter: CRON; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +01/22/2012,07:54:01,UTC,M...,LOG,Cron log,Content Modification Time,root,myhostname.myhost.com,(root) CMD (/sbin/status.mycheck)),Cron ran: /sbin/status.mycheck) for user: root pid: 31067,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,reporter: CRON; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +01/22/2012,07:54:32,UTC,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[Job] `cron.daily' terminated,[Job] `cron.daily' terminated,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +02/29/2012,01:15:43,UTC,M...,LOG,Log File,Content Modification Time,-,:,[---] testing leap year in parsing events take 
place in 2012 ---,[---] testing leap year in parsing events take place in 2012 ---,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +12/18/2012,17:54:32,UTC,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[anacron pid: 1234] No true exit can exist (124 job run),[anacron pid: 1234] No true exit can exist (124 job run),2,OS:/tmp/test/test_data/syslog/syslog,-,exit1 exit2,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +03/23/2013,23:01:18,UTC,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[somrandomexe pid: 1915] This syslog message is brought to you by me (and no...,[somrandomexe pid: 1915] This syslog message is brought to you by me (and not the other guy),2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +03/23/2013,23:01:18,UTC,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[somrandomexe pid: 19] This syslog message has a fractional value for seconds.,[somrandomexe pid: 19] This syslog message has a fractional value for seconds.,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +11/18/2013,01:15:20,UTC,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[aprocess pid: 10100] This is a multi-line message that screws up many syslo...,[aprocess pid: 10100] This is a multi-line message that screws up many syslog parsers.,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +12/31/2013,17:54:32,UTC,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[/sbin/anacron pid: 1234] Another one just like this (124 job run),[/sbin/anacron pid: 1234] Another one 
just like this (124 job run),2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +02/06/2014,15:16:30,UTC,M...,LOG,Log File,Content Modification Time,-,victoria,[process pid: 2085] Test message with single character day,[process pid: 2085] Test message with single character day,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +11/18/2014,01:15:43,UTC,M...,LOG,Log File,Content Modification Time,-,:,[---] last message repeated 5 times ---,[---] last message repeated 5 times ---,2,OS:/tmp/test/test_data/syslog/syslog,-,repeated,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +11/18/2014,08:30:20,UTC,M...,LOG,Log File,Content Modification Time,-,-,[kernel] [997.390602] sda2: rw=0 want=65 limit=2,[kernel] [997.390602] sda2: rw=0 want=65 limit=2,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +11/18/2014,08:31:20,UTC,M...,LOG,Log File,Content Modification Time,-,victoria,[kernel] [998.390602] sda2: rw=0 want=66 limit=2,[kernel] [998.390602] sda2: rw=0 want=66 limit=2,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +03/28/2024,07:54:34,UTC,M.C.,FILE,File stat,Content Modification Time; Metadata Modification Time,-,-,/tmp/test/test_data/syslog/syslog,OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,2,OS:/tmp/test/test_data/syslog/syslog,3487956,-,filestat,attribute_names: ['security.selinux']; file_size: 1509; file_system_type: OS; is_allocated: True; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +03/28/2024,07:54:36,UTC,.A..,FILE,File 
stat,Last Access Time,-,-,/tmp/test/test_data/syslog/syslog,OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,2,OS:/tmp/test/test_data/syslog/syslog,3487956,-,filestat,attribute_names: ['security.selinux']; file_size: 1509; file_system_type: OS; is_allocated: True; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 +03/28/2024,07:54:40,UTC,.A..,FILE,File stat,Last Access Time,-,-,/tmp/test/test_data/syslog/syslog,OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,2,OS:/tmp/test/test_data/syslog/syslog,3487956,-,filestat,attribute_names: ['security.selinux']; file_size: 1509; file_system_type: OS; is_allocated: True; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 diff --git a/test_data/end_to_end/l2tcsv_time_zone.log b/test_data/end_to_end/l2tcsv_time_zone.log index fcd0657766..9a5b2db7ec 100644 --- a/test_data/end_to_end/l2tcsv_time_zone.log +++ b/test_data/end_to_end/l2tcsv_time_zone.log 
@@ -1,20 +1,20 @@
 date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
-01/22/2012,08:52:33,CET,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[client pid: 30840] INFO No change in [/etc/netgroup]. Done,[client pid: 30840] INFO No change in [/etc/netgroup]. Done,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4
-01/22/2012,08:52:33,CET,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[client pid: 30840] INFO No new content in ímynd.dd.,[client pid: 30840] INFO No new content in ímynd.dd.,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4
-01/22/2012,08:53:01,CET,M...,LOG,Cron log,Content Modification Time,root,myhostname.myhost.com,(root) CMD (touch /var/run/crond.somecheck),Cron ran: touch /var/run/crond.somecheck for user: root pid: 31051,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,reporter: CRON; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4
-01/22/2012,08:54:01,CET,M...,LOG,Cron log,Content Modification Time,root,myhostname.myhost.com,(root) CMD (touch /var/run/crond.somecheck),Cron ran: touch /var/run/crond.somecheck for user: root pid: 31068,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,reporter: CRON; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4
-01/22/2012,08:54:01,CET,M...,LOG,Cron log,Content Modification Time,root,myhostname.myhost.com,(root) CMD (/sbin/status.mycheck)),Cron ran: /sbin/status.mycheck) for user: root pid: 31067,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,reporter: CRON; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4
-01/22/2012,08:54:32,CET,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[Job] `cron.daily' 
terminated,[Job] `cron.daily' terminated,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4
-02/29/2012,02:15:43,CET,M...,LOG,Log File,Content Modification Time,-,:,[---] testing leap year in parsing events take place in 2012 ---,[---] testing leap year in parsing events take place in 2012 ---,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4
-12/18/2012,18:54:32,CET,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[anacron pid: 1234] No true exit can exist (124 job run),[anacron pid: 1234] No true exit can exist (124 job run),2,OS:/tmp/test/test_data/syslog,-,exit1 exit2,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4
-03/24/2013,00:01:18,CET,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[somrandomexe pid: 19] This syslog message has a fractional value for seconds.,[somrandomexe pid: 19] This syslog message has a fractional value for seconds.,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4
-03/24/2013,00:01:18,CET,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[somrandomexe pid: 1915] This syslog message is brought to you by me (and no...,[somrandomexe pid: 1915] This syslog message is brought to you by me (and not the other guy),2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4
-11/18/2013,02:15:20,CET,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[aprocess pid: 10100] This is a multi-line message that screws up many syslo...,[aprocess pid: 10100] This is a multi-line message that screws up many syslog 
parsers.,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4
-12/31/2013,18:54:32,CET,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[/sbin/anacron pid: 1234] Another one just like this (124 job run),[/sbin/anacron pid: 1234] Another one just like this (124 job run),2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4
-02/06/2014,16:16:30,CET,M...,LOG,Log File,Content Modification Time,-,victoria,[process pid: 2085] Test message with single character day,[process pid: 2085] Test message with single character day,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4
-11/18/2014,02:15:43,CET,M...,LOG,Log File,Content Modification Time,-,:,[---] last message repeated 5 times ---,[---] last message repeated 5 times ---,2,OS:/tmp/test/test_data/syslog,-,repeated,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4
-11/18/2014,09:30:20,CET,M...,LOG,Log File,Content Modification Time,-,-,[kernel] [997.390602] sda2: rw=0 want=65 limit=2,[kernel] [997.390602] sda2: rw=0 want=65 limit=2,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4
-11/18/2014,09:31:20,CET,M...,LOG,Log File,Content Modification Time,-,victoria,[kernel] [998.390602] sda2: rw=0 want=66 limit=2,[kernel] [998.390602] sda2: rw=0 want=66 limit=2,2,OS:/tmp/test/test_data/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4
-03/27/2023,05:47:03,CEST,M.C.,FILE,File stat,Content Modification Time; Metadata Modification Time,-,-,/tmp/test/test_data/syslog,OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 
0o644 Number of links: 1,2,OS:/tmp/test/test_data/syslog,762256,-,filestat,attribute_names: ['security.selinux']; file_size: 1509; file_system_type: OS; is_allocated: True; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4
-03/27/2023,05:47:05,CEST,.A..,FILE,File stat,Last Access Time,-,-,/tmp/test/test_data/syslog,OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,2,OS:/tmp/test/test_data/syslog,762256,-,filestat,attribute_names: ['security.selinux']; file_size: 1509; file_system_type: OS; is_allocated: True; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4
-03/27/2023,05:47:08,CEST,.A..,FILE,File stat,Last Access Time,-,-,/tmp/test/test_data/syslog,OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,2,OS:/tmp/test/test_data/syslog,762256,-,filestat,attribute_names: ['security.selinux']; file_size: 1509; file_system_type: OS; is_allocated: True; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4
+01/22/2012,08:52:33,CET,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[client pid: 30840] INFO No change in [/etc/netgroup]. Done,[client pid: 30840] INFO No change in [/etc/netgroup]. 
Done,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4
+01/22/2012,08:52:33,CET,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[client pid: 30840] INFO No new content in ímynd.dd.,[client pid: 30840] INFO No new content in ímynd.dd.,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4
+01/22/2012,08:53:01,CET,M...,LOG,Cron log,Content Modification Time,root,myhostname.myhost.com,(root) CMD (touch /var/run/crond.somecheck),Cron ran: touch /var/run/crond.somecheck for user: root pid: 31051,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,reporter: CRON; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4
+01/22/2012,08:54:01,CET,M...,LOG,Cron log,Content Modification Time,root,myhostname.myhost.com,(root) CMD (touch /var/run/crond.somecheck),Cron ran: touch /var/run/crond.somecheck for user: root pid: 31068,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,reporter: CRON; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4
+01/22/2012,08:54:01,CET,M...,LOG,Cron log,Content Modification Time,root,myhostname.myhost.com,(root) CMD (/sbin/status.mycheck)),Cron ran: /sbin/status.mycheck) for user: root pid: 31067,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,reporter: CRON; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4
+01/22/2012,08:54:32,CET,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[Job] `cron.daily' terminated,[Job] `cron.daily' terminated,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4
+02/29/2012,02:15:43,CET,M...,LOG,Log File,Content Modification Time,-,:,[---] testing leap year in parsing events take 
place in 2012 ---,[---] testing leap year in parsing events take place in 2012 ---,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4
+12/18/2012,18:54:32,CET,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[anacron pid: 1234] No true exit can exist (124 job run),[anacron pid: 1234] No true exit can exist (124 job run),2,OS:/tmp/test/test_data/syslog/syslog,-,exit1 exit2,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4
+03/24/2013,00:01:18,CET,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[somrandomexe pid: 1915] This syslog message is brought to you by me (and no...,[somrandomexe pid: 1915] This syslog message is brought to you by me (and not the other guy),2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4
+03/24/2013,00:01:18,CET,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[somrandomexe pid: 19] This syslog message has a fractional value for seconds.,[somrandomexe pid: 19] This syslog message has a fractional value for seconds.,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4
+11/18/2013,02:15:20,CET,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[aprocess pid: 10100] This is a multi-line message that screws up many syslo...,[aprocess pid: 10100] This is a multi-line message that screws up many syslog parsers.,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4
+12/31/2013,18:54:32,CET,M...,LOG,Log File,Content Modification Time,-,myhostname.myhost.com,[/sbin/anacron pid: 1234] Another one just like this (124 job run),[/sbin/anacron pid: 1234] Another one 
just like this (124 job run),2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4
+02/06/2014,16:16:30,CET,M...,LOG,Log File,Content Modification Time,-,victoria,[process pid: 2085] Test message with single character day,[process pid: 2085] Test message with single character day,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4
+11/18/2014,02:15:43,CET,M...,LOG,Log File,Content Modification Time,-,:,[---] last message repeated 5 times ---,[---] last message repeated 5 times ---,2,OS:/tmp/test/test_data/syslog/syslog,-,repeated,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4
+11/18/2014,09:30:20,CET,M...,LOG,Log File,Content Modification Time,-,-,[kernel] [997.390602] sda2: rw=0 want=65 limit=2,[kernel] [997.390602] sda2: rw=0 want=65 limit=2,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4
+11/18/2014,09:31:20,CET,M...,LOG,Log File,Content Modification Time,-,victoria,[kernel] [998.390602] sda2: rw=0 want=66 limit=2,[kernel] [998.390602] sda2: rw=0 want=66 limit=2,2,OS:/tmp/test/test_data/syslog/syslog,-,-,text/syslog_traditional,sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4
+03/28/2024,08:54:34,CET,M.C.,FILE,File stat,Content Modification Time; Metadata Modification Time,-,-,/tmp/test/test_data/syslog/syslog,OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,2,OS:/tmp/test/test_data/syslog/syslog,3487956,-,filestat,attribute_names: ['security.selinux']; file_size: 1509; file_system_type: OS; is_allocated: True; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4
+03/28/2024,08:54:36,CET,.A..,FILE,File 
stat,Last Access Time,-,-,/tmp/test/test_data/syslog/syslog,OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,2,OS:/tmp/test/test_data/syslog/syslog,3487956,-,filestat,attribute_names: ['security.selinux']; file_size: 1509; file_system_type: OS; is_allocated: True; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4
+03/28/2024,08:54:40,CET,.A..,FILE,File stat,Last Access Time,-,-,/tmp/test/test_data/syslog/syslog,OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1,2,OS:/tmp/test/test_data/syslog/syslog,3487956,-,filestat,attribute_names: ['security.selinux']; file_size: 1509; file_system_type: OS; is_allocated: True; sha256_hash: 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4
diff --git a/test_data/end_to_end/l2ttln.log b/test_data/end_to_end/l2ttln.log
index 06ac6cd0bd..04c73a792a 100644
--- a/test_data/end_to_end/l2ttln.log
+++ b/test_data/end_to_end/l2ttln.log
@@ -1,21 +1,21 @@
 Time|Source|Host|User|Description|TZ|Notes
-1327218753|LOG|myhostname.myhost.com|-|2012-01-22T07:52:33+00:00; Content Modification Time; [client, pid: 30840] INFO No change in [/etc/netgroup]. Done|UTC|File: OS:/tmp/test/test_data/syslog
-1327218753|LOG|myhostname.myhost.com|-|2012-01-22T07:52:33+00:00; Content Modification Time; [client, pid: 30840] INFO No new content in ímynd.dd.|UTC|File: OS:/tmp/test/test_data/syslog
-1327218781|LOG|myhostname.myhost.com|root|2012-01-22T07:53:01+00:00; Content Modification Time; Cron ran: touch /var/run/crond.somecheck for user: root pid: 31051|UTC|File: OS:/tmp/test/test_data/syslog
-1327218841|LOG|myhostname.myhost.com|root|2012-01-22T07:54:01+00:00; Content Modification Time; Cron ran: /sbin/status.mycheck) for user: root pid: 31067|UTC|File: OS:/tmp/test/test_data/syslog
-1327218841|LOG|myhostname.myhost.com|root|2012-01-22T07:54:01+00:00; Content Modification Time; Cron ran: touch /var/run/crond.somecheck for user: root pid: 31068|UTC|File: OS:/tmp/test/test_data/syslog
-1327218872|LOG|myhostname.myhost.com|-|2012-01-22T07:54:32+00:00; Content Modification Time; [Job] `cron.daily' terminated|UTC|File: OS:/tmp/test/test_data/syslog
-1330478143|LOG|:|-|2012-02-29T01:15:43+00:00; Content Modification Time; [---] testing leap year in parsing, events take place in 2012 ---|UTC|File: OS:/tmp/test/test_data/syslog
-1355853272|LOG|myhostname.myhost.com|-|2012-12-18T17:54:32+00:00; Content Modification Time; [anacron, pid: 1234] No true exit can exist (124 job run)|UTC|File: OS:/tmp/test/test_data/syslog
-1364079678|LOG|myhostname.myhost.com|-|2013-03-23T23:01:18+00:00; Content Modification Time; [somrandomexe, pid: 1915] This syslog message is brought to you by me (and not the other guy)|UTC|File: OS:/tmp/test/test_data/syslog
-1364079678|LOG|myhostname.myhost.com|-|2013-03-23T23:01:18+00:00; Content Modification Time; [somrandomexe, pid: 19] This syslog message has a fractional value for seconds.|UTC|File: 
OS:/tmp/test/test_data/syslog
-1384737320|LOG|myhostname.myhost.com|-|2013-11-18T01:15:20+00:00; Content Modification Time; [aprocess, pid: 10100] This is a multi-line message that screws up many syslog parsers.|UTC|File: OS:/tmp/test/test_data/syslog
-1388512472|LOG|myhostname.myhost.com|-|2013-12-31T17:54:32+00:00; Content Modification Time; [/sbin/anacron, pid: 1234] Another one just like this (124 job run)|UTC|File: OS:/tmp/test/test_data/syslog
-1391699790|LOG|victoria|-|2014-02-06T15:16:30+00:00; Content Modification Time; [process, pid: 2085] Test message with single character day|UTC|File: OS:/tmp/test/test_data/syslog
-1416273343|LOG|:|-|2014-11-18T01:15:43+00:00; Content Modification Time; [---] last message repeated 5 times ---|UTC|File: OS:/tmp/test/test_data/syslog
-1416299420|LOG|-|-|2014-11-18T08:30:20+00:00; Content Modification Time; [kernel] [997.390602] sda2: rw=0, want=65, limit=2|UTC|File: OS:/tmp/test/test_data/syslog
-1416299480|LOG|victoria|-|2014-11-18T08:31:20+00:00; Content Modification Time; [kernel] [998.390602] sda2: rw=0, want=66, limit=2|UTC|File: OS:/tmp/test/test_data/syslog
-1679888823|FILE|-|-|2023-03-27T03:47:03.767380870+00:00; Content Modification Time; OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1|UTC|File: OS:/tmp/test/test_data/syslog inode: 762256
-1679888823|FILE|-|-|2023-03-27T03:47:03.767380870+00:00; Metadata Modification Time; OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1|UTC|File: OS:/tmp/test/test_data/syslog inode: 762256
-1679888825|FILE|-|-|2023-03-27T03:47:05.830382781+00:00; Last Access Time; OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1|UTC|File: OS:/tmp/test/test_data/syslog inode: 762256
-1679888828|FILE|-|-|2023-03-27T03:47:08.884385609+00:00; Last Access Time; OS:/tmp/test/test_data/syslog 
Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1|UTC|File: OS:/tmp/test/test_data/syslog inode: 762256
+1327218753|LOG|myhostname.myhost.com|-|2012-01-22T07:52:33+00:00; Content Modification Time; [client, pid: 30840] INFO No change in [/etc/netgroup]. Done|UTC|File: OS:/tmp/test/test_data/syslog/syslog
+1327218753|LOG|myhostname.myhost.com|-|2012-01-22T07:52:33+00:00; Content Modification Time; [client, pid: 30840] INFO No new content in ímynd.dd.|UTC|File: OS:/tmp/test/test_data/syslog/syslog
+1327218781|LOG|myhostname.myhost.com|root|2012-01-22T07:53:01+00:00; Content Modification Time; Cron ran: touch /var/run/crond.somecheck for user: root pid: 31051|UTC|File: OS:/tmp/test/test_data/syslog/syslog
+1327218841|LOG|myhostname.myhost.com|root|2012-01-22T07:54:01+00:00; Content Modification Time; Cron ran: /sbin/status.mycheck) for user: root pid: 31067|UTC|File: OS:/tmp/test/test_data/syslog/syslog
+1327218841|LOG|myhostname.myhost.com|root|2012-01-22T07:54:01+00:00; Content Modification Time; Cron ran: touch /var/run/crond.somecheck for user: root pid: 31068|UTC|File: OS:/tmp/test/test_data/syslog/syslog
+1327218872|LOG|myhostname.myhost.com|-|2012-01-22T07:54:32+00:00; Content Modification Time; [Job] `cron.daily' terminated|UTC|File: OS:/tmp/test/test_data/syslog/syslog
+1330478143|LOG|:|-|2012-02-29T01:15:43+00:00; Content Modification Time; [---] testing leap year in parsing, events take place in 2012 ---|UTC|File: OS:/tmp/test/test_data/syslog/syslog
+1355853272|LOG|myhostname.myhost.com|-|2012-12-18T17:54:32+00:00; Content Modification Time; [anacron, pid: 1234] No true exit can exist (124 job run)|UTC|File: OS:/tmp/test/test_data/syslog/syslog
+1364079678|LOG|myhostname.myhost.com|-|2013-03-23T23:01:18+00:00; Content Modification Time; [somrandomexe, pid: 1915] This syslog message is brought to you by me (and not the other guy)|UTC|File: OS:/tmp/test/test_data/syslog/syslog 
+1364079678|LOG|myhostname.myhost.com|-|2013-03-23T23:01:18+00:00; Content Modification Time; [somrandomexe, pid: 19] This syslog message has a fractional value for seconds.|UTC|File: OS:/tmp/test/test_data/syslog/syslog
+1384737320|LOG|myhostname.myhost.com|-|2013-11-18T01:15:20+00:00; Content Modification Time; [aprocess, pid: 10100] This is a multi-line message that screws up many syslog parsers.|UTC|File: OS:/tmp/test/test_data/syslog/syslog
+1388512472|LOG|myhostname.myhost.com|-|2013-12-31T17:54:32+00:00; Content Modification Time; [/sbin/anacron, pid: 1234] Another one just like this (124 job run)|UTC|File: OS:/tmp/test/test_data/syslog/syslog
+1391699790|LOG|victoria|-|2014-02-06T15:16:30+00:00; Content Modification Time; [process, pid: 2085] Test message with single character day|UTC|File: OS:/tmp/test/test_data/syslog/syslog
+1416273343|LOG|:|-|2014-11-18T01:15:43+00:00; Content Modification Time; [---] last message repeated 5 times ---|UTC|File: OS:/tmp/test/test_data/syslog/syslog
+1416299420|LOG|-|-|2014-11-18T08:30:20+00:00; Content Modification Time; [kernel] [997.390602] sda2: rw=0, want=65, limit=2|UTC|File: OS:/tmp/test/test_data/syslog/syslog
+1416299480|LOG|victoria|-|2014-11-18T08:31:20+00:00; Content Modification Time; [kernel] [998.390602] sda2: rw=0, want=66, limit=2|UTC|File: OS:/tmp/test/test_data/syslog/syslog
+1711612474|FILE|-|-|2024-03-28T07:54:34.785375326+00:00; Content Modification Time; OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1|UTC|File: OS:/tmp/test/test_data/syslog/syslog inode: 3487956
+1711612474|FILE|-|-|2024-03-28T07:54:34.785375326+00:00; Metadata Modification Time; OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1|UTC|File: OS:/tmp/test/test_data/syslog/syslog inode: 3487956
+1711612476|FILE|-|-|2024-03-28T07:54:36.751357520+00:00; Last Access Time; 
OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1|UTC|File: OS:/tmp/test/test_data/syslog/syslog inode: 3487956
+1711612480|FILE|-|-|2024-03-28T07:54:40.393324534+00:00; Last Access Time; OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1|UTC|File: OS:/tmp/test/test_data/syslog/syslog inode: 3487956
diff --git a/test_data/end_to_end/rawpy.log b/test_data/end_to_end/rawpy.log
index 34c10c51bb..e94ac7e7b4 100644
--- a/test_data/end_to_end/rawpy.log
+++ b/test_data/end_to_end/rawpy.log
@@ -3,13 +3,13 @@ 2012-01-22T07:52:33.000000+00:00 [Pathspec]: - type: OS, location: /tmp/test/test_data/syslog + type: OS, location: /tmp/test/test_data/syslog/syslog [Reserved attributes]: {body} INFO No change in [/etc/netgroup]. Done {data_type} syslog:line - {display_name} OS:/tmp/test/test_data/syslog - (unknown) /tmp/test/test_data/syslog + {display_name} OS:/tmp/test/test_data/syslog/syslog + (unknown) /tmp/test/test_data/syslog/syslog {hostname} myhostname.myhost.com {inode} - {parser} text/syslog_traditional @@ -24,13 +24,13 @@ 2012-01-22T07:52:33.000000+00:00 [Pathspec]: - type: OS, location: /tmp/test/test_data/syslog + type: OS, location: /tmp/test/test_data/syslog/syslog [Reserved attributes]: {body} INFO No new content in ímynd.dd. {data_type} syslog:line - {display_name} OS:/tmp/test/test_data/syslog - (unknown) /tmp/test/test_data/syslog + {display_name} OS:/tmp/test/test_data/syslog/syslog + (unknown) /tmp/test/test_data/syslog/syslog {hostname} myhostname.myhost.com {inode} - {parser} text/syslog_traditional 
@@ -45,13 +45,13 @@ 2012-01-22T07:53:01.000000+00:00 [Pathspec]: - type: OS, location: /tmp/test/test_data/syslog + type: OS, location: /tmp/test/test_data/syslog/syslog [Reserved attributes]: {body} (root) CMD (touch /var/run/crond.somecheck) {data_type} syslog:cron:task_run - {display_name} OS:/tmp/test/test_data/syslog - (unknown) /tmp/test/test_data/syslog + {display_name} OS:/tmp/test/test_data/syslog/syslog + (unknown) /tmp/test/test_data/syslog/syslog {hostname} myhostname.myhost.com {inode} - {parser} text/syslog_traditional @@ -68,13 +68,13 @@ 2012-01-22T07:54:01.000000+00:00 [Pathspec]: - type: OS, location: /tmp/test/test_data/syslog + type: OS, location: /tmp/test/test_data/syslog/syslog [Reserved attributes]: {body} (root) CMD (touch /var/run/crond.somecheck) {data_type} syslog:cron:task_run - {display_name} OS:/tmp/test/test_data/syslog - (unknown) /tmp/test/test_data/syslog + {display_name} OS:/tmp/test/test_data/syslog/syslog + (unknown) /tmp/test/test_data/syslog/syslog {hostname} myhostname.myhost.com {inode} - {parser} text/syslog_traditional @@ -91,13 +91,13 @@ 2012-01-22T07:54:01.000000+00:00 [Pathspec]: - type: OS, location: /tmp/test/test_data/syslog + type: OS, location: /tmp/test/test_data/syslog/syslog [Reserved attributes]: {body} (root) CMD (/sbin/status.mycheck)) {data_type} syslog:cron:task_run - {display_name} OS:/tmp/test/test_data/syslog - (unknown) /tmp/test/test_data/syslog + {display_name} OS:/tmp/test/test_data/syslog/syslog + (unknown) /tmp/test/test_data/syslog/syslog {hostname} myhostname.myhost.com {inode} - {parser} text/syslog_traditional 
@@ -114,13 +114,13 @@ 2012-01-22T07:54:32.000000+00:00 [Pathspec]: - type: OS, location: /tmp/test/test_data/syslog + type: OS, location: /tmp/test/test_data/syslog/syslog [Reserved attributes]: {body} `cron.daily' terminated {data_type} syslog:line - {display_name} OS:/tmp/test/test_data/syslog - (unknown) /tmp/test/test_data/syslog + {display_name} OS:/tmp/test/test_data/syslog/syslog + (unknown) /tmp/test/test_data/syslog/syslog {hostname} myhostname.myhost.com {inode} - {parser} text/syslog_traditional @@ -134,13 +134,13 @@ 2012-02-29T01:15:43.000000+00:00 [Pathspec]: - type: OS, location: /tmp/test/test_data/syslog + type: OS, location: /tmp/test/test_data/syslog/syslog [Reserved attributes]: {body} testing leap year in parsing, events take place in 2012 --- {data_type} syslog:line - {display_name} OS:/tmp/test/test_data/syslog - (unknown) /tmp/test/test_data/syslog + {display_name} OS:/tmp/test/test_data/syslog/syslog + (unknown) /tmp/test/test_data/syslog/syslog {hostname} : {inode} - {parser} text/syslog_traditional @@ -154,13 +154,13 @@ 2012-12-18T17:54:32.000000+00:00 [Pathspec]: - type: OS, location: /tmp/test/test_data/syslog + type: OS, location: /tmp/test/test_data/syslog/syslog [Reserved attributes]: {body} No true exit can exist (124 job run) {data_type} syslog:line - {display_name} OS:/tmp/test/test_data/syslog - (unknown) /tmp/test/test_data/syslog + {display_name} OS:/tmp/test/test_data/syslog/syslog + (unknown) /tmp/test/test_data/syslog/syslog {hostname} myhostname.myhost.com {inode} - {parser} text/syslog_traditional 
@@ -178,19 +178,19 @@ 2013-03-23T23:01:18.000000+00:00 [Pathspec]: - type: OS, location: /tmp/test/test_data/syslog + type: OS, location: /tmp/test/test_data/syslog/syslog [Reserved attributes]: - {body} This syslog message has a fractional value for seconds. + {body} This syslog message is brought to you by me (and not the other guy) {data_type} syslog:line - {display_name} OS:/tmp/test/test_data/syslog - (unknown) /tmp/test/test_data/syslog + {display_name} OS:/tmp/test/test_data/syslog/syslog + (unknown) /tmp/test/test_data/syslog/syslog {hostname} myhostname.myhost.com {inode} - {parser} text/syslog_traditional [Additional attributes]: - {pid} 19 + {pid} 1915 {reporter} somrandomexe {sha256_hash} 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 @@ -199,19 +199,19 @@ 2013-03-23T23:01:18.000000+00:00 [Pathspec]: - type: OS, location: /tmp/test/test_data/syslog + type: OS, location: /tmp/test/test_data/syslog/syslog [Reserved attributes]: - {body} This syslog message is brought to you by me (and not the other guy) + {body} This syslog message has a fractional value for seconds. {data_type} syslog:line - {display_name} OS:/tmp/test/test_data/syslog - (unknown) /tmp/test/test_data/syslog + {display_name} OS:/tmp/test/test_data/syslog/syslog + (unknown) /tmp/test/test_data/syslog/syslog {hostname} myhostname.myhost.com {inode} - {parser} text/syslog_traditional [Additional attributes]: - {pid} 1915 + {pid} 19 {reporter} somrandomexe {sha256_hash} 1f0105612f6ad2d225d6bd9ba631148740e312598878adcd2b74098a3dab50c4 
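Review bot: The two `somrandomexe` events that share the timestamp 2013-03-23T23:01:18 swap places in this hunk and the one that follows (`{pid} 19` becomes `{pid} 1915` at offset 178 and the reverse at 199), so the fixture now pins whatever tie-break psort applies to equal-timestamp events rather than any property of the parsed data. The same pair also flips in l2tcsv_time_zone.log in this patch while keeping its order in l2ttln.log, which suggests the secondary ordering depends on the event-data identifier introduced by this change rather than on a stable key such as the event data stream offset. If that identifier depends on the order in which worker processes return results, these end-to-end expectations will be flaky rather than deterministic. Consider stating the intended tie-break rule in the end-to-end test configuration, or sorting equal-timestamp events by a deterministic secondary key before the output is compared.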
@@ -220,14 +220,14 @@ 2013-11-18T01:15:20.000000+00:00 [Pathspec]: - type: OS, location: /tmp/test/test_data/syslog + type: OS, location: /tmp/test/test_data/syslog/syslog [Reserved attributes]: {body} This is a multi-line message that screws up many syslog parsers. {data_type} syslog:line - {display_name} OS:/tmp/test/test_data/syslog - (unknown) /tmp/test/test_data/syslog + {display_name} OS:/tmp/test/test_data/syslog/syslog + (unknown) /tmp/test/test_data/syslog/syslog {hostname} myhostname.myhost.com {inode} - {parser} text/syslog_traditional @@ -242,13 +242,13 @@ 2013-12-31T17:54:32.000000+00:00 [Pathspec]: - type: OS, location: /tmp/test/test_data/syslog + type: OS, location: /tmp/test/test_data/syslog/syslog [Reserved attributes]: {body} Another one just like this (124 job run) {data_type} syslog:line - {display_name} OS:/tmp/test/test_data/syslog - (unknown) /tmp/test/test_data/syslog + {display_name} OS:/tmp/test/test_data/syslog/syslog + (unknown) /tmp/test/test_data/syslog/syslog {hostname} myhostname.myhost.com {inode} - {parser} text/syslog_traditional @@ -263,13 +263,13 @@ 2014-02-06T15:16:30.000000+00:00 [Pathspec]: - type: OS, location: /tmp/test/test_data/syslog + type: OS, location: /tmp/test/test_data/syslog/syslog [Reserved attributes]: {body} Test message with single character day {data_type} syslog:line - {display_name} OS:/tmp/test/test_data/syslog - (unknown) /tmp/test/test_data/syslog + {display_name} OS:/tmp/test/test_data/syslog/syslog + (unknown) /tmp/test/test_data/syslog/syslog {hostname} victoria {inode} - {parser} text/syslog_traditional 
@@ -284,13 +284,13 @@ 2014-11-18T01:15:43.000000+00:00 [Pathspec]: - type: OS, location: /tmp/test/test_data/syslog + type: OS, location: /tmp/test/test_data/syslog/syslog [Reserved attributes]: {body} last message repeated 5 times --- {data_type} syslog:line - {display_name} OS:/tmp/test/test_data/syslog - (unknown) /tmp/test/test_data/syslog + {display_name} OS:/tmp/test/test_data/syslog/syslog + (unknown) /tmp/test/test_data/syslog/syslog {hostname} : {inode} - {parser} text/syslog_traditional @@ -307,13 +307,13 @@ 2014-11-18T08:30:20.000000+00:00 [Pathspec]: - type: OS, location: /tmp/test/test_data/syslog + type: OS, location: /tmp/test/test_data/syslog/syslog [Reserved attributes]: {body} [997.390602] sda2: rw=0, want=65, limit=2 {data_type} syslog:line - {display_name} OS:/tmp/test/test_data/syslog - (unknown) /tmp/test/test_data/syslog + {display_name} OS:/tmp/test/test_data/syslog/syslog + (unknown) /tmp/test/test_data/syslog/syslog {inode} - {parser} text/syslog_traditional @@ -326,13 +326,13 @@ 2014-11-18T08:31:20.000000+00:00 [Pathspec]: - type: OS, location: /tmp/test/test_data/syslog + type: OS, location: /tmp/test/test_data/syslog/syslog [Reserved attributes]: {body} [998.390602] sda2: rw=0, want=66, limit=2 {data_type} syslog:line - {display_name} OS:/tmp/test/test_data/syslog - (unknown) /tmp/test/test_data/syslog + {display_name} OS:/tmp/test/test_data/syslog/syslog + (unknown) /tmp/test/test_data/syslog/syslog {hostname} victoria {inode} - {parser} text/syslog_traditional 
@@ -343,16 +343,16 @@ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- [Timestamp]: - 2023-03-27T03:47:03.767381+00:00 + 2024-03-28T07:54:34.785375+00:00 [Pathspec]: - type: OS, location: /tmp/test/test_data/syslog + type: OS, location: /tmp/test/test_data/syslog/syslog [Reserved attributes]: {data_type} fs:stat - {display_name} OS:/tmp/test/test_data/syslog - (unknown) /tmp/test/test_data/syslog - {inode} 762256 + {display_name} OS:/tmp/test/test_data/syslog/syslog + (unknown) /tmp/test/test_data/syslog/syslog + {inode} 3487956 {parser} filestat [Additional attributes]: @@ -369,16 +369,16 @@ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- [Timestamp]: - 2023-03-27T03:47:03.767381+00:00 + 2024-03-28T07:54:34.785375+00:00 [Pathspec]: - type: OS, location: /tmp/test/test_data/syslog + type: OS, location: /tmp/test/test_data/syslog/syslog [Reserved attributes]: {data_type} fs:stat - {display_name} OS:/tmp/test/test_data/syslog - (unknown) /tmp/test/test_data/syslog - {inode} 762256 + {display_name} OS:/tmp/test/test_data/syslog/syslog + (unknown) /tmp/test/test_data/syslog/syslog + {inode} 3487956 {parser} filestat [Additional attributes]: @@ -395,16 +395,16 @@ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- [Timestamp]: - 2023-03-27T03:47:05.830383+00:00 + 2024-03-28T07:54:36.751358+00:00 [Pathspec]: - type: OS, location: /tmp/test/test_data/syslog + type: OS, location: /tmp/test/test_data/syslog/syslog [Reserved attributes]: {data_type} fs:stat - {display_name} OS:/tmp/test/test_data/syslog - (unknown) /tmp/test/test_data/syslog - {inode} 762256 + {display_name} OS:/tmp/test/test_data/syslog/syslog + (unknown) /tmp/test/test_data/syslog/syslog + {inode} 3487956 {parser} filestat [Additional attributes]: 
@@ -421,16 +421,16 @@ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- [Timestamp]: - 2023-03-27T03:47:08.884386+00:00 + 2024-03-28T07:54:40.393325+00:00 [Pathspec]: - type: OS, location: /tmp/test/test_data/syslog + type: OS, location: /tmp/test/test_data/syslog/syslog [Reserved attributes]: {data_type} fs:stat - {display_name} OS:/tmp/test/test_data/syslog - (unknown) /tmp/test/test_data/syslog - {inode} 762256 + {display_name} OS:/tmp/test/test_data/syslog/syslog + (unknown) /tmp/test/test_data/syslog/syslog + {inode} 3487956 {parser} filestat [Additional attributes]: diff --git a/test_data/end_to_end/tln.log b/test_data/end_to_end/tln.log index 0b45cfce80..7c8dec2488 100644 --- a/test_data/end_to_end/tln.log +++ b/test_data/end_to_end/tln.log 
@@ -15,7 +15,7 @@ Time|Source|Host|User|Description 1416273343|LOG|:|-|2014-11-18T01:15:43+00:00; Content Modification Time; [---] last message repeated 5 times --- 1416299420|LOG|-|-|2014-11-18T08:30:20+00:00; Content Modification Time; [kernel] [997.390602] sda2: rw=0, want=65, limit=2 1416299480|LOG|victoria|-|2014-11-18T08:31:20+00:00; Content Modification Time; [kernel] [998.390602] sda2: rw=0, want=66, limit=2 -1679888823|FILE|-|-|2023-03-27T03:47:03.767380870+00:00; Content Modification Time; OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1 -1679888823|FILE|-|-|2023-03-27T03:47:03.767380870+00:00; Metadata Modification Time; OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1 -1679888825|FILE|-|-|2023-03-27T03:47:05.830382781+00:00; Last Access Time; OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1 -1679888828|FILE|-|-|2023-03-27T03:47:08.884385609+00:00; Last Access Time; OS:/tmp/test/test_data/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1 +1711612474|FILE|-|-|2024-03-28T07:54:34.785375326+00:00; Content Modification Time; OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1 +1711612474|FILE|-|-|2024-03-28T07:54:34.785375326+00:00; Metadata Modification Time; OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1 +1711612476|FILE|-|-|2024-03-28T07:54:36.751357520+00:00; Last Access Time; OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group identifier: 1000 Mode: 0o644 Number of links: 1 +1711612480|FILE|-|-|2024-03-28T07:54:40.393324534+00:00; Last Access Time; OS:/tmp/test/test_data/syslog/syslog Type: file Owner identifier: 1000 Group 
identifier: 1000 Mode: 0o644 Number of links: 1 
diff --git a/test_data/pinfo_test.plaso b/test_data/pinfo_test.plaso index 78053c291ad194703196195558bad8ed4b57a062..964c8010ecfb91e990fb3338e4094b55b462db25 100644 GIT binary patch delta 1371 zcmd^9&u<$=6rOb*JC4_OLP88pLmj785~+>XYbW+bg;0qfsvx9_T~P_lbTT`(x7fR@ zov}j{RgD{kLlF{Uq@GJcQdK>ab`hcis$M}oAW^}ELyd=VW?0Z$}>zoUP zlVfAjMwEXOZCpH-f}~AM26e;`q|70x2@PE!M%5rrs{HcV@;;}H8ZAO$9ntz@4gc}; zgR)hd`1GmHk)Ck!=uzoXl%eGY5fAed@|DT)U^qE5BXtZPrB=(q1Y*mq8nu>#m|>Y+ zjQ=T*_V`wQC^kQ0BlfS1J)ixTToSwTR3fkB)EVzbB>4`I@3;f~H|2@l6Vfo~1)a4} z@3$2I7GfZo1RyyYn$Fk_M6C?Pj$t#NnLZy54Y@xpeQ?{oI{mif2Cptk?q8W75_=LJ z%&Wn>AaU0nSpPf`dQl1jnB$4c)M3gj2h~WbNpu6HjHWnyA_DS#5O2%(g^YW0WMd)_ z0%M2YpW?UPdgtO=8bVJzgz33d`m{)_WD}e|mP%8G90sjwl@caw*`lJVd4by=Y?wNE zPoT2`Xjs_)Dlb6BRy|+A5p@*6lf!o@2Ly-zQJLWVmC3W7r>{jsH$+U!@j@<^(ia|U zSUUOU6D;M@Yw+~RrShrrsl_+a7x;ITgOQD}B+>?(Yy9`h3;&z6KRy=aLxt<^z`?oBLPrNn6)m{9)J*7FI3->o@T%haL4NR#qkwlZAVJ`@*x z;cA%s@UYyyuZWUcD}p!7`?sHqiFF{ltY!N=fe!N5w||a^hGqtawBU|^ilsrK*E}Ui z_t?y!!p1+_846?-{^8EZfo!(OukDOVs<`nUZy&VW*zRxAfZd{XXj$P2J zpoy?254B8O*ZmAT*9%YE)(UZGoirMdImqmesC)CeDaB21Px(xdQH?)yV?2a~x>f4t zZyX8E=ki5u2F>O*U9aXzL0=|?9MW<{1y@y~<&-n!SB@8ndHhVtpMF(Q#n#9cfEfKB IAIweu1FTcccK`qY delta 1454 zcmZp8z|`=7X+n}zG6OFI0|N(FE(8BI-W|MYJQsPixVLaKbLDOp6!^%w`8}sQBWDR4 zySSnvW25n82kxB75 zVPIrr0@6?blE}H(5KgFw1~ETF4^ zBuFO+Ae;;3gQdYTNQQvpf@ss-p?UR$xY3&Bxy40W1+(MK({(b79<6z+$j@ zt)4&QWR?a0CkrnunY?tN(d54iB_@|Ik`t@|W*A_O%E^h($SejXx5~*Y7QNg&e{me+ zWSONLY{~ig*_o-61(u3Tu3cKOnRnTB#?2fnCNoanx>9d53^W|(T3m~5V$Xl86=Y;GPJ;-+hnnx`8YT#%DkoNr`c1S}Q} Q4H_RCoY#)!YN_2F9BRPEYTUC++XZ=e4_bN)PSvIvAPMO0ndwUdQ{ zf&xmTN&&sga*u_~{Fs@a3CU>8kV{`ew@Qbj?WJ|58KqIJOsS$yt*3!Q_)=$S@*%vb ziL~Jmo>X=^JcPU2pU#GgG0c&Uj#o?!62X)@!04WOi$O};ffPvc^mhovxd)K^9Gr1} z&Z1^or_AI;|NVpu5lrPmb|Lxxahizp$2s_ic$2>WU9HKK2$7bcrsGASAYm^4IJ`T_ z&nv)}Kyn~>d6He60(^1)E?%BLj-_re3)6f*n<~U|M9>@O|MRAQT=TDdNh}#0+(;Ng z5w-UYsOf4bm~Sv>(}&X4RI{@c(n*DBQ*%?$Q-qOd>A~}c6coG^oD{smvF5dpBp$8pYX}PNV>*qU>1S}R$z>`UMB_tB22*VKxXgC20Ly~X^3?7CI@F&YF 
znVV^Rzg`ih2;Llyq1d~axaJ(DP4y3N=eBo+y@?C~izAazNE8l3#v)-j0$vHLNFpd9 zQ794$14E+!{&w`oLy9dZdBATME=)_`W(R&f77AWoLCU{=y(4md&_jM9e(qjQ-=CCX z-)42aoC&0knhk=790cDCXYmQh_pAhe$%^7PSshaF{WYt;)?*fbW@Q7B1hZmefr?Ww zv#wA;wV>~zU!hIVThI*XS*Q!t5{hPBfii()`dL#~)UN6B&{Dx6q+owv9AS^XLlDl_ z)5X(?lADI=5adU}`(BRx{C!C{4@y32Diq{*#U^#+$N@TN83nWtT2{^OeHBV8LrG0x z#GUHsAi(~|7bm;8lVl)2kMjO*;t|UK9sZ+ViaLUsW1oq)b|cz z^gfV(J8*!ukOFGLS_r1jVr203i-=X5-SyS5ll+K z4&8*VKo`Mh9fk5i1;HaM9N;fzhVRe9Dop|9VwDDS7h+`$bD^Z82*as>PjfW!$==g| zhakTks(zoe4W<4}N%uMRL!J=F-Uk{mF9>uK{7u0H-K=K6HU|{}KXdTzWzPU%r(hLh zj$xc=5lnDaB!M-zCgB{ET{I#+?r_FKsT4xBU?9L$L2iD^`(*=EbCPSY~Osf#%P&8 z>Hi#1WZ5@X)?3>}YD5~EC+0TB#-O|9J(>;a&z#l0F#fdec}cvM-~-Z`K5izg|9mL3Gd z{1Z%v=TjJ)7SPnLT%#wdT2(%@bF9zMJRv$*l&3jnmcb)(ZS^zeZ07jVlxj zo$NbcbJLiujm zk>1?S6|QSfI_V$0SgIK5o6)*@+s~G?|CJ?;NB_hn{fg?-H)lI9+%tan{AJZrcNwS%m~K^7b5NTsr)gN3q5Hw^mlJHjrUM^h7yn8~ahHjMRftEo%Se5m=( z^v&t35B2T+*QqKrD;Ivl0u6)XiDUq5cHwX(I1U3tfo;7a39E!clTbt=jPMJKaDa}U zBJ$i%7Dh&3C24x3-^-L)b|-MRMvzkB3OjFP{M%rp$z`(`m6GDnpwYmd=F)Fxj;Orq zfKz>_JaFFqMwQMd$LX-CHWlqLY2tl-O+Oj0Q-E?Zp|e#9{)R)G?kQ{hiP*s$L5*XddK^BUux;+KUnQ77lk3-=W1KgUx+ z8`JNLK<`_Rm&y6nw)MGYmzQlB)WlqCE9M=PVWoN*`;BF&Lt8xW(!P?_u*n-C-vRA%C2|y?kh&YrI0f~Skh$IXOjR*fzB$E*^v=R}6_ys})2JFwHY(WU9;42;} z$MzsZ?dtb(rk35Bp^bmn`GH=S-shOKuW6=spi|%CG4gT;C(n`2OE=Fu5)+G<$Jwn*%Llq@6E$`|JUV?> zc`@|-6ugyI{h4=Y?MOfADzCS>XWZ$C{aj@hnd#OQ<>K$-U$LIOC|D}x*(~++kae^e z->OubMvszwi%nO-x7F!9zjJosd10I=S=QomT zBV1259^x^;C?rP(UKwEZOE=8R_LbM5rED|09n-1bEfM-b^*WoRV6j|Yfxp|G1mj4V zMZzo0(bkQxeC*|_x}%2_O6Qqhhqjqk>T4Mnjw*6b=A3HOK1FAhAEPtGuypu@@EBKC zh?pnPa_&a?sS3+=t>pvzR3-tJ`gc2vAFqle0)62m*>wybc_TO#%gd^`z5^NL@7Vqg zG%^;UM8?Blia0D@Ns){s;c~$Um47e7!uC{c(P74!!}N5o$CbJl7xa zLQ{@;z1@Qs`vEYe?b%u&*lNBnrSrV~r-)@n*%#NEt|ah-EX z1y}8vDyD|7_cxv3ejjs5g*kGQkKXpNSz0WEU%JRCRh+0tm?Lqd=v5k<@|>LIut?{l?zMy3h?0;*|tw4I+~|2zE9D8UeR{_Jcl3k zpD-5iE?aYc?7(|zDQc#%`euK?x48`Sr)pA{_xbFueLcqd$tHkpHftl3fkAcQpdHmE z=eQ1lkEPr8Hw?k9heW_*umBMT$6!!+1WXYN$DvR-I1Gu!fj_^6c!U~+=>8`}qcIp8 
z2r->g*Epw8P`WYyDZ7Pr#Y%WGs`ke7rKjY?XFBXmZ?8PMV{M1(M8DKRVd-?UF^a-oQc_PXtv?Y~7WGUi zXIh&m><6Z-tnBXb4`y*aixxdHgQN`$?AoVw$8%{# zWtGn9K49Hv-a&|s)G$Db_-szDHmbe=`ZVsCP9KqyTxhjarjhL8ncsz^9Owl$0=dMK}VijxYpP5rLT$fdP^r=x?hFI%zC@q9`==} zLZ8hm5w`7XS!r3>Hg(T+JaR@ozhb~Jx%atv?t_`3P${&hP^q0L)5{P2%d4`20Ak`Y zJwLr9@IXrapdNI2Kef~AG6xkiK^@H!8hey^cwoS@C&b+7Oisw)U% z*d)gtay8ammS;;Q_Hd7KDzni*7AgZIe;t z`Lr$z&7g}Ty%J9wXN}6gX8Q~?rLAu1jVVXpWRwP=BckiNNJQwk;UzXnUOAhy`=`3pb>2O#nwg0f0SDw> zUwu!JB=!d6N~cyrjR=*oO{az96nSWbtyc7E7)&CHb_W@kCFJ;L1W1QCeKs`LpE$=> z`KP9ukK?@eWqP^Y%(w5F;$;WwI)8(P1R$|U1fB%L5RpU#0)r(fk>D5<4v)ek(O3i) z^(z`%2t7sgQ4oz_@RcUh!(bQ2wtX<{lQ@sOX-y;dTz8R7a>4PFY&F4EG5UqqREmrv zwpNGRGIB+a-ypI-SsiKI{4fQt&S+-6`SPyipi_a`ENwV&Nahj~`^Ib!_rbFD4Rxkf zwzktcp53;$cuMKs41M5d2yjfbT;c>O?4Q4DAXC)PU7%z4GBZ}6I-7so18pyu?q-@( zAAP#cW|KgiJUt#;MrA2=EWnwfEhX7>Uul52x60V9GKww}=ctgheu0*w{&S@jA`H)- z8GU-xG_N2<4Sabw=EI!%>5(!e`}XB&9t%0_@wf1bc#|UQTLvyQvNc^DTY8sX_vChq zG0iKkh-@4kL#cC)E+lW0#p<|L7d*{xy|Cuh=It;kTZS|=CzvY2@85r?P%_8!Jgmp* z^mCfTfx_)6HaGr96LqsK9Uu6WP5E{hO8g&UH6%D{oYsMtb8=Vxb}dIk^P<0eyIZRI zI-3C=vM6KWR^3%3>TK6j7)v*neeE2D_S@_3wJ(x*@8Yy{7bC8Uvd$%9RQfW4Mw8@X z@yP9Tkp;s%qt^m?YKMP=84E|CNoX7qfdXqHmWaZ@VJHk4Lnf0BknwmWBAo1}?B|d3 z|1nigq+qpUZefyTxJb828%DiLR5%wHl3DEpm0t}6Y_ey~DWNgBi(#ULu z>mgf;m@-~7tC4}h+RFpR%@C94fKzkBAdSxygF@xjNDfBis;ZNIQ^*~CQcm3LnfU8( zPjv0jtGQ0jWra2z)vC6A?>rar&6r;}p!>>g#!=^h+gFY~uVpnHX-nE7Edo+sjs>OC z)V{fMz~^N!>7d8GlE|A0$#T3^=^k!x=K?)W#R@IcpE9m)X_qbu$c-wINRff|U8Wz9 zyXPsubgf_}CZxDuIpO@9?aGR`6kn!zmn?UzHz|0|V7&RB-CxgBw&vJA5x{voBdbUx znS7}-mU}{Z5;dtM6TGh8mN``n_@95e$-I4|t7)CXeR69#ZTpzm-SME6>aw&VTP6jX zL$YPvN_@(PZxD&Tesxw&=T2!c8{{otJeZZw)G&6eA9*gy3;SyFiG+W_<86uLmyE7#GTp4=V%bjC&!|U4z;&PdQ~?)P=&Y>9 zFE9;VdrGsbW%S|3xwsr*>nN4QOr9t)fqheSTb+{~2f2=@DgU($fWw==D+B*l1R_}2 z!3J31X9L{j8Uf=1*F%Eka}xmb@()b|E3^bmQKaeNS9h{>ecdhf--pKBt%;y-TYt10 zyfn$daBPx2>Y^-9BZpN;7XABpsbm2UE`$+sb&NAkr&rQiG%LHsSgDFWBDvyr>xm6; z;+^x*`pA0XH7WlBx;J!Lbpynl;^S4S^DraCtLlP-srXd&FfELV&Yf3)QSb7(Do63H 
zBHp0D_Onb?o%)xwBN%75-oj3Q;3+iOQ9GuRwIbBsP&It3Td|Gvq0=oId-$2M)U4d2 zrn!@FQ{QB>ua46R5-iV#=cNS|EndN;y(LdraOCqyI(^`vTn^`aQW?2ARRoQSc+_Ac zevW#RHS*Z*Wdwt(v*bcF6L49Zd*e&+i+;CV55gzQ={nWHGq%cI1xxcL@G4FPZj!*s z)fDyh=@}j!f=kFXks1MW|81&y@mouO#Q|3Y$1Nx%feb^T(PR=D0ghL|Dv5<*kO&-x zgdzXZ@P-3y-)G;zA8S-yo?xe_1?(T?58$%UPuYNZY(}^oGUv{2w!0p6o}=eh*~WZz zzBvX0T|69k>rkeqoAPQ&fJymyl=J{u^z58!*f+jQX7I`ek=;ANnnptuPg+$Il}(O1 z*P?7I&va<)e8hyJcYA`UF^;`-7wN+CU00g92CH5GWwLG`LW~!v_GfVyz+VmwYFwOk z4svwr)?CvtS`@NdEs{B3NmPNJ7+AEfR2YuzOMmGG5Dg zBOs%UGuS#a&J6q3+Iq5kT=bF}&GAV4R1eaERybbF6*?zh2+bG~zWac1rQj^}8f|0& zkk}9h$VMPXybU$xiC?6Q`p&*`NS8gwbT`e(rrD#HR(R6kAS2ZY?l*If-^uH(w|_ey z%Imzr{+>^@etd(ehIHfBZy?~5@MIzp0mJMKA7OYL5`_T&;lP#>OCk}8_+KFeK>?70 z=g*2^xVIh^bsJA&@t~x34m5u&X!g#m&-o%9zAZ-LjCvef(7XX25?C@&ZD}1T`W|;15TKM(?L3zIj z>tpr`0JNipekgQJn`83T7~eFi8|{9B|!e_C|zMY3An!Qsf~!gmQ* z^=T5q=RaqaQfW0|XPTeuUi(~A5mY&%TC3=OIq>xR@p3bhU4m^mP=A^Jb1b<2@#aBZ zT(%73eVhBf?b%lHkEnwfN-!b`M?m3z4&J}71v0XNjS|51^X30p1MUwo3Uki9 zt(k+CH5!-_FWQLHgyVZy&9_$vJIivY)mIL`@llw3VSSah2L1N(Y&v%RH1TZQ;fQ%S z>7azB-$AefJil5&6`g%QGeb$tzh7l)tua#!TnyYv-dz+Hi`TtNbEp3u(U09Erp5$8Q-Rq)!U^#y01QDpbI0Enunl2>TcAAAb1VF zer(ml8Fo`SV?0nilzMi2v}XK_(Klf}zxX8ADZ zTV3bXo6kgdiEc^>_x#n}MTgPdD_R>7K_=WY`dd~{#iZ?=t1b;;aY@2t@5Ck9S~YV2%P;%~6E8 zHGXf5#~G@c9JrRJn{#1JDW2CtY$P<0DO@kcZ1Zg3@R%Q7epTK&$K7D5S;%e#{_sNd z6BJ)+412-7D5%`NN}LVlv&X|4$A#EkXY||dHKy(@&Z@oKHw`3yP?5BOm@`h6pUo93 zE`LL^F0RIBzvlgVIIUW%^2F*ozQkSZl7X3-Vm1$aX9@9b{Mi%V$nHuemSEBarvU#6 zZQ|GjVAi2A=yuu$tLXc9*Lom=HaHI*53Dx$0rU$AOPoi}@6Qpk5DeTivZR>EqSN zbZNYxc#=&NI$B*-UjcBiYFhpeNC3`50ghL~W8owcObKkWh%f{JjYp!8P6mJ5?K?cY#+Os%E{h6;>K*ck%AWn0y2`v)nWJhwg0-zwp6f~mZIBtU2h zdSoVUwmFCb;g~ERneoxkyif3ySLN{ec1xPH8T0&oWfkq_SC7H5XBNaf3y1FU=giOm!iw5$QFP_4+pQEa!S2RR%%NRyiAb>5%%09NS zJW6Et@EL2~R&`9mO!M*DtR$uh4N4z>^k)#%@D40vkyG0cekp5(Fwu1^_$0|r4t5b>a7 z!jlnXEP+hMfa78C2Z2D~!K#E-`lYXr5M>0x?9Ft)JHek|fN|G|?v$O|L4>!0Y4753 zX{Yp<1BKj++@wQS_4JN6#6@25Q)`Po`>LimU!$VBv3=xXf&A&GtDPJJJOs3By&y_o4m5TM=oK-NQju%PhKt@=-zA=0~d`l$bHoIn_2O29>8a 
zNm`)9>J|dm_dm5r6`rb|&5kH6avWL=yKZ#hs%2Vn&OKm$mx_M>u7Kr%Qe<~<6Y5)T z>cjWz2J%j>KB1>38bpdcx@m>qkJuZ}`uN&PKY1s`vHA3z6HECP%Axw=K$LDzZt({R zFY#biT;MuYl3B~|W~vB0*qD*gBr=IWA}T5o(PVH~fFTh{peKYX;z&Oi*Y`#RRh`sq zJPZ&c3RY+4*Gw!726UHb*{Cm2EmfVI@he~TEXMtcQ7po)xpQVK+FTxkoDVN#Jig0UosBQ3Z=>T$8n}c$ z3R4U!<Q`efltwzNGucpw*4n>S2i;mR-$H3r{}N;*m}iM zdSflVQ$+oXVni{0^CcE}C0q-EX`vhFlmq@U*HGPkr+RT03i!Y9yc_#aQ2j-EA z{=Bvl7>iFz9aE?If=(IWT~Tp6HF0}AR_nQf=H)L)8j%prCu0oN9U>``Eoy(QYl`0~ z0)KN zSo$4!Xyny+g;Fzh~m9Xb?mlq0L)JfWcCv#$AVM4&yks$fJ; zT}1rE`{D=P@U_`xI+jQG5WsK1{8hmJ5B{AWJ{X6iF1pNP= ze+PaF_*fd{$%x&JV zGzV%3>Ks+S$OI0k>yg%A7zChF(z&DJ)4-5?ukYM@zv0Q-n)=f=X^Mlf;~A|p1ro#9 zC{Lb7v;;!Gof9gPv|Ahe%5ah0~V^)I)L>=M`h-!=#vOrj|_}? z3JL2ToAbaL2f1I?TW=Oe%62M$G8hi^kuYz0IiR_w_qCI5Y-E3kGzxHWdID2X-D|7F zZ6?9`1Cw;=~nBe3mugm-dAj4UdIM?WBI)M{fo2i{sPj^i;<#)%Pz9 zzmemPGaC<)?JvCtST{|}KUHq!FjVcf_`@FA@{F#?tk~E!yWVfTb^XZVfU?opT%b`B zbjy3IoL0`X?a>ohPg9Pq??=(p9?V-v$Ifq<{X_o_{D*+&0qOl!!2j?0ci@MBZ<>yn zr#|=ircGGJRdC9ZAw$qA4#)V7x9(i--}H z$qA-6XPm%Toawjn<&mKV$it&Mi<1#TFY2a62jJfhadHHIu&f7YL3f+ED?rz6_Zx^m z1^j>K-?>4C|MKrYgDCbGj`g}^fH4&JxcQ>(V$~fb$vnXKAPT0~oxLE6;>;0)hx5kE zW5@GRcBgym2TDf|8v9-d^A`Cj;BQT^#5pk+%Cp74I8%z)A9+HhLpaD^b)0Ia_|UZA zd;YESR&~iXVMz(KJTG0}x|hwZ?3}#a-=cD}-@(;+`n2h<5Jlv_?%xE~bbcE6#XSSh zFqqBtEKxMiUm*PG1?NKrKPb*aUA28+71me90@G5UJQ=ch0=fH~Uu*1z=tThEUu( z9^g<$e%Xh3rr;KL^>(dk8toNjHGzdUQH9&>+ap%D`pe5c!nO9IC=&1OuCHnA`}F8L zMWa26KcXn!?51M7X?_FofAsIb-wAjgE|8+!&jH`DJ^#KJ$K*#-L}Trf(=0XjRG~+K zUP}taCSzFkoKz0RP@G^2&$ZqRJ?CSu5R=whCrzs2Xk$uwvzfTi_dSfM)KUFi#{r(# z&U*bvVX&m{jVREI3R*r^-F9TF*l6j-eMA;(gz7ORt$XJu3a(6sq~q-6^TVx49nTCV z$_C1-q%XAboc)l{8-t0{hlsMYfWfvUkEL@8x$b&RwQTD zsM05VdzL-wE?z~;#5B%-`IcJ{XJz16Ya2~fC$py^a9au(o7cQAr4EKLiF^-Xq6&?% zs$wGw@%e4xr(QZfgGa*Wbei2n<2P2>jLfd5JQq|bbu(OkM=s4O5`S%KT#SE`S1=;|Na;K&Iz*lzoXxQf8^gm{oen-qu+sl;@|%l^}ETh{+&~zKhco>xqjaZ zY|eCGhio%>l8C-8fg}eovOUw10}{gN<>&BYFM@xFAIUe+g+TJlY~p|%hT;frPQG3N zoVy@DO!uvGSMoJ@cI30KOj|H&E1l;e`}K*#CHFT!1IRnfU$X#PLHg+}>V6Bws&glDoSD 
z7<2FWWAj7ZeSU~1gw=Cz_r~|M;Hz*-72A}cC4kQ#;#a382$7@~#V8>VC_G$|fCs%C z2~GqZ5fKg}lTk_tG+7CaP7T}TlK68oL|^&&@;!r2N5e_M>dO3*=^(>ZdP&;rG@O+w z+tfe=i#S-f{$*A@!}rW;(Z|b5a+La`O;vL&8SnUdgg(M9r)SjA<-#9s4i$9m-|w=! zt8$^|QKlxna+0*BN%eSoYx^_JH8L`+*EuyUq~N|t-YL}rsV>T6#CIS&Vi#uYgX79XUdKFjpme?nIfw5e{BGEB7uViYQn1690(|&kR z=Bs=w7%n8hB70}C4!8XHrEbMmXm}884%^!BlHAyevC3XN>?gl)d9Vk4e2@X@(VFe+tOCC?tLMbPdDYpUUD2Ofi9dk(7qLqERjm45GgpB? z@2?KrM^94kSv|>Gef#W27uw>wS8xFxHNAAUw{I82im0%(3GotsN7NmS2Ew}vvT}ix zJ&$puLu8uOnU3*J%bg^c#mf^j;x=hk<|LMfFPK8^Xf{fA*Yh7dvwV!hWA&084}5#c zREg$oDAk$XXv4`)?Z5|U?Ih5vT6~JJ@0l`9d($z2w~(t=?7+x6zi^vKDwi|Y@qZvY zSz1+$dLTfsVP@9x%4&n;pwVhAT0ji@W84|L?i;5>GOV-V2IUV9EeK~9?4n-ndpGdI z>m`J~2`RgpH&Je~-%BiI$z9?e!?m{d9k-@)*Yqmi@yyAaq#Y_aGp+KvCuvP=zEvvo zNbUHI+rMG(JFg1-tymTP)vNv)=Pxj{K%X>Qb{9AqU}}C{Y~RKG2NGu)`rB^?xARH<@=fme$P&-jbQy`gil>M|S(}_3I!|e@a05+q zxsvM_9JX()YYel88Zo#U)IR+>ak|!il4i~_$F){EHv8SDA@RG)qw=onnfzx|AE^vlE(# z+!NflG)8%H#EeSAwVxRIzvvAw7`+kz5b%;G{fGN6oSMHXz>iK)Y4ln$lr7!G${n*a zr1ozL+kE9Va(n&x3$ic9cY=$v+V(8d7mia)OYB7-2YO1@PUb(VEnL#_&pxQR575-9 z--7U-DE0i!%l{j%3jAKIihym>zr5<6f&e#JjNfb-SKVMP)F%sl)DKG~~} z>JEfgcl(?H4uF9LmfJGGf^Zi!?b?%G=_`{YtD9wbqnbnZOQ@kfn-ohDE{-JAG(HQL z8Z7Yyl@?e5`~*_}c=y7mNjC@q0TX0U;;EIHKS>-KF~;|p=m(4X`3`4|*GC+XpwqmW zT~Mi1cAX(c#r+0O$I|bjXZvGtf0lN7j1Kz8_T`zO+8oU5BEWd zCfja|n&!fL5H5_&49}m%jfdD}nTy>%`=&!A-;VOQ{Z3mmD7U|?oxJ|Yqi`;6`HWLh zduGvEwQlG|)!kCHXls0{0^nv_Gxs|lKfEgN_hR)|ueuN9@jI_74^Vw6_V79%h$wFL zU`a?ro6kO#ectfe^O(Ddc%NFH@ao#7Qyrmk{Zclm4-|DWgW|pNao#M=M0}+5myaSm zM!>)w`7oU0zWn`(^tAy+#Nj7;pm{LNd$rS>`#4DVE@c_lt2gUX8U}9;mDdZt`b$*)n!Mt+-YACAke4YF*Qlh8wb+lMbF z=Jkm8GKPrWo&20tSvgC)QJ@xg)PhMnDM&mt_-2#10A_JvSD4RySLmjxxuDg9j~Na9 zZtriq;}sj-?)zqNB91?z`QcS7etK0Ay&lW|^s2yjv3lzf?m*MG-%$Fmys9t=>A&@= zz~772f8bTO{*S#X@b_Z%|A|)x{$8y9n^)aZXdwTF&wu4rg+M<4=~cm2t)A%i>{qec z^j)k*cmJnXy#c9JSSbr8CEne~|6cvI{7n@f?kyxBR<7ia@;#Az0|?LuFkx{Z72}jqp)OVZtm6pdS(t##U7RP>GdC#V}V~? 
zi;?pEsN+XX7>wR$i=TWgH51d(I?}c)S;0!ypVM&q;Z;SnmC6FPRmqW|Ynp)EN ze6l^U3T&$%Cg;w5_o{|}dR6;hyy|JTsb@dEsxatPv3p(>_%2piL9uGBU{-sweCA-E z@1}gsevi(!ggNdOcE6S=+ToYRt`3DqPD%9n9%#9!aq)^*N_bLd&WFXwrU|Hp+*8Ki zfcd9hl?pU=HIRLjf*3d)4F@|ZBt{8^z@QL{=+M0lx_t@f95Q_vAOe}Dln}4~G1WUt zNbJu9N?^1<0-*>-ZXthUGsfmo7fuCXX8M`p?{D;s72^3nrUGvynCS%lB^4Tjf+J8E zlp^fM-O59EG8do_u1qpJWaa;#nf*fBu{yBQ#}I79p_1;8~)4Y^}aEVM|VXbv@qJ26i_GDm*C#xC#*miFSw05 zTrv2HVZw1na5$uS8~@--0c(EVtUgqH*o-f%g3m^VMJ(vHkaMZU<*uAAR|v6<-jR;r zB_6e}`a>vw@%gFQC(`h96CyK%Ek!0#;UTi!kMmF`5OL9T)z)WI{p$l5KQLJxJzL_s z?CQ+Z_@Vk8rVslnjBnt8`;j!jjNiKMr23p;_Gn^5wcmj^-!f->^5&>&G}J@Gc)-2f z;jq0&>tX~~&9s1`cq&EGu2iURtU<0Cj$+- z`A*ztC3%eEo36%lj9KnfUJX6vbUEMggqFZsb+efjQZ?)4sQRe?3>WG#rt18fi^X+I zjq1-d4s#F7U*(^8{#XsanP1pm8o;F0JCY?Mbgw}<$j1(tdDSv2Qhh@`px6<@_WuFy Ci%f6; delta 14057 zcmchebwE_z+V&Y*YG{z|2I=l@sgVYW0ck;ycEivqFw!6rlF}g|B^@HEG)PDaf;0%< z;Paewp3~?1zV|)+HSF0d_BCtYzqQtVt)L+Epk=fKS`b+xojjWj5-t)F5*V!+3EY6& zh--&4hQooag!K`N@(v587se8X9{N}GhiJ{U1o*sYa7i>i5E)z!hX@{w77rqYZ{xgG@*W6s+QDW$g@o;`_uC z>SAf*=4$6)@8x0T>EP!2+co$W4mH}ZZ{gUuGH`Qr>{>hAWI_@FUIBiQ+m51Qy+p#p z$DzZv#CnP7Qalz-urw+O5++hG1RWFcy%rJ@84?i^88tf3Jx@0`XZS3ur8U~=OnQA- z9lsTy5R@NLlQo~PpqQwLs5MkTfLFxM&Q?g!#zs`w%hQfq6k?$8*xBld8$T~UqES9R zq}#%ludjloQT|OcHn(>go$TA#*+7M?MQyG4>=5-@30XmTZAAI3MQy~a5e*9S|MO;0 z$XD~h$fUPV1E6ERcR@T3E)p3TCGuY$$A$d~=53eKE*<7-_u2J8jEILO%*O!zDi!#L zQb>O&HNxfbTdCoykBCzGASOg9d|WUC5)R%85?Bem1pWc;1DAtSzyV+fupw9&?*xpE z(DxG_{6zW{G6_1oN`{md4Mhm_kA6F3QdAT^5Y)%h!^-CNx3u)O@^E!Qp-PYUI2go&LwCe9@zyKED@_N->=YfVls5~xtUFsqL z^z@nROfV7XztS!7f6}ji(yiM8j|^r*0>1#WA@rjH6FMTJBhe!T%h@?NLoK1Mo*usN zYFAnKnJWdMBj}%fmGlrDy#@(vj8}uGq!8~;FcUHsqUK;Zc)6=0qO2(<6X>rlm?S+$ z#X$z2AZ|hegD=4+wFIxWz(lyDi2rf0fAtDa7zs>?Cyc0&0}m_M8W{sA*h&IXBhB;9 z+uk59f&S)FO~O1Fbpsh=1HPO?MR@xG4N)Bke0kdn5%?0(#y9ZoXeJ=LZ2=o;1PKp{ z3&w81Qp6m^c!*AmI)f5{%!o9Sm{P#~ zkzXyOt9{FLp|cQy>ts4~`kT^hwT>bv4Em){;N4=3dhu^5p zN~iJFdzUi{ISn!rQ0WdxV@=Y_3;35f-1oxNB~WJzKeQb~U%|Ut+w1dB{@C~Kj3c;UIpOqwwP*j|HT)owCY)E)W9eY%9etr~4hJ@U!e 
z_055LBva2vQ|jbc?=?WEFtQ|g1efZuq{=nt==i337MP@mfmR{&0g zodGZ_EQGAex3Vs{hVbHqSu(FU!b|Zk-ZpqoG>8;G70^ngM`u_EFqjKDOE31Gyn?h~ z<8NerjCUVNesg-`KBrd9eH}oi$r8tvPpHm z(+92VFP{S}BqymmkI13e)mo2RISgBln=5`mELPi zRwgPXqu;-MLkpu}?K{I7cFD7~oZhdqhU`WQ#RO%81s5ESguk=A>mjmBm03pZm4e;B zgOHiwR%WgHUA#EqH|mo_s#8WSANRt8I9a>Va{INUNMEo(R^qiLt|gwfI6RIdybRnG zb<GE}! zo9{8w?AMduI*-$i@W!>5dpyhys!AJ%(A>};LNa`(I_lC5jne#zcj;JO_V4=evolDJ zDu}a?wFxRc;+k3Rydz=8nU5{PK-srXP>%OOcf3+gcNft8(wW4+yq=)CK(cNY7-7=0 zxP;w~9VJ<(Pf%|e+q0{HVI-g3J9K4`lVPe|yN7;TlKIEPHD=6t zO=fOJ;tBS={i1xIITi6j{i|5mpE~KofwLK)eL}rV8yMm`%QY$Xv z0we2*_$!Z*lC zKb58suas}!BdRbi!>HnW>$n;i9yk3_vYbj}=yf@v9+{q#^Ir|!^Dz$PR=7NsU z(84FnZEY^M%xEHzWYikuNm(5co3AGV(!ps2p*_X%C+_6+GHU=v51`O zn|AZOTb6n5O!70Tuh*Bt^=;rYzqN=}%c+Oy>cBN_c)IZ7S{61&Iu!tl85@#;xuYQ@ zxAVyg{EOs7@Y3=HnQ7NYtC*^o?s9DWaVq(*)sh=S?i?&so3iwVndbcTkH5T1chKr1 ztsnWs(ZUjaQqMS#djFwRFPEXF0jqEC3P{QU1y$+?r&nI&=p&~_YwwhZE1(m&SUnu} zM*3_uE>vK$JoA2cIG~NoozId~!zfv&B6_7puxh$Ib}O5^yPFasQG!k4{zv2e>r6Yu6xi!Dugi7(ci*MLy{s90W&<7ZlKRq1ea&tv3*}`?}uTo z5Vgro{*^QDE!eroq1_jGOVzC+dMRX#}~Rq{Qppw}HI z+8uejdVEIc90+(56HE=^x8l+!@)0yD{x8en#_^&$OFM%cdcICP~`(DU*pWkK6>d%iU(0 z!uW>d(bG8jOZA`HYNa*jEUabya`x2PU_%Ebd!^4ZOLdL!Vfu&#Y8YaHikOtd8|;Zs|>+aGj&K`tIq0Q=gc!-ilz*i?Iia z;K)S-#`pOTq; zN@5Z|#G&;$GcV}UOW$6}n2dRnWb=)qLG55nlZTGx!jMHVb z(Zbknqd`*q33g5W5zQx#B3AA8J&VQektiBG*pi0Lor#!AJ}o(K{Ys*8BA!R)9Tr}- zh9c&9woNScJLEMSuOxj!))>czj}k@H~4LaC$#6A#KC_K-p)ivqoV`Nzr0VHIOGs=X{CW$QR| zuHnSw@!ul_$a4=UPu7|^{koq?YG=JdK|4wA6eWs55k$^7p=)>iT+P^E(O541D zNrFuuSv_Ltth1(;w2l)ruC=O>p{OK!5<*|MQ1&%y+Oj{4_)`mz(L^~bR9;g_!re*a zrmR^Ee3jW#$=s)fJBw=kT5*Fgk?;y}Rj@Cyy6%Kv3ZrMCDWmKm2Y@gW6So1FJL#YJ z`d5KoqM`FIfnJa%F6CFCue*s~;OFC+zu5g1=nHQHy|`)FZU)=z+xW*slEKI1wPt*} z*=u)W{ErH75rMvPGKxVyzx+$|f(atf-)!Btvu~4X#DiDRPa#`!4FjKsH--qwen6{3 zA$QhG*?2TiV!jQgEzZbmzSD*L9_huI$QFf^cvGCeFNgjf>AgroEQt!T$NUZU;t~$G>c_T+MZ<@w||c~FTnSAZ*i8|rr-7dPqzOK>x-Gk!L8GBSVBa~KWj7FMK)Z}bglOpQ3Nr1)NV z|L0OD>fV`pQ4rJY?iud<-nbOZjpR4H0{<<(p5OBI@9_%!SNZz)cm@7Te5JM---SVl 
z5u)?_6<&c@Owgf%D`Y~wwIH=Lm8}NH0>*5^=&wfkcYNKT5q&Pq zRI{`#r}rCbW3Pq@()gWaP~O<1f8X34r6p{rpHOv@q8N*FT{yR3o^aEfJ-S(DMG zhkYqlz96h&>iogWyMCrLo*5o*{at_ddF)$c`pqR9NjY3VnaWkPFZXk&cTTS}O)Xc< z42K=|#oBrBqxB|Kt$TG=o9Jocv!CRbM6kYb9{V$w3{H3@S4nFuek7Tf)a*J zCX4JY*Y818RIj?r)&fG_Zm-=*k`C=AU|>$Nx3i~R3_#agnRZ|gS?6k$-TmMw8@R>A zVdF)c^+8ovyN|K_*%T@CHK61B;R_qczud%uLtfLRe@*fFLr#Q>du8ce!TvZHZp@CL zWwLyzZ#J_oqz9TdshhZFMdhSRR`Pt;0BoS!lsg!Z;2`))o+Xf`Vv49L>oFvSLN?DK z{e0~cg;EgYo42Vq-tZ;L!RHfYV~h;H%7-H13O@|7gkop{7lvz?p@4%#9+|^~wWH9Z zUfq`kdD9+;4$ack3E$c2ZgNFLUxv8GQZI(s6Y6O^Ex&m)$fi-tM&`@XI5;T#xp<7# z20nMWPBrHmPrNB}O}N1;zxru+;7O`y)K8x@Q8|CCVT_O%MPmO)sFU9;p83l}6&1AG zo1MCDYM(mMhtl;L8CC;wDdAR0{78C2ahwi>Bwwb%8KX~&q7|wo60q50Yi|UfNYrtf zKn*oaU}TH2Xt{fFH;uF|uI)%~c|}cN>I8^UPyTCC>G*4Fis7Ab2|yttY^yuF_{x(A zMsB)lVvrIms7)ciXQ8I8ibZO)A1FW}l}$9VB}l)a)&(RPGH}kNfB*0Zxnzum{fDCW zoOG3std<#)ob8_JUOz*u8CGS##RX!&udIELb{p@Noo4`&2&$;%Tk|EGnGGYu*Zof( zwQS%L=b4>OVG~z-An#l$E-bTRD}}Znt!ZngyJ?e#GC2qqcl6qHZ3derD4$=VRtl{U zubG>>J%9q)5aVilZP_ti|9Lxh30R>E~iUn#C9`>3w=P2;^j#5T1dAPf{s z07108+fv=F9la@GCD=}5%Y+~&n`N=LF~h`0vk<-qC-@AkrKee%(U`y%`^&ujHX$^` zit{s!?CDjxBAKf^$HyO$_Tv78zAYB_?0dvHYXge%!rtk9X&lh=3QZASXMijU#S1qP z`$iT#?T$Stf6fLXzHrUK7xs3g|=2WukP&+Wky(U##!`=a1@{Atg%aEHK4XlF?T#Df^ zAuvKg*INaD&Bm30p223c@g(UQg$`OeVa&L~gU0GLNyKI;WD2lnahL)aX0Vt1zi#QH zcl5nPsu{PvH$1kFUii5Jdc@u1Y!_Nw@lhfLZ<620mMVRYh*0G{`a6;yiF<0-U&wCg z+hZgilC#Ohl|1l)IGgJ>2I#Nv43cC9v_35hQ+R7M^LkDyE>WtNi5gPxStzI3ew7x_ z?&-fA`Kfl_1ZOZFTJN{*#3UO9lthfdc@quN-G1Q7{wjyrEf=_(p4!ik?sv8w8D3%INgm1l zc*bqV@^RgDZIIpWtM55?@5IcUJ1wUwOy-Sv0 zYIum3neP?zO%iZD{%JJod|n=fAHW)bEtM8yzfUFl`o#-oX&!q2sf?d>d% zXJOiVm7PId@)h4*m3sbm^u-&6du}y+h?Enj^yIP|k;6H|@yo2;LBwLr zxLaEBrDf^!+!XSfp?hVj^><-rxCk{Rf2sNBM4rtz^y2TrE|(~EseDSVPLB%eN&suJ z2lUs!Ugao*OB#v2W3lR#2)uGFVHRJT_=?TDOA15FCb0vB*z}?rSe@WsXW**jBLxV{k>xo`kQFUK2PIa0y@hIiy<#vp58$` zh5^`6XxtTYvuN--7CG72+%8t_2H&{ba8;##Gi!62mYZ9O9+hUSF-)BB~F z=uyi-;Z6?~pxs32ZFBV!uCJ(vCkHj*qh@nc!Hr>d0VQ``#{w?0Qge0tQL3es`eMtW 
zBIEYQ#;7$WyuR;9wkB*CNyqAnHehxI|@kztJs#zscd z+|*+ioIaYOSTOV1oN7j!YTJ`!MdOUuC5ni&i0>?iC*O+|U5|4Vs7CJ#m>~{AVZ_V; zFM6#)&ZjR$5JV-|N9UZY)dG1{YJ?6bv87KSQ-wNZ3dfPUdM?UcBNB7bs z4?bn^XTk!M!J+pT3CJVphm;T-8opgCAnFoyOqQ=ErK+G@{X#YB9}eRQz?rdSKjji= zH%PZ0-!vS0tg})o&t1JpT2{_ec3ha^2XT&3eo$K*fsdHVW(wO7eYwZIN?v}WNBoM< z_8rR5?vbfQcGKON8Bf|zb#A>|dn5WWay}8(GKv7+4RdZ9TVXYh%4FUJ*ToG%(L#IT60RW;Cjj)A=(#+dwv(w7|1-d zO2%N9T#XK2Je>DV$2MNeTXRc}`5>Mh^SnE=n4)eg@hR+m(38Fkid`tHYmQ#Kh*qhs zE{hu}Y1L`)*CJD8mw7^}$qZXZZic|NjmBIcWZx{=nbkpDUTjXoGbdUB;M=;p#Q3x5r?>lNvfE zwR|}=VH!$h@H|X#aEaBYoS=wqf7`E?W9Q9awA2&i=7X z(Q)41XBaby)%?A$ItXM;)Iu}hu^nQlo49=nJ%o!zZ>0g^`0G8_s56>f34HV$PCLT+ z(a2Sj4Z-^yM++qELr>a;*?(AW0Wr?|?puwr>r1b#Z0*g6q2fAk6JY@d%{>D~CN!HE z<;uxs*GMaym02)JdIY-yZU^)~p?}RE>8}m^0sp8$_oYBg$?6tqty3ryPM`T_Qv#AW z=(p#NgI}Z6^A zEI$wviP0o8$hd|7W(ZU1X%ZJHBG0EUiuO4W#a}SR<#S%l?%5o<6yQOmCzj6Y*DO%P z=Jt7K{f&`5G-cm_H_dR6R>Zh8e)_P`tYC1a_s}l(8!sCVTyyb*~`K~^sJYa z#FxP=Jzhf1rUh)4ioofl_sgP)Gy0_@4IbcdxA+B2i0&WIKPjofHUbe4obf5NR^4p| zeEVM#mzLg)XpWcC{RRHPNHv4D9})0ZE=+B+Iil`ywhAq-{3ydkU2Ic@NR_^2Wr`2w z_Th~7wn)0_x_51U0I==_Srwq-7Ak-7I$s+cU!N0Snyi@rni*$GhG$;g!1>lcjR7N8 zO}vzHOEVmDVKCs_BYvJVY79uWtqeAJ|7;}}sBVNpg_+Hh%&IR;3JldUG+P0X=azD~NJ zogkc?Qj{g5@}Yu#{mDgoOaJvjcCxST$IQRc-ynQdwU+RL;!pGsTsyyo|Gm1al4Y10 z?LUCO!(YLF{BPh7{1yG3Zs~vd2l{XSBlJmJHctrC?&d$M&&ym#*-BR z#(6^`8VLBmF8fsGW#PtR59S+CgfPNOq7EWxC(;5$jpCOh**%w&v*V}6k`cBOAoa4i z0qimK!u3VdsO>Fyn%b9Aat1?0VnI;5q_-> z;|U^qW3SydN6;e1fG2aj`v!Hl^{a3~Y}MON8(Ydobo)8U7jm zLcic|@EiPrTlz=;k^V`y^nbHePXRNd`Fr~BVC7@_WH$T+%?_n8ycH7En>DD$F2lc( zZb7S7`yKwwzrnwO#TWVu{_=l@Kf(s_vI=Sn>gt!2*PtSx*x>*M8bja+IWu4KTu)|q zoT@gUmy%f6Wp-he1)vy_>^S!oBN2Cp98kFx!-+(i8nA-t~O78Xp z${x&>vVG1pdB9l@iQ`&d+okWW(_JY1Fs*o|F(j(I(=Lei2Nw>!!X3F!+6b*4pYA#YGGQzTR{SZm&u2@YbbTir zGn++VOa)Kij&7|L-l34%J<^sJfI`-4TR6gQ@}^zuylOB+@TI$!f}8JN%W#-M6Wf{T zSL<4B`{P6(BCil(sc~%`^2d8dmLaXX-QV=LPYczO4U`V;K>oCko;5??#G1lF#C=i` zY5u&07EYKR6=L}QI~N+@@FyD@`X6m*FVTOup-unnKil(1pR?)zvkmPf!iJW9YeS>+ 
zoTb>B4k1BIUbQ|N-haaSm@&yUcos92nKYAx=d*u+RN8T2iIaXsS)R!Qh`FGHN04ld z?!=&-d*s3JJ;B5uDjz^VEOf{Jabk95T$u_Fy(#MrQGKh3zVp6`28Tnb0)uE?QXp}$ zLJ*5@iSK={?{dFfXphGHR%n`MS~K?`FXMezTQJ4wKDBr9+f>es95LH*B5#Q%cq~L6 zZB@aI*k0fCU!joaUkmk-Og$<%2zR2vAPa1d3F9Dh^tvqICO1Br>4X&E#(A%e$Se%mrg>FcxfAvnQ=eo$KV|5-AE=NghifJ?fH?|xAYJ;{m!~o z6qOuw?n*Xo5%;AV4E(|?Co^+(ea0w5Grgts$E|%#EBFnLHnqAV$)?=%O{3)mrSpk1J+a$N%SpNCOsmv;I-wDot5I*nRiHJe zbkdl^GRYtsizCy?565VLKY76gCy*Nz>pQh=6`R$#5&P!UTiMTa-ADYqaU63q76kye z!rO9`Dh542HH~i>G?{R>6S^>xdu&BG_E^0#b~g{%``tv<((%J^AVwRIVXr!ZNs}Xl z{MRNGm0COfoNN5J!+R*-(vz=p`n>`Lk zSCN%RWZe@}DSnxAkV#hBiQbk8Gr86;ol>2iOC%;;kiOPbPc$R&4cx>$9U*)aBdw;y zG->d%`Ybrb77Z2U2?vz!`KYRSPyDkf_kP-|;(Ij$OBiW*A#dm>aoiew6W5V?cuY5d zFuxv+d3LVHaKo|%VNP^=Z0YVe18Nb(>Yt2Tfi~73zLq;)kd4;0`<<(DWIpo6poA%5 zsP~q{&}b(_YDZw7>O;@?)MMM`-enQ~X~5n4G0X$^ z)`WKdmkAB!=LcV9dR5_AV`=5BUf>~7KBmn|QC4Me!f_Ej!vo)hZbqIGC)|&L7Oz(r zNQ_gWB}p>9-dHfa33)Tx&6o@eh_LAsMYA)BoRg_u+U9tWN>=7_#7bkj;qY$Z`pb1Z zZ9Fg)1m!pvA-8MxfwPn0@t>cg#WfAdB7Eyeh~q7uR-O!8bPRS59#A_spIUuR9S|J* z`w5)jz%wfp7JRnbXWdPBDd{VI)K-8&k7(nxHQy4)Opj2mO5GLH}IH?x<uDf+$k;2|;fE@~#C!Q1qW~KvX3tASxuxEB0G8o6x+sFd`5R_Mh+grww({ zfL#COU5JJ#Q|)R0aF>uM;*^dkzlbQ`Z>=>A?WcaH1rgWEaa#Y6i>?Y478J0t78SL! 
z60s2!wh<5&{Yz1It##hZbHtzu2- zxIvl(AWhTsGS$2}wrMm{jo1Na4(9p3>#CIU9Db-Oxk3{1Ge$CHQYqK6^U5W({job} zBXfHnHmRl692Y)ApV47Qeyc@S!L6eyUv33<$&SaKOYv1vR~c}WG~5%CN7>$?PqI7+ zeA1i+iLiU?=nK*VYgYs_+@6(Dz3t}0Z8yU#p+_d&C1X zMxP`= \'2015-11-18\'', event, event_data, None, event_tag, True) + 'timestamp >= \'2015-11-18\'', event, event_data, None, None, + event_tag, True) self._CheckIfExpressionMatches( - 'timestamp < \'2015-11-19\'', event, event_data, None, event_tag, True) + 'timestamp < \'2015-11-19\'', event, event_data, None, None, + event_tag, True) expression = ( 'timestamp < \'2015-11-18T01:15:44.341\' and ' 'timestamp > \'2015-11-18 01:15:42\'') self._CheckIfExpressionMatches( - expression, event, event_data, None, event_tag, True) + expression, event, event_data, None, None, event_tag, True) self._CheckIfExpressionMatches( - 'timestamp > \'2015-11-19\'', event, event_data, None, event_tag, False) + 'timestamp > \'2015-11-19\'', event, event_data, None, None, + event_tag, False) # Perform few attribute tests. self._CheckIfExpressionMatches( - 'filename not contains \'sometext\'', event, event_data, None, + 'filename not contains \'sometext\'', event, event_data, None, None, event_tag, True) expression = ( @@ -422,16 +427,16 @@ def testParseWithEvents(self): 'AND timestamp < \'2015-11-25 12:56:21\'') self._CheckIfExpressionMatches( - expression, event, event_data, None, event_tag, True) + expression, event, event_data, None, None, event_tag, True) self._CheckIfExpressionMatches( - 'tag contains \'browser_search\'', event, event_data, None, event_tag, - True) + 'tag contains \'browser_search\'', event, event_data, None, None, + event_tag, True) # Test multiple attributes. self._CheckIfExpressionMatches( 'text iregexp \'bad, bad thing [a-zA-Z\\\\s.]+ evil\'', event, - event_data, None, event_tag, True) + event_data, None, None, event_tag, True) if __name__ == "__main__": diff --git a/tests/filters/filters.py b/tests/filters/filters.py index 22ad1d337c..c77c0ff401 100644 
--- a/tests/filters/filters.py +++ b/tests/filters/filters.py @@ -1,4 +1,4 @@ -#!/usr/bin/env python3 + # -*- coding: utf-8 -*- """Tests for the event filter expression parser filter classes.""" @@ -15,13 +15,15 @@ class FalseFilter(filters.Operator): """A filter which always evaluates to False for testing.""" - def Matches(self, event, event_data, event_data_stream, event_tag): + def Matches( + self, event, event_data, event_data_stream, event_values, event_tag): """Determines if the event, data and tag match the filter. Args: event (EventObject): event to compare against the filter. event_data (EventData): event data to compare against the filter. event_data_stream (EventDataStream): event data stream. + event_values (AttributeContainer): event values attribute container. event_tag (EventTag): event tag to compare against the filter. Returns: @@ -33,13 +35,15 @@ def Matches(self, event, event_data, event_data_stream, event_tag): class TrueFilter(filters.Operator): """A filter which always evaluates to True for testing.""" - def Matches(self, event, event_data, event_data_stream, event_tag): + def Matches( + self, event, event_data, event_data_stream, event_values, event_tag): """Determines if the event, data and tag match the filter. Args: event (EventObject): event to compare against the filter. event_data (EventData): event data to compare against the filter. event_data_stream (EventDataStream): event data stream. + event_values (AttributeContainer): event values attribute container. event_tag (EventTag): event tag to compare against the filter. Returns: 
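Review bot: The first hunk replaces the `#!/usr/bin/env python3` shebang with an empty line instead of deleting it, which leaves a blank first line above the `# -*- coding: utf-8 -*-` header. If the intent is that this test module is no longer run as a script, remove the line entirely; a trailing `if __name__ == '__main__'` guard, if the file still has one below the visible hunks, would then be dead as well. The hunks shown for tests/filters/event_filter.py start far into that file, so whether it receives the same treatment cannot be seen from this patch and the two modules may end up inconsistent.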
@@ -98,13 +102,13 @@ def testMatches(self): filter_object = filters.AndFilter(arguments=[ true_filter_object, true_filter_object]) - result = filter_object.Matches(event, event_data, None, None) + result = filter_object.Matches(event, event_data, None, None, None) self.assertTrue(result) filter_object = filters.AndFilter(arguments=[ false_filter_object, true_filter_object]) - result = filter_object.Matches(event, event_data, None, None) + result = filter_object.Matches(event, event_data, None, None, None) self.assertFalse(result) @@ -128,13 +132,13 @@ def testMatches(self): filter_object = filters.OrFilter(arguments=[ false_filter_object, true_filter_object]) - result = filter_object.Matches(event, event_data, None, None) + result = filter_object.Matches(event, event_data, None, None, None) self.assertTrue(result) filter_object = filters.OrFilter(arguments=[ false_filter_object, false_filter_object]) - result = filter_object.Matches(event, event_data, None, None) + result = filter_object.Matches(event, event_data, None, None, None) self.assertFalse(result) @@ -154,7 +158,7 @@ def testMatches(self): filter_object = filters.IdentityFilter() - result = filter_object.Matches(event, event_data, None, None) + result = filter_object.Matches(event, event_data, None, None, None) self.assertTrue(result) 
@@ -194,16 +198,16 @@ def testGetValue(self): filter_object = filters.GenericBinaryOperator(arguments=['test_value', 1]) test_value = filter_object._GetValue( - 'test_value', event, event_data, None, event_tag) + 'test_value', event, event_data, None, None, event_tag) self.assertEqual(test_value, 1) test_value = filter_object._GetValue( - 'timestamp', event, event_data, None, event_tag) + 'timestamp', event, event_data, None, None, event_tag) self.assertIsNotNone(test_value) self.assertEqual(test_value.timestamp, 5134324321) test_value = filter_object._GetValue( - 'tag', event, event_data, None, event_tag) + 'tag', event, event_data, None, None, event_tag) self.assertEqual(test_value, ['browser_search']) # TODO: add tests for FlipBool function diff --git a/tests/multi_process/analysis_process.py b/tests/multi_process/analysis_process.py index b8a7897166..ddcb327bda 100644 --- a/tests/multi_process/analysis_process.py +++ b/tests/multi_process/analysis_process.py 
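Review bot: The `_GetValue` test gains the new `event_values` positional argument but passes `None` for it in all three calls, so the lookup path that reads an attribute from the event values container (which the patch's change to plaso/filters/filters.py presumably adds; that implementation is not in view here) has no coverage. Add one case that builds an attribute container with a distinct attribute, passes it in that position, and asserts the value comes back, e.g. `test_value = filter_object._GetValue('my_attribute', event, event_data, None, event_values, event_tag)` followed by `self.assertEqual(test_value, 'my_value')`. A companion case checking an attribute present on both `event_data` and `event_values` would pin which source wins, if the filter defines a precedence.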
@@ -21,30 +21,35 @@ class TestAnalysisPlugin(analysis_interface.AnalysisPlugin): NAME = 'test_plugin' - # pylint: disable=arguments-renamed - # pylint: disable=unused-argument - def CompileReport(self, mediator): + # pylint: disable=redundant-returns-doc,unused-argument + + def CompileReport(self, analysis_mediator): """Compiles a report of the analysis. - After the plugin has received every copy of an event to - analyze this function will be called so that the report - can be assembled. + After the plugin has received every copy of an event to analyze this + function will be called so that the report can be assembled. Args: - mediator (AnalysisMediator): mediates interactions between - analysis plugins and other components, such as storage and dfvfs. + analysis_mediator (AnalysisMediator): mediates interactions between + analysis plugins and other components, such as storage and dfVFS. + + Returns: + AnalysisReport: report. """ - return + return None - def ExamineEvent(self, mediator, event, event_data, event_data_stream): + def ExamineEvent( + self, analysis_mediator, event, event_data, event_data_stream, + event_values): """Analyzes an event. Args: - mediator (AnalysisMediator): mediates interactions between analysis - plugins and other components, such as storage and dfvfs. + analysis_mediator (AnalysisMediator): mediates interactions between + analysis plugins and other components, such as storage and dfVFS. event (EventObject): event. event_data (EventData): event data. event_data_stream (EventDataStream): event data stream. + event_values (AttributeContainer): event values attribute container. """ return diff --git a/tests/multi_process/output_engine.py b/tests/multi_process/output_engine.py index 0977a5a35f..77ae8b0a49 100644 --- a/tests/multi_process/output_engine.py +++ b/tests/multi_process/output_engine.py 
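Review bot: `CompileReport` now documents `Returns: AnalysisReport: report.` while its body is `return None`, and the added `# pylint: disable=redundant-returns-doc` only silences the linter's objection to that mismatch rather than resolving it. Since this is a test stub that deliberately produces no report, say so in the docstring, e.g. `Returns: AnalysisReport: report, always None for this test plugin.`, so a reader does not go looking for a report that is never built. `ExamineEvent` likewise ends in a bare `return` that does nothing; either drop it or state in the docstring that the method is intentionally a no-op. Whether the base class's parameter is itself named `analysis_mediator` (implied by dropping the `arguments-renamed` disable) cannot be confirmed from this patch.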
@@ -339,7 +339,7 @@ def testExportEvents(self): 'Log File,' '[---] last message repeated 5 times ---,' 'text/syslog_traditional,' - 'OS:/tmp/test/test_data/syslog,' + 'OS:/tmp/test/test_data/syslog/syslog,' 'repeated') self.assertEqual(lines[14], expected_line) diff --git a/tests/parsers/custom_destinations.py b/tests/parsers/custom_destinations.py index 868bcf7152..df6ace5b24 100644 --- a/tests/parsers/custom_destinations.py +++ b/tests/parsers/custom_destinations.py @@ -19,6 +19,10 @@ def testParse(self): ['custom_destinations', '5afe4de1b92fc382.customDestinations-ms'], parser) + number_of_containers = storage_writer.GetNumberOfAttributeContainers( + 'windows_shortcut') + self.assertEqual(number_of_containers, 9) + number_of_event_data = storage_writer.GetNumberOfAttributeContainers( 'event_data') self.assertEqual(number_of_event_data, 45) @@ -38,11 +42,11 @@ def testParse(self): '{DE3895CB-077B-4C38-B6E3-F3DE1E0D84FC} %systemroot%\\\\' 'system32\\\\control.exe /name Microsoft.Display'), 'creation_time': '2009-07-13T23:55:56.2481035+00:00', - 'data_type': 'windows:lnk:link', 'description': '@%systemroot%\\\\system32\\\\oobefldr.dll,-1262', 'drive_serial_number': 0x24ba718b, 'drive_type': 3, - 'env_var_location': '%SystemRoot%\\\\system32\\\\GettingStarted.exe', + 'environment_variables_location': ( + '%SystemRoot%\\\\system32\\\\GettingStarted.exe'), 'file_attribute_flags': 0x00000020, 'file_size': 11776, 'icon_location': '%systemroot%\\\\system32\\\\display.dll', 
@@ -51,11 +55,18 @@ def testParse(self): 'local_path': 'C:\\\\Windows\\\\System32\\\\GettingStarted.exe', 'modification_time': '2009-07-14T01:39:11.3880000+00:00'} + event_values = storage_writer.GetAttributeContainerByIndex( + 'windows_shortcut', 8) + self.CheckEventValues(event_values, expected_event_values) + + expected_event_data = { + 'data_type': 'windows:lnk:link'} + event_data = storage_writer.GetAttributeContainerByIndex('event_data', 43) - self.CheckEventData(event_data, expected_event_values) + self.CheckEventData(event_data, expected_event_data) # Test distributed link tracking event data. - expected_event_values = { + expected_event_data = { 'creation_time': '2010-11-10T19:08:32.6562596+00:00', 'data_type': 'windows:distributed_link_tracking:creation', 'mac_address': '00:0c:29:03:1e:1e', @@ -63,10 +74,10 @@ def testParse(self): 'uuid': 'e9215b24-ecfd-11df-a81c-000c29031e1e'} event_data = storage_writer.GetAttributeContainerByIndex('event_data', 4) - self.CheckEventData(event_data, expected_event_values) + self.CheckEventData(event_data, expected_event_data) # Test shell item event data. - expected_event_values = { + expected_event_data = { 'access_time': '2010-11-10T07:41:04+00:00', 'creation_time': '2009-07-14T03:20:12+00:00', 'data_type': 'windows:shell_item:file_entry', @@ -78,7 +89,7 @@ def testParse(self): 'shell_item_path': ' C:\\\\Windows\\\\System32'} event_data = storage_writer.GetAttributeContainerByIndex('event_data', 41) - self.CheckEventData(event_data, expected_event_values) + self.CheckEventData(event_data, expected_event_data) def testParseWithEmpty(self): """Tests the Parse function with an empty jump list.""" 
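Review bot: The shortcut check now reads the `windows_shortcut` container at index 8 and the `event_data` container at index 43 independently, so nothing asserts that the event data at 43 is the one that references that shortcut; before this change both were verified through one expected dictionary, and the split leaves the `event_data` check asserting only `data_type`. If event data carries the identifier of its event values container (the windows_version.py hunk at the end of this patch lists an `_event_values_identifier` attribute), add an assertion tying the two, at minimum `self.assertIsNotNone(getattr(event_data, '_event_values_identifier', None))`, or better compare it with the identifier of `event_values` using whatever accessor the container offers. The same pattern appears in the testParseWithComplex hunk of this file and in the corresponding hunks of tests/parsers/olecf_plugins/automatic_destinations.py and tests/parsers/winlnk.py. testParse starts outside the hunk.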
@@ -87,6 +98,10 @@ def testParseWithEmpty(self): ['custom_destinations', 'c98dce577f884ef8.customDestinations-ms'], parser) + number_of_containers = storage_writer.GetNumberOfAttributeContainers( + 'windows_shortcut') + self.assertEqual(number_of_containers, 0) + number_of_event_data = storage_writer.GetNumberOfAttributeContainers( 'event_data') self.assertEqual(number_of_event_data, 0) @@ -106,6 +121,10 @@ def testParseWithComplex(self): ['custom_destinations', '368d807282ccde9d.customDestinations-ms'], parser) + number_of_containers = storage_writer.GetNumberOfAttributeContainers( + 'windows_shortcut') + self.assertEqual(number_of_containers, 3) + number_of_event_data = storage_writer.GetNumberOfAttributeContainers( 'event_data') self.assertEqual(number_of_event_data, 9) @@ -118,7 +137,7 @@ def testParseWithComplex(self): 'recovery_warning') self.assertEqual(number_of_warnings, 0) - expected_event_values = { + expected_event_data = { 'access_time': '2024-01-16T06:12:42+00:00', 'creation_time': '2023-07-12T18:11:20+00:00', 'data_type': 'windows:shell_item:file_entry', @@ -130,17 +149,16 @@ def testParseWithComplex(self): 'shell_item_path': ' C:\\\\test'} event_data = storage_writer.GetAttributeContainerByIndex('event_data', 0) - self.CheckEventData(event_data, expected_event_values) + self.CheckEventData(event_data, expected_event_data) expected_event_values = { 'access_time': '2024-01-16T06:12:41.2400523+00:00', 'command_line_arguments': 'My Arguments', 'creation_time': '2023-07-12T18:11:18.2749654+00:00', - 'data_type': 'windows:lnk:link', 'description': None, 'drive_serial_number': 0x2ca3d1ae, 'drive_type': 3, - 'env_var_location': None, + 'environment_variables_location': None, 'file_attribute_flags': 0x00000010, 'file_size': 4096, 'icon_location': 'My Icon', 
@@ -148,10 +166,17 @@ def testParseWithComplex(self): 'local_path': 'C:\\\\test', 'modification_time': '2023-07-14T04:04:00.3349887+00:00'} + event_values = storage_writer.GetAttributeContainerByIndex( + 'windows_shortcut', 0) + self.CheckEventValues(event_values, expected_event_values) + + expected_event_data = { + 'data_type': 'windows:lnk:link'} + event_data = storage_writer.GetAttributeContainerByIndex('event_data', 1) - self.CheckEventData(event_data, expected_event_values) + self.CheckEventData(event_data, expected_event_data) - expected_event_values = { + expected_event_data = { 'creation_time': '2023-07-12T18:06:36.6282931+00:00', 'data_type': 'windows:distributed_link_tracking:creation', 'mac_address': '52:54:00:ee:b6:05', @@ -159,7 +184,7 @@ def testParseWithComplex(self): 'uuid': 'd78dbcb3-20de-11ee-a2f8-525400eeb605'} event_data = storage_writer.GetAttributeContainerByIndex('event_data', 2) - self.CheckEventData(event_data, expected_event_values) + self.CheckEventData(event_data, expected_event_data) if __name__ == '__main__': diff --git a/tests/parsers/olecf_plugins/automatic_destinations.py b/tests/parsers/olecf_plugins/automatic_destinations.py index d00b99048b..7b7f4b2970 100644 --- a/tests/parsers/olecf_plugins/automatic_destinations.py +++ b/tests/parsers/olecf_plugins/automatic_destinations.py @@ -24,6 +24,10 @@ def testProcessVersion1(self): # windows:lnk:link 33 # windows:distributed_link_tracking:creation: 44 + number_of_containers = storage_writer.GetNumberOfAttributeContainers( + 'windows_shortcut') + self.assertEqual(number_of_containers, 11) + number_of_event_data = storage_writer.GetNumberOfAttributeContainers( 'event_data') self.assertEqual(number_of_event_data, 55) 
@@ -37,7 +41,7 @@ def testProcessVersion1(self): self.assertEqual(number_of_warnings, 0) # Check a AutomaticDestinationsDestListEntryEvent. - expected_event_values = { + expected_event_data = { 'birth_droid_file_identifier': '{63eea867-7b85-11e1-8950-005056a50b40}', 'birth_droid_volume_identifier': ( '{cf6619c2-66a8-44a6-8849-1582fcd3a338}'), @@ -52,13 +56,12 @@ def testProcessVersion1(self): 'pin_status': -1} event_data = storage_writer.GetAttributeContainerByIndex('event_data', 4) - self.CheckEventData(event_data, expected_event_values) + self.CheckEventData(event_data, expected_event_data) # Check a WinLnkLinkEvent. expected_event_values = { 'access_time': '2010-11-10T07:51:23.1085000+00:00', 'creation_time': '2010-11-10T07:51:16.7491250+00:00', - 'data_type': 'windows:lnk:link', 'drive_serial_number': 0x24ba718b, 'drive_type': 3, 'file_attribute_flags': 0x00002020, @@ -69,11 +72,18 @@ def testProcessVersion1(self): 'Windows\\\\Libraries\\\\Documents.library-ms'), 'modification_time': '2010-11-10T07:51:23.1085000+00:00'} + event_values = storage_writer.GetAttributeContainerByIndex( + 'windows_shortcut', 0) + self.CheckEventValues(event_values, expected_event_values) + + expected_event_data = { + 'data_type': 'windows:lnk:link'} + event_data = storage_writer.GetAttributeContainerByIndex('event_data', 0) - self.CheckEventData(event_data, expected_event_values) + self.CheckEventData(event_data, expected_event_data) # Check a WindowsDistributedLinkTrackingCreationEvent. - expected_event_values = { + expected_event_data = { 'creation_time': '2012-03-31T23:01:03.5277415+00:00', 'data_type': 'windows:distributed_link_tracking:creation', 'mac_address': '00:50:56:a5:0b:40', 
@@ -81,7 +91,7 @@ def testProcessVersion1(self): 'uuid': '63eea867-7b85-11e1-8950-005056a50b40'} event_data = storage_writer.GetAttributeContainerByIndex('event_data', 3) - self.CheckEventData(event_data, expected_event_values) + self.CheckEventData(event_data, expected_event_data) def testProcessVersion3(self): """Tests the Process function on version 3 .automaticDestinations-ms.""" @@ -94,6 +104,10 @@ def testProcessVersion3(self): # olecf:dest_list:entry: 2 # windows:lnk:link 2 + number_of_containers = storage_writer.GetNumberOfAttributeContainers( + 'windows_shortcut') + self.assertEqual(number_of_containers, 2) + number_of_event_data = storage_writer.GetNumberOfAttributeContainers( 'event_data') self.assertEqual(number_of_event_data, 4) @@ -107,7 +121,7 @@ def testProcessVersion3(self): self.assertEqual(number_of_warnings, 0) # Check a AutomaticDestinationsDestListEntryEvent. - expected_event_values = { + expected_event_data = { 'birth_droid_file_identifier': '{00000000-0000-0000-0000-000000000000}', 'birth_droid_volume_identifier': ( '{00000000-0000-0000-0000-000000000000}'), @@ -122,13 +136,12 @@ def testProcessVersion3(self): 'pin_status': -1} event_data = storage_writer.GetAttributeContainerByIndex('event_data', 1) - self.CheckEventData(event_data, expected_event_values) + self.CheckEventData(event_data, expected_event_data) # Check a WinLnkLinkEvent. expected_event_values = { 'access_time': None, 'creation_time': None, - 'data_type': 'windows:lnk:link', 'drive_serial_number': None, 'drive_type': None, 'file_attribute_flags': 0, 
@@ -137,8 +150,15 @@ def testProcessVersion3(self): 'local_path': None, 'modification_time': None} + event_values = storage_writer.GetAttributeContainerByIndex( + 'windows_shortcut', 0) + self.CheckEventValues(event_values, expected_event_values) + + expected_event_data = { + 'data_type': 'windows:lnk:link'} + event_data = storage_writer.GetAttributeContainerByIndex('event_data', 0) - self.CheckEventData(event_data, expected_event_values) + self.CheckEventData(event_data, expected_event_data) if __name__ == '__main__': diff --git a/tests/parsers/test_lib.py b/tests/parsers/test_lib.py index 1e2afe8963..6eb1109adf 100644 --- a/tests/parsers/test_lib.py +++ b/tests/parsers/test_lib.py 
@@ -177,38 +177,29 @@ def CheckEventData(self, event_data, expected_event_values): 'event value: "{0:s}" does not match expected value').format(name) self.assertEqual(value, expected_value, error_message) - def CheckEventValues(self, storage_writer, event, expected_event_values): - """Asserts that an event and its event data matches the expected values. + def CheckEventValues(self, event_values, expected_event_values): + """Asserts that event values matches the expected values. Args: - storage_writer (StorageWriter): storage writer. - event (EventObject): event to check. + event_values (acstore.AttributeContainer): event values attribute + container to check. expected_event_values (dict[str, list[str]): expected values of the event - and event data attribute values per name. + data attribute values per name. """ - event_data = None for name, expected_value in expected_event_values.items(): - if name == 'timestamp' and isinstance(expected_value, str): - posix_time = dfdatetime_posix_time.PosixTimeInMicroseconds( - timestamp=event.timestamp) - value = posix_time.CopyToDateTimeString() - - elif name in ('date_time', 'timestamp', 'timestamp_desc'): - value = getattr(event, name, None) - - else: - if not event_data: - event_data = self._GetEventDataOfEvent(storage_writer, event) - - value = getattr(event_data, name, None) - - if name == 'date_time' and value and isinstance(expected_value, str): + value = getattr(event_values, name, None) + if isinstance(value, dfdatetime_interface.DateTimeValues): date_time_value = value.CopyToDateTimeStringISO8601() if not date_time_value: # Call CopyToDateTimeString to support semantic date time values. 
date_time_value = value.CopyToDateTimeString() value = date_time_value + elif isinstance(value, list) and value and isinstance( + value[0], dfdatetime_interface.DateTimeValues): + value = [date_time_value.CopyToDateTimeStringISO8601() + for date_time_value in value] + error_message = ( 'event value: "{0:s}" does not match expected value').format(name) self.assertEqual(value, expected_value, error_message) diff --git a/tests/parsers/winlnk.py b/tests/parsers/winlnk.py index d2d4d15f9d..0b8cae65c8 100644 --- a/tests/parsers/winlnk.py +++ b/tests/parsers/winlnk.py @@ -15,7 +15,7 @@ class WinLnkParserTest(test_lib.ParserTestCase): def testParse(self): """Tests the Parse function.""" parser = winlnk.WinLnkParser() - storage_writer = self._ParseFile(['example.lnk'], parser) + storage_writer = self._ParseFile(['winlnk', 'example.lnk'], parser) # Link information: # Creation time : Jul 13, 2009 23:29:02.849131000 UTC @@ -27,6 +27,10 @@ def testParse(self): # Icon location : %windir%\system32\migwiz\migwiz.exe # Environment variables location : %windir%\system32\migwiz\migwiz.exe + number_of_containers = storage_writer.GetNumberOfAttributeContainers( + 'windows_shortcut') + self.assertEqual(number_of_containers, 1) + number_of_event_data = storage_writer.GetNumberOfAttributeContainers( 'event_data') self.assertEqual(number_of_event_data, 2) @@ -42,10 +46,10 @@ def testParse(self): # Test shortcut event data. expected_event_values = { 'access_time': '2009-07-13T23:29:02.8491310+00:00', - 'data_type': 'windows:lnk:link', 'description': '@%windir%\\\\system32\\\\migwiz\\\\wet.dll,-590', 'creation_time': '2009-07-13T23:29:02.8491310+00:00', - 'env_var_location': '%windir%\\\\system32\\\\migwiz\\\\migwiz.exe', + 'environment_variables_location': ( + '%windir%\\\\system32\\\\migwiz\\\\migwiz.exe'), 'file_attribute_flags': 0x00000020, 'file_size': 544768, 'icon_location': '%windir%\\\\system32\\\\migwiz\\\\migwiz.exe', 
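Review bot: The new list branch of CheckEventValues converts each element with `CopyToDateTimeStringISO8601()` only, without the `CopyToDateTimeString()` fallback that the scalar branch directly above applies for semantic date time values, so a list holding such a value compares as `[None, ...]` and fails with a misleading message; factor the conversion into one helper used by both branches (below). Independently, `value = getattr(event_values, name, None)` means a misspelled or removed attribute name compares equal to an expected `None` and passes vacuously, which matters for this patch because several renamed keys such as `'environment_variables_location': None` in tests/parsers/custom_destinations.py would pass even if the rename were wrong; consider asserting `hasattr(event_values, name)` first, or reading with a private sentinel default. The docstring also reads `Asserts that event values matches the expected values.` and keeps the unbalanced type `dict[str, list[str]`; suggest `Asserts that event values match the expected values.` and `dict[str, list[str]]`. The hunk opens inside CheckEventData, whose definition starts outside the hunk.
```python
  def _CopyDateTimeValueToString(self, date_time_value):
    """Copies a date time value to an ISO 8601 string or its semantic string."""
    date_time_string = date_time_value.CopyToDateTimeStringISO8601()
    if not date_time_string:
      # Call CopyToDateTimeString to support semantic date time values.
      date_time_string = date_time_value.CopyToDateTimeString()
    return date_time_string

  def CheckEventValues(self, event_values, expected_event_values):
    # … unchanged: docstring and loop head …
      if isinstance(value, dfdatetime_interface.DateTimeValues):
        value = self._CopyDateTimeValueToString(value)

      elif isinstance(value, list) and value and isinstance(
          value[0], dfdatetime_interface.DateTimeValues):
        value = [self._CopyDateTimeValueToString(date_time_value)
                 for date_time_value in value]

      # … unchanged: error_message and assertEqual …
```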
@@ -53,23 +57,34 @@ def testParse(self): 'relative_path': '.\\\\migwiz\\\\migwiz.exe', 'working_directory': '%windir%\\\\system32\\\\migwiz'} + event_values = storage_writer.GetAttributeContainerByIndex( + 'windows_shortcut', 0) + self.CheckEventValues(event_values, expected_event_values) + + expected_event_data = { + 'data_type': 'windows:lnk:link'} + event_data = storage_writer.GetAttributeContainerByIndex('event_data', 0) - self.CheckEventData(event_data, expected_event_values) + self.CheckEventData(event_data, expected_event_data) # Test distributed link tracking event data. - expected_event_values = { + expected_event_data = { 'creation_time': '2009-07-14T05:45:20.5000123+00:00', 'data_type': 'windows:distributed_link_tracking:creation', 'mac_address': '00:1d:09:fa:5a:1c', 'uuid': '846ee3bb-7039-11de-9d20-001d09fa5a1c'} event_data = storage_writer.GetAttributeContainerByIndex('event_data', 1) - self.CheckEventData(event_data, expected_event_values) + self.CheckEventData(event_data, expected_event_data) def testParseLinkTargetIdentifier(self): """Tests the Parse function on an LNK with a link target identifier.""" parser = winlnk.WinLnkParser() - storage_writer = self._ParseFile(['NeroInfoTool.lnk'], parser) + storage_writer = self._ParseFile(['winlnk', 'NeroInfoTool.lnk'], parser) + + number_of_containers = storage_writer.GetNumberOfAttributeContainers( + 'windows_shortcut') + self.assertEqual(number_of_containers, 1) number_of_event_data = storage_writer.GetNumberOfAttributeContainers( 'event_data') @@ -86,7 +101,6 @@ def testParseLinkTargetIdentifier(self): # Test shortcut event data. expected_event_values = { 'creation_time': '2009-06-05T20:13:20.0000000+00:00', - 'data_type': 'windows:lnk:link', 'description': ( 'Nero InfoTool provides you with information about the most ' 'important features of installed drives, inserted discs, installed ' 
@@ -110,11 +124,18 @@ def testParseLinkTargetIdentifier(self): 'working_directory': ( 'C:\\\\Program Files (x86)\\\\Nero\\\\Nero 9\\\\Nero InfoTool')} + event_values = storage_writer.GetAttributeContainerByIndex( + 'windows_shortcut', 0) + self.CheckEventValues(event_values, expected_event_values) + + expected_event_data = { + 'data_type': 'windows:lnk:link'} + event_data = storage_writer.GetAttributeContainerByIndex('event_data', 5) - self.CheckEventData(event_data, expected_event_values) + self.CheckEventData(event_data, expected_event_data) # Test shell item event data. - expected_event_values = { + expected_event_data = { 'access_time': '2010-01-29T21:30:12+00:00', 'creation_time': '2009-06-05T20:13:20+00:00', 'data_type': 'windows:shell_item:file_entry', @@ -128,12 +149,17 @@ def testParseLinkTargetIdentifier(self): 'Nero InfoTool\\\\InfoTool.exe')} event_data = storage_writer.GetAttributeContainerByIndex('event_data', 4) - self.CheckEventData(event_data, expected_event_values) + self.CheckEventData(event_data, expected_event_data) def testParseUnpairedSurrogate(self): """Tests the Parse function on an LNK with an unpaired surrogate.""" parser = winlnk.WinLnkParser() - storage_writer = self._ParseFile(['unpaired_surrogate.lnk'], parser) + storage_writer = self._ParseFile( + ['winlnk', 'unpaired_surrogate.lnk'], parser) + + number_of_containers = storage_writer.GetNumberOfAttributeContainers( + 'windows_shortcut') + self.assertEqual(number_of_containers, 1) number_of_event_data = storage_writer.GetNumberOfAttributeContainers( 'event_data') @@ -150,7 +176,6 @@ def testParseUnpairedSurrogate(self): # Test shortcut event data. expected_event_values = { 'creation_time': '2023-07-10T04:01:20.7971076+00:00', - 'data_type': 'windows:lnk:link', 'description': None, 'drive_serial_number': 0x2ca3d1ae, 'drive_type': 3, 
@@ -160,11 +185,18 @@ def testParseUnpairedSurrogate(self): 'relative_path': '.\\\\unicode_U+0000d800_\\U0000d800.exe', 'working_directory': 'C:\\\\test'} + event_values = storage_writer.GetAttributeContainerByIndex( + 'windows_shortcut', 0) + self.CheckEventValues(event_values, expected_event_values) + + expected_event_data = { + 'data_type': 'windows:lnk:link'} + event_data = storage_writer.GetAttributeContainerByIndex('event_data', 2) - self.CheckEventData(event_data, expected_event_values) + self.CheckEventData(event_data, expected_event_data) # Test shell item event data. - expected_event_values = { + expected_event_data = { 'access_time': '2023-07-10T04:01:28+00:00', 'creation_time': '2023-07-10T04:01:22+00:00', 'data_type': 'windows:shell_item:file_entry', @@ -177,7 +209,7 @@ def testParseUnpairedSurrogate(self): ' C:\\\\test\\\\unicode_U+0000d800_\\U0000d800.exe')} event_data = storage_writer.GetAttributeContainerByIndex('event_data', 1) - self.CheckEventData(event_data, expected_event_values) + self.CheckEventData(event_data, expected_event_data) if __name__ == '__main__': diff --git a/tests/parsers/winreg_plugins/windows_version.py b/tests/parsers/winreg_plugins/windows_version.py index a870e5e8dc..22b51601f4 100644 --- a/tests/parsers/winreg_plugins/windows_version.py +++ b/tests/parsers/winreg_plugins/windows_version.py @@ -24,6 +24,7 @@ def testGetAttributeNames(self): expected_attribute_names = [ '_event_data_stream_identifier', '_event_values_hash', + '_event_values_identifier', '_parser_chain', 'build_number', 'data_type',