File: linux.yaml

# Linux related event formatters.
#
# Each YAML document in this file is one plaso event formatter, selected by
# 'data_type'.  With 'type: conditional' the 'message' / 'short_message'
# pieces are templates; pieces whose {attribute} is not set on the event are
# left out (plaso behaviour, not defined in this file), and the remaining
# pieces are joined with 'separator' (unset here, so plaso's default applies).
#
# NOTE(review): every {attribute} below is interpolated verbatim from the
# parsed artifact; nothing in this file escapes or validates it.  Downstream
# tooling should treat the rendered text (username, hostname, ip_address,
# terminal, ...) as untrusted, artifact-supplied data.

# Events from utmp-format records (typically utmp / wtmp / btmp).
type: 'conditional'
data_type: 'linux:utmp:event'
# Map the numeric record 'type' onto a readable 'status' attribute that the
# message templates below reference.
enumeration_helpers:
- input_attribute: 'type'
  output_attribute: 'status'
  # Values outside the table render as UNKNOWN instead of being dropped, so
  # malformed or unexpected record types stay visible in the timeline.
  default_value: 'UNKNOWN'
  # These follow the ut_type constants in <utmp.h> (0 = EMPTY ... 9 =
  # ACCOUNTING).  USER_PROCESS (7) marks an interactive login, DEAD_PROCESS
  # (8) its logout; BOOT_TIME (2) and RUN_LVL (1) bracket reboots.
  values:
    0: 'EMPTY'
    1: 'RUN_LVL'
    2: 'BOOT_TIME'
    3: 'NEW_TIME'
    4: 'OLD_TIME'
    5: 'INIT_PROCESS'
    6: 'LOGIN_PROCESS'
    7: 'USER_PROCESS'
    8: 'DEAD_PROCESS'
    9: 'ACCOUNTING'
# Full message: includes the remote origin (hostname and IP address), the
# terminal and the exit status, i.e. everything needed to attribute a login.
message:
- 'User: {username}'
- 'Hostname: {hostname}'
- 'Terminal: {terminal}'
- 'PID: {pid}'
- 'Terminal identifier: {terminal_identifier}'
- 'Status: {status}'
- 'IP Address: {ip_address}'
- 'Exit status: {exit_status}'
# Short message omits hostname and ip_address; a consumer that only shows the
# short form therefore loses the remote origin of the login.
short_message:
- 'User: {username}'
- 'PID: {pid}'
- 'Status: {status}'
---
# SELinux audit log lines.
type: 'conditional'
data_type: 'selinux:line'
# The pieces are concatenated with an empty 'separator' (set below), so the
# rendered form is "[audit_type: <type>, pid: <pid>] <body>".  The ', pid: '
# and ' {body}' pieces carry their own leading punctuation for that reason;
# removing 'separator' would put plaso's default separator between every
# piece, including inside the brackets.
# NOTE(review): {body} is the remainder of the audit line, interpolated
# unescaped -- treat it as untrusted log content.
message:
- '['
- 'audit_type: {audit_type}'
- ', pid: {pid}'
- ']'
- ' {body}'
separator: ''
# Same layout as 'message'.  NOTE(review): this relies on the single
# 'separator' key applying to short_message as well as message -- confirm
# against plaso's YAML formatter loader; if it only covers 'message', the
# short form renders with extra spaces between the pieces.
short_message:
- '['
- 'audit_type: {audit_type}'
- ', pid: {pid}'
- ']'
- ' {body}'