Package awslogs defines parsers and log types for AWS logs.
Constants ¶
// Log type names for the AWS sources handled by this package. Each parser
// reports the name of the type it handles through its LogType method, so
// these values are what a consumer matches on when routing log lines.
const (
	TypeALB               = "AWS.ALB"
	TypeAuroraMySQLAudit  = "AWS.AuroraMySQLAudit"
	TypeCloudTrail        = "AWS.CloudTrail"
	TypeCloudTrailDigest  = "AWS.CloudTrailDigest"
	TypeCloudTrailInsight = "AWS.CloudTrailInsight"
	TypeCloudWatchEvents  = "AWS.CloudWatchEvents"
	TypeGuardDuty         = "AWS.GuardDuty"
	TypeS3ServerAccess    = "AWS.S3ServerAccess"
	TypeVPCDns            = "AWS.VPCDns"
	TypeVPCFlow           = "AWS.VPCFlow"
	TypeWAFWebACL         = "AWS.WAFWebACL"
)
Types ¶
type ALB ¶
// ALB is one access-log record from an AWS Application Load Balancer
// (log type TypeALB). Each field's schema description lives in its struct
// tag; tags the renderer elided are marked with "not displayed" comments.
// ClientIP, RequestURL, UserAgent and the request headers-derived fields are
// recorded verbatim from the client side of the connection, so detections
// built on them should treat the values as untrusted input.
type ALB struct {
	Type *string `json:"type,omitempty" validate:"oneof=http https h2 ws wss" description:"The type of request or connection."`
	Timestamp *timestamp.RFC3339 `` /* 198-byte string literal not displayed */
	ELB *string `` /* 168-byte string literal not displayed */
	ClientIP *string `json:"clientIp,omitempty" description:"The IP address of the requesting client."`
	ClientPort *int `json:"clientPort,omitempty" description:"The port of the requesting client."`
	TargetIP *string `json:"targetIp,omitempty" description:"The IP address of the target that processed this request."`
	TargetPort *int `json:"targetPort,omitempty" description:"The port of the target that processed this request."`
	RequestProcessingTime *float64 `` /* 513-byte string literal not displayed */
	TargetProcessingTime *float64 `` /* 536-byte string literal not displayed */
	ResponseProcessingTime *float64 `` /* 579-byte string literal not displayed */
	ELBStatusCode *int `` /* 127-byte string literal not displayed */
	TargetStatusCode *int `` /* 202-byte string literal not displayed */
	ReceivedBytes *int `` /* 257-byte string literal not displayed */
	SentBytes *int `` /* 232-byte string literal not displayed */
	RequestHTTPMethod *string `json:"requestHttpMethod,omitempty" description:"The HTTP method parsed from the request."`
	RequestURL *string `json:"requestUrl,omitempty" description:"The HTTP URL parsed from the request."`
	RequestHTTPVersion *string `json:"requestHttpVersion,omitempty" description:"The HTTP version parsed from the request."`
	UserAgent *string `` /* 243-byte string literal not displayed */
	SSLCipher *string `` /* 141-byte string literal not displayed */
	SSLProtocol *string `` /* 145-byte string literal not displayed */
	TargetGroupARN *string `json:"targetGroupArn,omitempty" description:"The Amazon Resource Name (ARN) of the target group."`
	TraceID *string `json:"traceId,omitempty" description:"The contents of the X-Amzn-Trace-Id header."`
	DomainName *string `` /* 280-byte string literal not displayed */
	ChosenCertARN *string `` /* 243-byte string literal not displayed */
	MatchedRulePriority *int `` /* 338-byte string literal not displayed */
	RequestCreationTime *timestamp.RFC3339 `json:"requestCreationTime,omitempty" description:"The time when the load balancer received the request from the client."`
	ActionsExecuted []string `` /* 270-byte string literal not displayed */
	RedirectURL *string `` /* 181-byte string literal not displayed */
	ErrorReason *string `` /* 278-byte string literal not displayed */
	// NOTE: added to end of struct to allow expansion later
	// Embedded last so new log fields can be inserted above it; carries the
	// Panther p_any_aws_* indicator collections (see AWSPantherLog).
	AWSPantherLog
}
nolint:lll
type ALBParser ¶
// ALBParser parses AWS Application Load Balancer logs (log type TypeALB).
type ALBParser struct {
	// CSVReader is the streaming reader the parser splits each delimited log
	// line with; ALB access logs are delimited text rather than JSON.
	CSVReader *csvstream.StreamingCSVReader
}
ALBParser parses AWS Application Load Balancer logs
type AWSExtractor ¶ added in v0.2.0
// AWSExtractor extracts useful AWS features that can be detected
// generically (with context) while walking a log's JSON (see Extract, which
// receives each key/value as a gjson.Result). Construct it with
// NewAWSExtractor; the extracted values are presumably appended to the
// p_any_aws_* collections of the AWSPantherLog given there — confirm in the
// implementation.
type AWSExtractor struct {
	// contains filtered or unexported fields
}
AWSExtractor extracts useful AWS features that can be detected generically (with context).
func NewAWSExtractor ¶ added in v0.2.0
func NewAWSExtractor(pl *AWSPantherLog) *AWSExtractor
func (*AWSExtractor) Extract ¶ added in v0.2.0
func (e *AWSExtractor) Extract(key, value gjson.Result)
type AWSPantherLog ¶ added in v0.2.0
// AWSPantherLog embeds parsers.PantherLog and adds the AWS-specific
// p_any_aws_* indicator collections shared by every AWS log type in this
// package. The AppendAnyAWS* methods (and their *Ptrs variants, which accept
// possibly-nil pointers) populate these collections.
type AWSPantherLog struct {
	parsers.PantherLog
	PantherAnyAWSAccountIds parsers.PantherAnyString `` /* 131-byte string literal not displayed */
	PantherAnyAWSInstanceIds parsers.PantherAnyString `` /* 133-byte string literal not displayed */
	PantherAnyAWSARNs parsers.PantherAnyString `json:"p_any_aws_arns,omitempty" description:"Panther added field with collection of aws arns associated with the row"`
	// Tags are appended as "<key>:<value>" strings (see AppendAnyAWSTags).
	PantherAnyAWSTags parsers.PantherAnyString `json:"p_any_aws_tags,omitempty" description:"Panther added field with collection of aws tags associated with the row"`
}
nolint(lll)
func (*AWSPantherLog) AppendAnyAWSARNPtrs ¶ added in v0.2.0
func (pl *AWSPantherLog) AppendAnyAWSARNPtrs(values ...*string)
func (*AWSPantherLog) AppendAnyAWSARNs ¶ added in v0.2.0
func (pl *AWSPantherLog) AppendAnyAWSARNs(values ...string)
func (*AWSPantherLog) AppendAnyAWSAccountIdPtrs ¶ added in v0.2.0
func (pl *AWSPantherLog) AppendAnyAWSAccountIdPtrs(values ...*string)
func (*AWSPantherLog) AppendAnyAWSAccountIds ¶ added in v0.2.0
func (pl *AWSPantherLog) AppendAnyAWSAccountIds(values ...string)
func (*AWSPantherLog) AppendAnyAWSInstanceIdPtrs ¶ added in v0.2.0
func (pl *AWSPantherLog) AppendAnyAWSInstanceIdPtrs(values ...*string)
func (*AWSPantherLog) AppendAnyAWSInstanceIds ¶ added in v0.2.0
func (pl *AWSPantherLog) AppendAnyAWSInstanceIds(values ...string)
func (*AWSPantherLog) AppendAnyAWSTagPtrs ¶ added in v0.2.0
func (pl *AWSPantherLog) AppendAnyAWSTagPtrs(values ...*string)
func (*AWSPantherLog) AppendAnyAWSTags ¶ added in v0.2.0
func (pl *AWSPantherLog) AppendAnyAWSTags(values ...string)
NOTE: value should be of the form <key>:<value>
type AuroraMySQLAudit ¶
// AuroraMySQLAudit is one AWS Aurora MySQL audit-log record (log type
// TypeAuroraMySQLAudit): who connected from where, and which operation ran
// against which database object with what return code.
type AuroraMySQLAudit struct {
	Timestamp *timestamp.RFC3339 `json:"timestamp,omitempty" description:"The timestamp for the logged event with microsecond precision (UTC)."`
	ServerHost *string `json:"serverHost,omitempty" description:"The name of the instance that the event is logged for."`
	Username *string `json:"username,omitempty" description:"The connected user name of the user."`
	Host *string `json:"host,omitempty" description:"The host that the user connected from."`
	ConnectionID *int `json:"connectionId,omitempty" description:"The connection ID number for the logged operation."`
	QueryID *int `` /* 182-byte string literal not displayed */
	Operation *string `` /* 216-byte string literal not displayed */
	Database *string `json:"database,omitempty" description:"The active database, as set by the USE command."`
	Object *string `` /* 143-byte string literal not displayed */
	RetCode *int `json:"retCode,omitempty" description:"The return code of the logged operation."`
	// NOTE: added to end of struct to allow expansion later
	// Embedded last so new log fields can be inserted above it (see AWSPantherLog).
	AWSPantherLog
}
nolint:lll
type AuroraMySQLAuditParser ¶
// AuroraMySQLAuditParser parses AWS Aurora MySQL Audit logs (log type
// TypeAuroraMySQLAudit). LogType reports the type, New returns a fresh
// parser, and Parse turns one log line into events.
type AuroraMySQLAuditParser struct {
	// CSVReader is the streaming reader Parse splits each delimited audit
	// line with.
	CSVReader *csvstream.StreamingCSVReader
}
AuroraMySQLAuditParser parses AWS Aurora MySQL Audit logs
func (*AuroraMySQLAuditParser) LogType ¶
func (p *AuroraMySQLAuditParser) LogType() string
LogType returns the log type supported by this parser
func (*AuroraMySQLAuditParser) New ¶ added in v0.3.0
func (p *AuroraMySQLAuditParser) New() parsers.LogParser
func (*AuroraMySQLAuditParser) Parse ¶
func (p *AuroraMySQLAuditParser) Parse(log string) ([]*parsers.PantherLog, error)
Parse returns the parsed events or nil if parsing failed
type CloudTrail ¶
// CloudTrail is a record from the Records[*] JSON of an AWS CloudTrail API
// log (log type TypeCloudTrail). Fields validated as "required" are the
// minimum needed to attribute an API call: region, event id/version/time,
// and the identity that made it. WriteValuesTo emits the indicator values
// (ARNs, account ids, IPs) this record contributes.
type CloudTrail struct {
	AdditionalEventData pantherlog.RawMessage `json:"additionalEventData" description:"Additional data about the event that was not part of the request or response."`
	APIVersion pantherlog.String `json:"apiVersion" description:"Identifies the API version associated with the AwsApiCall eventType value."`
	AWSRegion pantherlog.String `json:"awsRegion" validate:"required" description:"The AWS region that the request was made to, such as us-east-2."`
	ErrorCode pantherlog.String `json:"errorCode" description:"The AWS service error if the request returns an error."`
	ErrorMessage pantherlog.String `` /* 236-byte string literal not displayed */
	EventID pantherlog.String `` /* 259-byte string literal not displayed */
	EventName pantherlog.String `` /* 129-byte string literal not displayed */
	EventSource pantherlog.String `` /* 186-byte string literal not displayed */
	EventTime pantherlog.Time `` /* 162-byte string literal not displayed */
	EventType pantherlog.String `` /* 203-byte string literal not displayed */
	EventVersion pantherlog.String `json:"eventVersion" validate:"required" description:"The version of the log event format."`
	ManagementEvent pantherlog.Bool `` /* 297-byte string literal not displayed */
	ReadOnly pantherlog.Bool `json:"readOnly" description:"Identifies whether this operation is a read-only operation."`
	RecipientAccountID pantherlog.String `` /* 293-byte string literal not displayed */
	RequestID pantherlog.String `json:"requestID" description:"The value that identifies the request. The service being called generates this value."`
	// Request/response payloads are kept as raw JSON (their shape presumably
	// varies per API) and are not validated here; parse them per event name.
	RequestParameters pantherlog.RawMessage `` /* 195-byte string literal not displayed */
	Resources []CloudTrailResources `json:"resources" description:"A list of resources accessed in the event."`
	ResponseElements pantherlog.RawMessage `` /* 331-byte string literal not displayed */
	ServiceEventDetails pantherlog.RawMessage `json:"serviceEventDetails" description:"Identifies the service event, including what triggered the event and the result."`
	SourceIPAddress pantherlog.String `` /* 318-byte string literal not displayed */
	UserAgent pantherlog.String `` /* 157-byte string literal not displayed */
	// Required: every record must say who made the call.
	UserIdentity *CloudTrailUserIdentity `json:"userIdentity" validate:"required" description:"Information about the user that made a request."`
	VPCEndpointID pantherlog.String `` /* 144-byte string literal not displayed */
}
CloudTrail is a record from the Records[*] JSON of an AWS CloudTrail API log. nolint:lll
func (*CloudTrail) WriteValuesTo ¶ added in v1.13.0
func (event *CloudTrail) WriteValuesTo(w pantherlog.ValueWriter)
type CloudTrailDigest ¶ added in v1.2.0
// CloudTrailDigest is a CloudTrail log-file integrity digest (log type
// TypeCloudTrailDigest). It lists the log files delivered in the digest
// period with their hashes, and chains to the previous digest through its
// hash value and signature. Verifying that chain is what lets a consumer
// notice missing or altered log files; this type only carries the values,
// it does not verify them.
type CloudTrailDigest struct {
	AWSAccountID pantherlog.String `` /* 143-byte string literal not displayed */
	DigestStartTime pantherlog.Time `` /* 215-byte string literal not displayed */
	DigestEndTime pantherlog.Time `` /* 229-byte string literal not displayed */
	DigestS3Bucket pantherlog.String `` /* 141-byte string literal not displayed */
	DigestS3Object pantherlog.String `` /* 149-byte string literal not displayed */
	NewestEventTime pantherlog.Time `` /* 147-byte string literal not displayed */
	OldestEventTime pantherlog.Time `` /* 143-byte string literal not displayed */
	// Chain to the previous digest file.
	PreviousDigestS3Bucket pantherlog.String `json:"previousDigestS3Bucket" description:"The Amazon S3 bucket to which the previous digest file was delivered."`
	PreviousDigestS3Object pantherlog.String `` /* 138-byte string literal not displayed */
	PreviousDigestHashValue pantherlog.String `` /* 154-byte string literal not displayed */
	PreviousDigestHashAlgorithm pantherlog.String `` /* 127-byte string literal not displayed */
	PreviousDigestSignature pantherlog.String `json:"previousDigestSignature" description:"The hexadecimal encoded signature of the previous digest file."`
	DigestPublicKeyFingerprint pantherlog.String `` /* 181-byte string literal not displayed */
	DigestSignatureAlgorithm pantherlog.String `json:"digestSignatureAlgorithm" validate:"required" description:"The algorithm used to sign the digest file."`
	// Required but may be empty (min=0): a period with no log files still
	// produces a digest.
	LogFiles []CloudTrailDigestLogFile `json:"logFiles" validate:"required,min=0" description:"Log files delivered in this digest"`
}
nolint:lll
type CloudTrailDigestLogFile ¶ added in v1.2.0
// CloudTrailDigestLogFile is one entry of CloudTrailDigest.LogFiles: the
// S3 location of a delivered log file plus the hash that lets its contents
// be checked for tampering.
type CloudTrailDigestLogFile struct {
	S3Bucket pantherlog.String `json:"s3Bucket" validate:"required" description:"The name of the Amazon S3 bucket for the log file."`
	S3Object pantherlog.String `json:"s3Object" validate:"required" description:"The Amazon S3 object key of the current log file."`
	HashValue pantherlog.String `` /* 140-byte string literal not displayed */
	HashAlgorithm pantherlog.String `json:"hashAlgorithm" validate:"required" description:"The hash algorithm used to hash the log file."`
	NewestEventTime pantherlog.Time `` /* 145-byte string literal not displayed */
	OldestEventTime pantherlog.Time `` /* 140-byte string literal not displayed */
}
nolint:lll
type CloudTrailInsight ¶ added in v1.1.0
// CloudTrailInsight is one CloudTrail Insights event (log type
// TypeCloudTrailInsight), i.e. a record of unusual API call activity rather
// than a single API call. Field layout follows
// https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html
type CloudTrailInsight struct {
	EventVersion pantherlog.String `json:"eventVersion" validate:"required" description:"The version of the log event format."`
	EventTime pantherlog.Time `` /* 162-byte string literal not displayed */
	AWSRegion pantherlog.String `json:"awsRegion" validate:"required" description:"The AWS region that the request was made to, such as us-east-2."`
	EventID pantherlog.String `` /* 259-byte string literal not displayed */
	EventType pantherlog.String `` /* 227-byte string literal not displayed */
	RecipientAccountID pantherlog.String `` /* 293-byte string literal not displayed */
	InsightDetails *InsightDetails `` /* 235-byte string literal not displayed */
	EventCategory pantherlog.String `` /* 168-byte string literal not displayed */
}
Reference from https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html nolint:lll
type CloudTrailInsightParser ¶ added in v1.1.0
// CloudTrailInsightParser parses CloudTrail Insights events (log type
// TypeCloudTrailInsight). It embeds pantherlog.ResultBuilder, presumably
// the helper ParseLog builds its []*pantherlog.Result with.
type CloudTrailInsightParser struct {
	pantherlog.ResultBuilder
}
func (*CloudTrailInsightParser) ParseLog ¶ added in v1.15.0
func (p *CloudTrailInsightParser) ParseLog(log string) ([]*pantherlog.Result, error)
ParseLog returns the parsed events or nil if parsing failed
type CloudTrailInsightRecords ¶ added in v1.1.0
// CloudTrailInsightRecords is the top-level envelope of a CloudTrail Insights
// log file: a Records array whose every element is validated ("dive").
type CloudTrailInsightRecords struct {
	Records []CloudTrailInsight `json:"Records" validate:"required,dive"`
}
nolint:lll
type CloudTrailResources ¶
// CloudTrailResources are the AWS resources used in the API call. The
// panther struct tags appear to mark ARN and AccountID for collection into
// the p_any_aws_arns / p_any_aws_account_ids indicator fields — confirm
// against the tag handling in pantherlog.
type CloudTrailResources struct {
	// ARN of the resource touched by the call.
	ARN pantherlog.String `json:"arn" panther:"aws_arn"`
	// AccountID that owns the resource (may differ from the caller's account).
	AccountID pantherlog.String `json:"accountId" panther:"aws_account_id"`
	// Type is the resource type string as CloudTrail reports it.
	Type pantherlog.String `json:"type"`
}
CloudTrailResources are the AWS resources used in the API call.
type CloudTrailSessionContext ¶
// CloudTrailSessionContext provides information about a session created for
// temporary credentials: how the session was established (Attributes), the
// entity that issued it (SessionIssuer) and, for federated logins, the
// identity provider data (WebIDFederationData). All three are optional
// pointers and may be nil.
type CloudTrailSessionContext struct {
	Attributes *CloudTrailSessionContextAttributes `json:"attributes"`
	SessionIssuer *CloudTrailSessionContextSessionIssuer `json:"sessionIssuer"`
	WebIDFederationData *CloudTrailSessionContextWebIDFederationData `json:"webIdFederationData"`
}
CloudTrailSessionContext provides information about a session created for temporary credentials.
type CloudTrailSessionContextAttributes ¶
// CloudTrailSessionContextAttributes contains the attributes of the Session
// context object.
type CloudTrailSessionContextAttributes struct {
	// MfaAuthenticated is kept as a string, not a bool, so detections on
	// MFA use must compare it textually (CloudTrail emits it as text —
	// confirm the exact values against sample events).
	MfaAuthenticated pantherlog.String `json:"mfaAuthenticated"`
	// CreationDate is the session creation time as a string; it is not
	// parsed into pantherlog.Time here.
	CreationDate pantherlog.String `json:"creationDate"`
}
CloudTrailSessionContextAttributes contains the attributes of the Session context object
type CloudTrailSessionContextSessionIssuer ¶
// CloudTrailSessionContextSessionIssuer contains information for the
// SessionContextSessionIssuer: the long-lived principal (e.g. a role) that
// the temporary credentials were issued from. Arn and AccountID carry
// panther tags, so the issuer is surfaced as an indicator alongside the
// session's own identity.
type CloudTrailSessionContextSessionIssuer struct {
	Type pantherlog.String `json:"type"`
	PrincipalID pantherlog.String `json:"principalId"`
	Arn pantherlog.String `json:"arn" panther:"aws_arn"`
	AccountID pantherlog.String `json:"accountId" panther:"aws_account_id"`
	Username pantherlog.String `json:"userName"`
}
CloudTrailSessionContextSessionIssuer contains information for the SessionContextSessionIssuer
type CloudTrailSessionContextWebIDFederationData ¶
// CloudTrailSessionContextWebIDFederationData contains Web ID federation
// data. Attributes is kept as raw JSON because its contents depend on the
// provider; WriteValuesTo is where any indicators are pulled from it.
type CloudTrailSessionContextWebIDFederationData struct {
	FederatedProvider pantherlog.String `json:"federatedProvider"`
	Attributes pantherlog.RawMessage `json:"attributes"`
}
CloudTrailSessionContextWebIDFederationData contains Web ID federation data
func (*CloudTrailSessionContextWebIDFederationData) WriteValuesTo ¶ added in v1.13.0
func (d *CloudTrailSessionContextWebIDFederationData) WriteValuesTo(w pantherlog.ValueWriter)
type CloudTrailUserIdentity ¶
// CloudTrailUserIdentity contains details about the type of IAM identity that
// made the request. Which fields are populated depends on Type; for
// temporary credentials SessionContext describes how the session was
// obtained, and InvokedBy names the AWS service acting on the principal's
// behalf.
type CloudTrailUserIdentity struct {
	Type pantherlog.String `json:"type"`
	PrincipalID pantherlog.String `json:"principalId"`
	ARN pantherlog.String `json:"arn" panther:"aws_arn"`
	AccountID pantherlog.String `json:"accountId" panther:"aws_account_id"`
	// AccessKeyID is the key id that signed the request; useful as a pivot
	// when tracing use of a particular credential across events.
	AccessKeyID pantherlog.String `json:"accessKeyId"`
	Username pantherlog.String `json:"userName"`
	SessionContext *CloudTrailSessionContext `json:"sessionContext"`
	InvokedBy pantherlog.String `json:"invokedBy"`
	IdentityProvider pantherlog.String `json:"identityProvider"`
}
CloudTrailUserIdentity contains details about the type of IAM identity that made the request.
type CloudWatchEvent ¶ added in v1.6.0
// CloudWatchEvent is one AWS CloudWatch Events record (log type
// TypeCloudWatchEvents). The envelope fields are validated as required;
// Detail is the event-specific payload and is kept as raw JSON because its
// schema depends on Source and DetailType.
type CloudWatchEvent struct {
	ID *string `` /* 184-byte string literal not displayed */
	Account *string `json:"account" validate:"required" description:"The 12-digit number identifying an AWS account."`
	Source *string `` /* 315-byte string literal not displayed */
	Resources []string `` /* 419-byte string literal not displayed */
	Region *string `json:"region" validate:"required" description:"Identifies the AWS region where the event originated."`
	DetailType *string `` /* 157-byte string literal not displayed */
	Version *string `json:"version" validate:"required" description:"By default, this is set to 0 (zero) in all events."`
	Time *timestamp.RFC3339 `` /* 294-byte string literal not displayed */
	Detail *jsoniter.RawMessage `` /* 298-byte string literal not displayed */
	// NOTE: added to end of struct to allow expansion later
	// Embedded last so new log fields can be inserted above it (see AWSPantherLog).
	AWSPantherLog
}
nolint:lll
type CloudWatchEventParser ¶ added in v1.6.0
// CloudWatchEventParser parses AWS CloudWatch Events (log type
// TypeCloudWatchEvents). It holds no state: LogType reports the type, New
// returns a fresh parser and Parse turns one log line into events.
type CloudWatchEventParser struct{}
CloudWatchEventParser parses AWS Cloudwatch Events
func (*CloudWatchEventParser) LogType ¶ added in v1.6.0
func (p *CloudWatchEventParser) LogType() string
LogType returns the log type supported by this parser
func (*CloudWatchEventParser) New ¶ added in v1.6.0
func (p *CloudWatchEventParser) New() parsers.LogParser
func (*CloudWatchEventParser) Parse ¶ added in v1.6.0
func (p *CloudWatchEventParser) Parse(log string) ([]*parsers.PantherLog, error)
Parse returns the parsed events or nil if parsing failed
type DNSAnswer ¶ added in v1.15.0
// DNSAnswer is one answer record of a VPCDns query log. WriteValuesTo emits
// the indicator values the answer contributes (e.g. resolved addresses in
// Rdata).
type DNSAnswer struct {
	Rdata pantherlog.String `` /* 238-byte string literal not displayed */
	Type pantherlog.String `` /* 157-byte string literal not displayed */
	Class pantherlog.String `json:"Class" validate:"required" description:"The class of the Resolver response to the query."`
}
nolint:lll
func (*DNSAnswer) WriteValuesTo ¶ added in v1.15.0
func (answer *DNSAnswer) WriteValuesTo(w pantherlog.ValueWriter)
type DNSSrcID ¶ added in v1.15.0
// DNSSrcID identifies where a VPCDns query originated: the EC2 instance
// (tagged for collection as an aws_instance_id indicator) or the resolver
// endpoint that forwarded it to on-premises DNS.
type DNSSrcID struct {
	InstanceID pantherlog.String `json:"instance" panther:"aws_instance_id" description:"The ID of the instance that the query originated from."`
	ResolverEndpoint pantherlog.String `json:"resolver-endpoint" description:"The ID of the resolver endpoint that passes the DNS query to on-premises DNS servers."`
}
nolint:lll
type ExcludedRule ¶ added in v1.16.0
// ExcludedRule is a rule of a WAF rule group that was excluded from
// evaluation for this request (see RuleGroupListDetail.ExcludedRules).
type ExcludedRule struct {
	ExclusionType pantherlog.String `` /* 142-byte string literal not displayed */
	RuleID pantherlog.String `json:"ruleId" description:"The ID of the rule within the rule group that is excluded."`
}
nolint:lll,maligned
type GuardDuty ¶
// GuardDuty is one AWS GuardDuty finding (log type TypeGuardDuty). Resource
// is kept as raw JSON because its shape depends on the finding Type;
// Service carries the detector and action details.
type GuardDuty struct {
	SchemaVersion *string `json:"schemaVersion" validate:"required" description:"The schema format version of this record."`
	AccountID *string `` /* 165-byte string literal not displayed */
	Region *string `json:"region" validate:"required" description:"The AWS region in which the finding was generated."`
	Partition *string `json:"partition" validate:"required" description:"The AWS partition in which the finding was generated."`
	// omitempty is redundant with validate:"required" (a missing id fails
	// validation before output); left as-is to keep the emitted schema stable.
	ID *string `json:"id,omitempty" validate:"required" description:"A unique identifier for the finding."`
	Arn *string `json:"arn" validate:"required" description:"A unique identifier formatted as an ARN for the finding."`
	Type *string `json:"type" validate:"required" description:"A concise yet readable description of the potential security issue."`
	Resource *jsoniter.RawMessage `` /* 154-byte string literal not displayed */
	Severity *float32 `` /* 128-byte string literal not displayed */
	CreatedAt *timestamp.RFC3339 `json:"createdAt" validate:"required,min=0" description:"The initial creation time of the finding (UTC)."`
	UpdatedAt *timestamp.RFC3339 `json:"updatedAt" validate:"required,min=0" description:"The last update time of the finding (UTC)."`
	Title *string `json:"title" validate:"required" description:"A short description of the finding."`
	Description *string `json:"description" validate:"required" description:"A long description of the finding."`
	Service *GuardDutyService `json:"service" validate:"required" description:"Additional information about the affected service."`
	// NOTE: added to end of struct to allow expansion later
	// Embedded last so new log fields can be inserted above it (see AWSPantherLog).
	AWSPantherLog
}
nolint:lll
type GuardDutyParser ¶
// GuardDutyParser parses AWS GuardDuty findings (log type TypeGuardDuty).
// It holds no state: LogType reports the type, New returns a fresh parser
// and Parse turns one log line into events.
type GuardDutyParser struct{}
GuardDutyParser parses AWS GuardDuty logs
func (*GuardDutyParser) LogType ¶
func (p *GuardDutyParser) LogType() string
LogType returns the log type supported by this parser
func (*GuardDutyParser) New ¶ added in v0.3.0
func (p *GuardDutyParser) New() parsers.LogParser
func (*GuardDutyParser) Parse ¶
func (p *GuardDutyParser) Parse(log string) ([]*parsers.PantherLog, error)
Parse returns the parsed events or nil if parsing failed
type GuardDutyService ¶
// GuardDutyService is the "service" object of a GuardDuty finding: which
// detector produced it, what action was observed, and how often / when the
// activity was seen. ServiceName and DetectorID are required; everything
// else is optional.
type GuardDutyService struct {
	// AdditionalInfo and Action are kept as raw JSON; their shape varies by
	// finding type.
	AdditionalInfo *jsoniter.RawMessage `json:"additionalInfo,omitempty"`
	Action *jsoniter.RawMessage `json:"action,omitempty"`
	ServiceName *string `json:"serviceName" validate:"required"`
	DetectorID *string `json:"detectorId" validate:"required"`
	// ResourceRole says whether the affected resource was the TARGET or the
	// ACTOR of the activity — confirm values against GuardDuty samples.
	ResourceRole *string `json:"resourceRole,omitempty"`
	EventFirstSeen *timestamp.RFC3339 `json:"eventFirstSeen,omitempty"`
	EventLastSeen *timestamp.RFC3339 `json:"eventLastSeen,omitempty"`
	// Archived marks a finding the account has archived (no longer active).
	Archived *bool `json:"archived,omitempty"`
	// Count is how many times the activity was observed for this finding.
	Count *int `json:"count,omitempty"`
}
type HTTPHeader ¶ added in v1.16.0
// HTTPHeader is one request header as logged by WAF (see
// HTTPRequest.Headers). Both fields are client-supplied text recorded as-is.
type HTTPHeader struct {
	// TODO: Maybe we should apply some normalization here, e.g. always convert to lowercase?
	// Until that happens Name keeps the case the client sent; header names
	// are case-insensitive, so detections matching on Name should compare
	// case-insensitively rather than rely on a canonical form.
	Name pantherlog.String `json:"name" description:"The header name."`
	Value pantherlog.String `json:"value" description:"The header value."`
}
nolint:lll,maligned
type HTTPRequest ¶ added in v1.16.0
// HTTPRequest is the inspected request of a WAF web ACL log entry. ClientIP
// is tagged for collection as an ip indicator; Args, URI and Headers are the
// raw client-supplied parts of the request and should be treated as
// untrusted when they are rendered or queried.
type HTTPRequest struct {
	Args pantherlog.String `json:"args" description:"The HTTP Request query string."`
	ClientIP pantherlog.String `json:"clientIp" panther:"ip" description:"The IP address of the client sending the request."`
	Country pantherlog.String `` /* 145-byte string literal not displayed */
	Headers []HTTPHeader `json:"headers" description:"The list of headers."`
	HTTPMethod pantherlog.String `json:"httpMethod" description:"The HTTP method in the request."`
	HTTPVersion pantherlog.String `json:"httpVersion" description:"The HTTP version, e.g. HTTP/2.0."`
	RequestID pantherlog.String `` /* 216-byte string literal not displayed */
	URI pantherlog.String `json:"uri" description:"The URI of the request."`
}
nolint:lll,maligned
type InsightAverage ¶ added in v1.1.0
// InsightAverage holds a single averaged metric value for a CloudTrail
// Insights event (used for both the baseline and the insight period in
// InsightStatistics).
type InsightAverage struct {
	Average pantherlog.Float64 `json:"average,omitempty" description:"Average value for the insight metric"`
}
nolint:lll
type InsightContext ¶ added in v1.1.0
// InsightContext wraps the statistics of a CloudTrail Insights event
// (see InsightDetails.InsightContext).
type InsightContext struct {
	Statistics *InsightStatistics `` /* 232-byte string literal not displayed */
}
nolint:lll
type InsightDetails ¶ added in v1.1.0
// InsightDetails describes what a CloudTrail Insights event flagged: the
// API (EventSource/EventName) whose call rate was unusual, the insight type
// and its start/end state, plus the supporting statistics.
type InsightDetails struct {
	State pantherlog.String `` /* 179-byte string literal not displayed */
	EventSource pantherlog.String `json:"eventSource" validate:"required" description:"The AWS API for which unusual activity was detected."`
	EventName pantherlog.String `json:"eventName" validate:"required" description:"The AWS API for which unusual activity was detected."`
	InsightType pantherlog.String `json:"insightType" validate:"required" description:"The type of Insights event. Value is ApiCallRateInsight. "`
	InsightContext *InsightContext `` /* 167-byte string literal not displayed */
}
nolint:lll
type InsightStatistics ¶ added in v1.1.0
// InsightStatistics compares the normal call rate (Baseline) with the rate
// observed during the insight period (Insight), together with how long the
// unusual activity lasted.
type InsightStatistics struct {
	Baseline *InsightAverage `` /* 132-byte string literal not displayed */
	Insight *InsightAverage `` /* 127-byte string literal not displayed */
	InsightDuration pantherlog.Float32 `` /* 219-byte string literal not displayed */
}
nolint:lll
type RateBasedRuleListDetail ¶ added in v1.16.0
// RateBasedRuleListDetail describes a WAF rate-based rule that acted on the
// request: the key the rate is tracked by, the value of that key for this
// request, and the configured rate limit.
type RateBasedRuleListDetail struct {
	LimitKey pantherlog.String `` /* 180-byte string literal not displayed */
	LimitValue pantherlog.String `` /* 194-byte string literal not displayed */
	MaxRateAllowed pantherlog.Uint32 `` /* 349-byte string literal not displayed */
	RateBasedRuleID pantherlog.String `` /* 201-byte string literal not displayed */
	RateBasedRuleName pantherlog.String `json:"rateBasedRuleName" description:"The name of the rate-based rule that acted on the request."`
}
nolint:lll,maligned
type RuleDetail ¶ added in v1.16.0
// RuleDetail is a WAF rule that matched the request, with the action it is
// configured for and the details of what matched. For non-terminating rules
// Action is always COUNT (per the tag description).
type RuleDetail struct {
	RuleID pantherlog.String `json:"ruleId" description:"The Rule ID."`
	Action pantherlog.String `json:"action" description:"The configured rule action. For non-terminating rules the value is always COUNT."`
	RuleMatchDetails []RuleMatchDetail `` /* 200-byte string literal not displayed */
}
nolint:lll,maligned
type RuleGroupListDetail ¶ added in v1.16.0
// RuleGroupListDetail is the evaluation result of one WAF rule group for the
// request: which rule terminated evaluation (if any), which non-terminating
// rules also matched, and which rules were excluded from the group.
type RuleGroupListDetail struct {
	ExcludedRules []ExcludedRule `` /* 138-byte string literal not displayed */
	NonTerminatingMatchingRules []RuleDetail `` /* 190-byte string literal not displayed */
	RuleGroupID pantherlog.String `` /* 159-byte string literal not displayed */
	// Nil when no rule in the group terminated evaluation.
	TerminatingRule *RuleDetail `` /* 205-byte string literal not displayed */
}
nolint:lll,maligned
type RuleMatchDetail ¶ added in v1.16.0
// RuleMatchDetail records why a WAF rule matched: the attack category
// (SQL_INJECTION or XSS), the part of the request it was found in, and the
// matched fragments. MatchedData is request content copied from the
// attacker-controlled input, so it must be escaped before being placed in
// markup or queries downstream.
type RuleMatchDetail struct {
	ConditionType pantherlog.String `json:"conditionType" description:"The vulnerability type, either SQL_INJECTION or XSS"`
	Location pantherlog.String `json:"location" description:"The request parameter type that provided the match. Can be ALL_QUERY_ARGS, HEADER etc."`
	MatchedData []string `json:"matchedData" description:"The list of strings that provides the match, e.g. [\"10\", \"AND\", \"1\"]"`
}
nolint:lll,maligned
type S3ServerAccess ¶
// S3ServerAccess is one S3 server access log record (log type
// TypeS3ServerAccess). Requester, RemoteIP, RequestURI, Referrer and
// UserAgent come from the client side of the request and are recorded
// as-is. AdditionalFields keeps any trailing columns so newer log formats
// do not lose data.
type S3ServerAccess struct {
	BucketOwner *string `` /* 196-byte string literal not displayed */
	Bucket *string `` /* 230-byte string literal not displayed */
	Time *timestamp.RFC3339 `json:"time,omitempty" description:"The time at which the request was received (UTC)."`
	RemoteIP *string `` /* 190-byte string literal not displayed */
	Requester *string `` /* 329-byte string literal not displayed */
	RequestID *string `json:"requestid,omitempty" description:"A string generated by Amazon S3 to uniquely identify each request."`
	Operation *string `` /* 188-byte string literal not displayed */
	Key *string `` /* 132-byte string literal not displayed */
	RequestURI *string `json:"requesturi,omitempty" description:"The Request-URI part of the HTTP request message."`
	// Validated to the HTTP status range when present.
	HTTPStatus *int `json:"httpstatus,omitempty" validate:"omitempty,max=600,min=100" description:"The numeric HTTP status code of the response."`
	ErrorCode *string `json:"errorcode,omitempty" description:"The Amazon S3 Error Code, or NULL if no error occurred."`
	BytesSent *int `` /* 126-byte string literal not displayed */
	ObjectSize *int `json:"objectsize,omitempty" description:"The total size of the object in question."`
	TotalTime *int `` /* 330-byte string literal not displayed */
	TurnAroundTime *int `` /* 254-byte string literal not displayed */
	Referrer *string `` /* 223-byte string literal not displayed */
	UserAgent *string `json:"useragent,omitempty" description:"The value of the HTTP User-Agent header."`
	VersionID *string `` /* 133-byte string literal not displayed */
	HostID *string `json:"hostid,omitempty" description:"The x-amz-id-2 or Amazon S3 extended request ID."`
	// Signature, cipher, auth type and TLS version describe how the request
	// was authenticated and transported — useful for spotting unsigned or
	// legacy-TLS access.
	SignatureVersion *string `` /* 166-byte string literal not displayed */
	CipherSuite *string `` /* 136-byte string literal not displayed */
	AuthenticationType *string `` /* 213-byte string literal not displayed */
	HostHeader *string `json:"hostheader,omitempty" description:"The endpoint used to connect to Amazon S3."`
	TLSVersion *string `` /* 194-byte string literal not displayed */
	AdditionalFields []string `json:"additionalFields,omitempty" description:"The remaining columns in the record as an array."`
	// NOTE: added to end of struct to allow expansion later
	// Embedded last so new log fields can be inserted above it (see AWSPantherLog).
	AWSPantherLog
}
nolint:lll
type S3ServerAccessParser ¶
// S3ServerAccessParser parses AWS S3 Server Access logs (log type
// TypeS3ServerAccess). LogType reports the type, New returns a fresh parser
// and Parse turns one log line into events.
type S3ServerAccessParser struct {
	// CSVReader is the streaming reader Parse splits each delimited access
	// log line with.
	CSVReader *csvstream.StreamingCSVReader
}
S3ServerAccessParser parses AWS S3 Server Access logs
func (*S3ServerAccessParser) LogType ¶
func (p *S3ServerAccessParser) LogType() string
LogType returns the log type supported by this parser
func (*S3ServerAccessParser) New ¶ added in v0.3.0
func (p *S3ServerAccessParser) New() parsers.LogParser
func (*S3ServerAccessParser) Parse ¶
func (p *S3ServerAccessParser) Parse(log string) ([]*parsers.PantherLog, error)
Parse returns the parsed events or nil if parsing failed
type VPCDns ¶ added in v1.15.0
// VPCDns is one Route 53 Resolver query log record for a VPC (log type
// TypeVPCDns). AccountID and SrcAddr carry panther tags for indicator
// collection; per-answer indicators come from DNSAnswer.WriteValuesTo and
// the whole record's from VPCDns.WriteValuesTo. QueryName is the name the
// client asked for and is recorded as-is.
type VPCDns struct {
	Version pantherlog.String `` /* 189-byte string literal not displayed */
	AccountID pantherlog.String `json:"account_id" validate:"required" panther:"aws_account_id" description:"The ID of the AWS account that created the VPC."`
	Region pantherlog.String `json:"region" validate:"required" description:"The AWS Region that you created the VPC in."`
	VPCID pantherlog.String `json:"vpc_id" validate:"required" description:"The ID of the VPC that the query originated in."`
	QueryTimestamp pantherlog.Time `` /* 195-byte string literal not displayed */
	QueryName pantherlog.String `` /* 150-byte string literal not displayed */
	QueryType pantherlog.String `` /* 177-byte string literal not displayed */
	QueryClass pantherlog.String `json:"query_class" validate:"required" description:"The class of the query."`
	Rcode pantherlog.String `` /* 422-byte string literal not displayed */
	Answers []DNSAnswer `json:"answers" validate:"required" description:"Answers to the query"`
	SrcAddr pantherlog.String `json:"srcaddr" validate:"required" panther:"ip" description:"The IP address of the instance that the query originated from."`
	// SrcPort is kept as a string as logged; it is not validated as a port number.
	SrcPort pantherlog.String `json:"srcport" validate:"required" description:"The port on the instance that the query originated from."`
	Transport pantherlog.String `json:"transport" validate:"required" description:"The protocol used to submit the DNS query."`
	SrcIDs DNSSrcID `` /* 128-byte string literal not displayed */
}
nolint:lll
func (*VPCDns) WriteValuesTo ¶ added in v1.15.0
func (vpcdns *VPCDns) WriteValuesTo(w pantherlog.ValueWriter)
type VPCFlow ¶
// VPCFlow is one VPC Flow Log record. Most fields are optional pointers
// (omitempty); only Start and End are validate:"required", even though their
// JSON tags also say omitempty. Field tags that are not displayed here
// (SrcAddr, DstAddr, Action, LogStatus, ...) cannot be confirmed from this view.
type VPCFlow struct {
Version *int `` /* 165-byte string literal not displayed */
// AccountID, when present, must be exactly 12 numeric characters.
AccountID *string `json:"account,omitempty" validate:"omitempty,len=12,numeric" description:"The AWS account ID for the flow log."`
InterfaceID *string `json:"interfaceId,omitempty" description:"The ID of the network interface for which the traffic is recorded."`
// SrcAddr/DstAddr: tags not displayed; presumably tagged as IP indicators
// like VPCDns.SrcAddr — TODO confirm in source.
SrcAddr *string `` /* 258-byte string literal not displayed */
DstAddr *string `` /* 262-byte string literal not displayed */
// SrcPort/DstPort are range-checked to 0..65535 when present.
SrcPort *int `json:"srcPort,omitempty" validate:"omitempty,min=0,max=65535" description:"The source port of the traffic."`
DstPort *int `json:"dstPort,omitempty" validate:"omitempty,min=0,max=65535" description:"The destination port of the traffic."`
// Protocol, Packets and Bytes carry no validation beyond being optional.
Protocol *int `json:"protocol,omitempty" description:"The IANA protocol number of the traffic."`
Packets *int `json:"packets,omitempty" description:"The number of packets transferred during the flow."`
Bytes *int `json:"bytes,omitempty" description:"The number of bytes transferred during the flow."`
// Start/End are the only required fields of the record.
Start *timestamp.RFC3339 `json:"start,omitempty" validate:"required" description:"The time of the start of the flow (UTC)."`
End *timestamp.RFC3339 `json:"end,omitempty" validate:"required" description:"The time of the end of the flow (UTC)."`
Action *string `` /* 296-byte string literal not displayed */
LogStatus *string `` /* 413-byte string literal not displayed */
// extended custom fields
VpcID *string `json:"vpcId,omitempty" description:"The ID of the VPC that contains the network interface for which the traffic is recorded."`
SubNetID *string `` /* 131-byte string literal not displayed */
InstanceID *string `` /* 291-byte string literal not displayed */
TCPFlags *int `` /* 379-byte string literal not displayed */
Type *string `json:"trafficType,omitempty" description:"The type of traffic: IPv4, IPv6, or EFA."`
PacketSrcAddr *string `` /* 518-byte string literal not displayed */
PacketDstAddr *string `` /* 526-byte string literal not displayed */
// NOTE: added to end of struct to allow expansion later
// AWSPantherLog supplies the AppendAnyAWS* indicator helpers (see its method list).
AWSPantherLog
}
nolint:lll
type VPCFlowParser ¶
// VPCFlowParser is the parsers.LogParser for VPC Flow Logs; its exported
// state is the streaming CSV reader used to consume the log text.
type VPCFlowParser struct {
// CSVReader reads the flow-log lines as CSV (exact configuration is not visible here).
CSVReader *csvstream.StreamingCSVReader
// contains filtered or unexported fields
}
VPCFlowParser parses AWS VPC Flow logs.
func (*VPCFlowParser) LogType ¶
func (p *VPCFlowParser) LogType() string
LogType returns the log type supported by this parser
func (*VPCFlowParser) New ¶ added in v0.3.0
func (p *VPCFlowParser) New() parsers.LogParser
func (*VPCFlowParser) Parse ¶
func (p *VPCFlowParser) Parse(log string) ([]*parsers.PantherLog, error)
Parse returns the parsed events or nil if parsing failed
type WAFWebACL ¶ added in v1.16.0
// WAFWebACL is one AWS WAF web ACL log record. HTTPRequest, HTTPSourceID,
// Timestamp and WebACLID are validate:"required"; the remaining visible
// fields are optional. Tags not displayed here cannot be confirmed from this view.
type WAFWebACL struct {
Action pantherlog.String `` /* 182-byte string literal not displayed */
FormatVersion pantherlog.Uint8 `json:"formatVersion" description:"The format version for the log."`
// HTTPRequest holds the request metadata and is required.
HTTPRequest HTTPRequest `json:"httpRequest" validate:"required" description:"The metadata about the request."`
HTTPSourceID pantherlog.String `json:"httpSourceId" validate:"required" description:"The source ID. This field shows the ID of the associated resource."`
HTTPSourceName pantherlog.String `` /* 199-byte string literal not displayed */
NonTerminatingMatchingRules []RuleDetail `` /* 189-byte string literal not displayed */
RateBasedRuleList []RateBasedRuleListDetail `json:"rateBasedRuleList" description:"The list of rate-based rules that acted on the request."`
RuleGroupList []RuleGroupListDetail `` /* 136-byte string literal not displayed */
TerminatingRuleID pantherlog.String `` /* 150-byte string literal not displayed */
TerminatingRuleMatchDetails []RuleMatchDetail `` /* 630-byte string literal not displayed */
TerminatingRuleType pantherlog.String `` /* 155-byte string literal not displayed */
// Timestamp is decoded as Unix milliseconds (tcodec:"unix_ms") and is
// marked event_time:"true" — presumably the record's event time.
Timestamp pantherlog.Time `json:"timestamp" validate:"required" tcodec:"unix_ms" event_time:"true" description:"The timestamp in milliseconds."`
WebACLID pantherlog.String `json:"webaclId" validate:"required" description:"The GUID of the web ACL."`
}
AWS WAF Web ACL Log event structure: https://docs.aws.amazon.com/waf/latest/developerguide/logging.html
File naming convention follows the Firehose delivery stream pattern:
- https://docs.aws.amazon.com/firehose/latest/dev/basic-deliver.html#s3-object-name
- The prefix `aws-waf-logs-` is mandatory for Web ACL logging delivery stream names.
nolint:lll,maligned