Changed formatters to use configuration log2timeline#444

joachimmetz · Feb 23, 2020 · 64fec1c · 64fec1c
1 parent c75a297
commit 64fec1c
Show file tree

Hide file tree

Showing 22 changed files with 76 additions and 424 deletions.
diff --git a/data/formatters.yaml b/data/formatters.yaml
@@ -61,6 +61,48 @@ short_source: 'WebViewCache'
 source: 'Android WebViewCache'
 ---
 type: 'conditional'
+data_type: 'apache:access'
+message:
+- 'http_request: {http_request}'
+- 'from: {ip_address}'
+- 'code: {http_response_code}'
+- 'referer: {http_request_referer}'
+- 'user_agent: {http_request_user_agent}'
+- 'server_name: {server_name}'
+- 'port: {port_number}'
+short_message:
+- '{http_request}'
+- 'from: {ip_address}'
+short_source: 'LOG'
+source: 'Apache Access'
+---
+type: 'conditional'
+data_type: 'apt:history:line'
+message:
+- '{packages}'
+- '[{command}]'
+- '[{error}]'
+- '[{requester}]'
+short_message:
+- '{packages}'
+short_source: 'LOG'
+source: 'APT History Log'
+---
+type: 'basic'
+data_type: 'bash:history:command'
+message: 'Command executed: {command}'
+short_message: '{command}'
+short_source: 'LOG'
+source: 'Bash History'
+---
+type: 'basic'
+data_type: 'macosx:application_usage'
+message: '{application} v.{app_version} (bundle: {bundle_id}). Launched: {count} time(s)'
+short_message: '{application} ({count} time(s))'
+short_source: 'LOG'
+source: 'Application Usage'
+---
+type: 'conditional'
 data_type: 'windows:registry:amcache'
 message:
 - 'path: {full_path}'
@@ -97,3 +139,31 @@ short_message:
 - 'name: {name}'
 short_source: 'AMCACHEPROGRAM'
 source: 'Amcache Programs Registry Entry'
+---
+type: 'conditional'
+data_type: 'windows:registry:appcompatcache'
+message:
+- '[{key_path}]'
+- 'Cached entry: {entry_index}'
+- 'Path: {path}'
+short_message:
+- 'Path: {path}'
+short_source: 'REG'
+source: 'AppCompatCache Registry Entry'
+---
+type: 'basic'
+data_type: 'windows:registry:bagmru'
+message: '[{key_path}] {entries}'
+short_message: '[{key_path}] {entries}'
+short_source: 'REG'
+source: 'Registry Key : BagMRU'
+---
+type: 'conditional'
+data_type: 'windows:registry:bam'
+message:
+- '{binary_path}'
+- '[{user_sid}]'
+short_message:
+- '{binary_path}'
+short_source: 'REG'
+source: 'Background Activity Moderator Registry Entry'
diff --git a/plaso/formatters/__init__.py b/plaso/formatters/__init__.py
@@ -1,14 +1,7 @@
 # -*- coding: utf-8 -*-
 """This file contains an import statement for each formatter."""
 
-from plaso.formatters import apache_access
-from plaso.formatters import appcompatcache
-from plaso.formatters import appusage
-from plaso.formatters import apt_history
 from plaso.formatters import asl
-from plaso.formatters import bagmru
-from plaso.formatters import bam
-from plaso.formatters import bash_history
 from plaso.formatters import bencode_parser
 from plaso.formatters import bsm
 from plaso.formatters import ccleaner

diff --git a/plaso/formatters/apache_access.py b/plaso/formatters/apache_access.py
diff --git a/plaso/formatters/appcompatcache.py b/plaso/formatters/appcompatcache.py
diff --git a/plaso/formatters/appusage.py b/plaso/formatters/appusage.py
diff --git a/plaso/formatters/apt_history.py b/plaso/formatters/apt_history.py
diff --git a/plaso/formatters/bagmru.py b/plaso/formatters/bagmru.py
diff --git a/plaso/formatters/bam.py b/plaso/formatters/bam.py
diff --git a/plaso/formatters/bash_history.py b/plaso/formatters/bash_history.py
diff --git a/tests/formatters/apache_access.py b/tests/formatters/apache_access.py
diff --git a/tests/formatters/appcompatcache.py b/tests/formatters/appcompatcache.py
diff --git a/tests/formatters/appusage.py b/tests/formatters/appusage.py