/etc/aminer/conf-available/generic/EximParsingModel.py is in logdata-anomaly-miner 0.0.7-1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
from aminer.parsing import AnyByteDataModelElement
from aminer.parsing import DecimalIntegerValueModelElement
from aminer.parsing import DelimitedDataModelElement
from aminer.parsing import FirstMatchModelElement
from aminer.parsing import FixedDataModelElement
from aminer.parsing import FixedWordlistDataModelElement
from aminer.parsing import IpAddressDataModelElement
from aminer.parsing import OptionalMatchModelElement
from aminer.parsing import SequenceModelElement
from aminer.parsing import WhiteSpaceLimitedDataModelElement
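def getModel(userNameModel=None):
  """Build the parsing model for Exim main-log lines.

  The model covers the part of a log line that follows any standard
  logging preamble (e.g. the syslog timestamp/host prefix): the literal
  ``exim[<pid>]: `` program tag, then the first matching one of several
  message shapes (queue-run start/end, message reception ``<=``,
  delivery ``=>``/``->``, ``Completed``, daemon start).

  Args:
    userNameModel: accepted for interface compatibility with the other
      generic parsing models; this model does not use it (the ``U=``
      user name is parsed as plain whitespace-delimited data).

  Returns:
    A SequenceModelElement named 'exim' whose 'msg' child is a
    FirstMatchModelElement over the message shapes listed above.
  """
  # FirstMatchModelElement tries the shapes in list order, so a shape
  # must not be preceded by one that could also match its prefix.
  typeChildren = []

  # "Start queue run: pid=N" / "End queue run: pid=N"
  typeChildren.append(SequenceModelElement('queue', [
      FixedWordlistDataModelElement('type', ['Start', 'End']),
      FixedDataModelElement('s0', ' queue run: pid='),
      DecimalIntegerValueModelElement('pid')]))

  # Message reception:
  #   "<id> <= <env-from> H=(<helo>) [<ip>] P=<proto> S=<size>[ id=<msg-id>]"
  # or, for locally submitted mail, " U=<user>" in place of the H=/[ip] part.
  # Only the "H=(" form is accepted: a line carrying anything between "H="
  # and the opening parenthesis (e.g. a resolved host name) does not match
  # this shape and would surface as unparsed.
  # NOTE(review): the H=(...) value is the HELO/EHLO string supplied by the
  # remote client and therefore attacker-controlled; the delimiter used here
  # assumes ") " never occurs inside it. Confirm Exim's log escaping
  # guarantees that, otherwise a crafted HELO mis-splits the record.
  typeChildren.append(SequenceModelElement('rec-log', [
      WhiteSpaceLimitedDataModelElement('id'),
      FixedDataModelElement('s0', ' <= '),
      WhiteSpaceLimitedDataModelElement('env-from'),
      FirstMatchModelElement('source', [
          SequenceModelElement('network', [
              FixedDataModelElement('s0', ' H=('),
              DelimitedDataModelElement('hostname', ') '),
              FixedDataModelElement('s1', ') ['),
              IpAddressDataModelElement('hostip'),
              FixedDataModelElement('s2', ']')]),
          SequenceModelElement('user', [
              FixedDataModelElement('s0', ' U='),
              WhiteSpaceLimitedDataModelElement('user')])
      ]),
      FixedDataModelElement('s2', ' P='),
      WhiteSpaceLimitedDataModelElement('proto'),
      FixedDataModelElement('s3', ' S='),
      DecimalIntegerValueModelElement('size'),
      # The optional " id=" part swallows the remainder of the line
      # unstructured (AnyByte), so nothing after it is validated.
      OptionalMatchModelElement('idopt', SequenceModelElement('iddata', [
          FixedDataModelElement('s0', ' id='),
          AnyByteDataModelElement('id')]))
  ]))

  # Delivery: "<id> => <env-to> R=<router> T=<transport> ..." or
  # "<id> -><env-to> R=... T=..." — note the second separator carries no
  # trailing blank, which is why the two entries differ (kept as in the
  # original model; unverified against Exim output).
  # Everything after T=<transport> is captured as 'unparsed' and not
  # validated further.
  typeChildren.append(SequenceModelElement('send-log', [
      WhiteSpaceLimitedDataModelElement('id'),
      FixedWordlistDataModelElement('s0', [' => ', ' ->' ]),
      DelimitedDataModelElement('env-to', ' R='),
      FixedDataModelElement('s1', ' R='),
      WhiteSpaceLimitedDataModelElement('route'),
      FixedDataModelElement('s2', ' T='),
      WhiteSpaceLimitedDataModelElement('transport'),
      AnyByteDataModelElement('unparsed')
  ]))

  # "<id> Completed"
  typeChildren.append(SequenceModelElement('sent', [
      WhiteSpaceLimitedDataModelElement('id'),
      FixedDataModelElement('s0', ' Completed')]))

  # Daemon start. The trailing fixed text pins the exact queue-runner
  # interval and listener (-q30m, [127.0.0.1]:25): a daemon started with
  # any other options produces a start line that this model reports as
  # unparsed. That strictness is intentional for an anomaly miner (an
  # unexpected daemon configuration is worth noticing), so it is left
  # as-is; widen it deliberately if the deployment differs.
  typeChildren.append(SequenceModelElement('started', [
      FixedDataModelElement('s0', ' exim '),
      WhiteSpaceLimitedDataModelElement('version'),
      FixedDataModelElement('s1', ' daemon started: pid='),
      DecimalIntegerValueModelElement('pid'),
      FixedDataModelElement('s2', ', -q30m, listening for SMTP on [127.0.0.1]:25')
  ]))

  model = SequenceModelElement('exim', [
      FixedDataModelElement('sname', 'exim['),
      DecimalIntegerValueModelElement('pid'),
      FixedDataModelElement('s0', ']: '),
      FirstMatchModelElement('msg', typeChildren)])
  return model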