msticpy.analysis.syslog_utils module
syslog_utils - Syslog parsing and utility module.
Functions required to correctly collect, parse and visualize syslog data.
Designed to support standard Linux syslog for investigations where auditd is not available.
- msticpy.analysis.syslog_utils.cluster_syslog_logons_df(logon_events: DataFrame) -> DataFrame
Cluster logon sessions in syslog by start/end time based on PAM events.
- Parameters:
logon_events (pd.DataFrame) – A DataFrame of all syslog logon events (can be generated with the LinuxSyslog.user_logon query)
- Returns:
logon_sessions – A dictionary of logon sessions including start and end times and logged on user
- Return type:
pd.DataFrame
- Raises:
MsticpyException – There are no logon sessions in the supplied data set
- msticpy.analysis.syslog_utils.create_host_record(syslog_df: DataFrame, heartbeat_df: DataFrame, az_net_df: DataFrame | None = None) -> Host
Generate host_entity record for selected computer.
- Parameters:
syslog_df (pd.DataFrame) – A dataframe of all syslog events for the host in the required time window
heartbeat_df (pd.DataFrame) – A dataframe of heartbeat data for the host
az_net_df (pd.DataFrame) – Optional dataframe of Azure network data for the host
- Returns:
Details of the host data collected
- Return type:
Host
- msticpy.analysis.syslog_utils.risky_sudo_sessions(sudo_sessions: DataFrame, risky_actions: dict | None = None, suspicious_actions: list | None = None) -> dict
Detect if a sudo session occurs at the point of a suspicious event.
- Parameters:
sudo_sessions (dict) – Dictionary of sudo sessions (as generated by cluster_syslog_logons)
risky_actions (dict (Optional)) – Dictionary of risky sudo commands (as generated by cmd_line.risky_cmd_line)
suspicious_actions (list (Optional)) – List of risky sudo commands (as generated by cmd_line.cmd_speed)
- Returns:
risky_sessions – A dictionary of sudo sessions with flags denoting risk
- Return type:
dict
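The two steps that cluster_syslog_logons_df and risky_sudo_sessions perform, shown as an added stand-alone example rather than msticpy's own code: pair pam_unix "session opened"/"session closed" lines into logon sessions with start and end times, then flag a sudo session as risky when a suspicious event falls inside it. The syslog lines are constructed, the RFC 3164 timestamp layout and the 2024 year are assumed, and suspicious events are represented simply as timestamps rather than msticpy's risky_actions/suspicious_actions structures.

```python
import re
from datetime import datetime

# Constructed sample syslog (assumed RFC 3164 layout; the year is not in the line).
SAMPLE_SYSLOG = """\
Mar 10 09:00:01 host1 sshd[2001]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar 10 09:05:10 host1 sudo[2050]: pam_unix(sudo:session): session opened for user root by alice(uid=1000)
Mar 10 09:05:42 host1 sudo[2050]: pam_unix(sudo:session): session closed for user root
Mar 10 09:20:00 host1 sshd[2001]: pam_unix(sshd:session): session closed for user alice
Mar 10 11:00:00 host1 sshd[3100]: pam_unix(sshd:session): session opened for user bob by (uid=0)
Mar 10 11:02:00 host1 sshd[3100]: pam_unix(sshd:session): session closed for user bob
"""

# Matches the PAM session open/close lines; everything after the user name is ignored.
PAM_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<proc>\w+)\[(?P<pid>\d+)\]: "
    r"pam_unix\((?P<svc>\w+):session\): session (?P<action>opened|closed) for user (?P<user>\S+)"
)

def parse_ts(ts, year=2024):
    """Assumed year: syslog lines carry no year, so one is supplied."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def cluster_pam_sessions(text):
    """Pair 'session opened' with 'session closed', keyed by PAM service and PID."""
    open_sessions, sessions = {}, []
    for line in text.splitlines():
        m = PAM_RE.search(line)
        if not m:
            continue
        key = (m["svc"], m["pid"])
        if m["action"] == "opened":
            open_sessions[key] = {"user": m["user"], "service": m["svc"],
                                  "start": parse_ts(m["ts"]), "end": None}
        elif key in open_sessions:
            sess = open_sessions.pop(key)
            sess["end"] = parse_ts(m["ts"])
            sessions.append(sess)
    sessions.extend(open_sessions.values())  # sessions never closed keep end=None
    return sorted(sessions, key=lambda s: s["start"])

def flag_risky_sessions(sessions, suspicious_times):
    """Mark a sudo session risky if any suspicious event time falls inside its window."""
    for sess in sessions:
        end = sess["end"] or datetime.max  # an unclosed session is still live
        sess["risky"] = sess["service"] == "sudo" and any(
            sess["start"] <= t <= end for t in suspicious_times)
    return sessions
```

Running `flag_risky_sessions(cluster_pam_sessions(SAMPLE_SYSLOG), [datetime(2024, 3, 10, 9, 5, 30)])` yields three sessions, of which only alice's sudo session (09:05:10 to 09:05:42) is flagged.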