msticpy.analysis.syslog_utils module

syslog_utils - Syslog parsing and utility module.

Functions required to correctly collect, parse and visualize syslog data.

Designed to support standard Linux syslog for investigations where auditd is not available.

msticpy.analysis.syslog_utils.cluster_syslog_logons_df(logon_events: DataFrame) → DataFrame

Cluster logon sessions in syslog by start/end time based on PAM events.

Parameters:

logon_events (pd.DataFrame) – A DataFrame of all syslog logon events (can be generated with the LinuxSyslog.user_logon query)

Returns:

logon_sessions – A DataFrame of logon sessions including start and end times and the logged-on user

Return type:

pd.DataFrame

Raises:

MsticpyException – There are no logon sessions in the supplied data set

msticpy.analysis.syslog_utils.create_host_record(syslog_df: DataFrame, heartbeat_df: DataFrame, az_net_df: DataFrame | None = None) → Host

Generate host_entity record for selected computer.

Parameters:
  • syslog_df (pd.DataFrame) – A DataFrame of all syslog events for the host in the required time window

  • heartbeat_df (pd.DataFrame) – A DataFrame of heartbeat data for the host

  • az_net_df (pd.DataFrame) – Optional DataFrame of Azure network data for the host

Returns:

Details of the host data collected

Return type:

Host

msticpy.analysis.syslog_utils.risky_sudo_sessions(sudo_sessions: DataFrame, risky_actions: dict | None = None, suspicious_actions: list | None = None) → dict

Detect if a sudo session occurs at the point of a suspicious event.

Parameters:
  • sudo_sessions (pd.DataFrame) – DataFrame of sudo sessions (as generated by cluster_syslog_logons_df)

  • risky_actions (dict (Optional)) – Dictionary of risky sudo commands (as generated by cmd_line.risky_cmd_line)

  • suspicious_actions (list (Optional)) – List of risky sudo commands (as generated by cmd_line.cmd_speed)

Returns:

risky_sessions – A dictionary of sudo sessions with flags denoting risk

Return type:

dict
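The two functions above, cluster_syslog_logons_df and risky_sudo_sessions, work together: PAM "session opened"/"session closed" events are paired into logon sessions, and each session is then flagged if a risky sudo command falls inside its time window. The following is an added illustration of that technique written for this page; it is not msticpy code and does not use pandas, so the sessions are plain lists of dicts rather than DataFrames. The syslog lines, the year used to complete the timestamps, the risky-command patterns and the function names are all constructed assumptions.

```python
"""Pair PAM session events into logon sessions and flag the ones that contain a
risky sudo command. Added example (not msticpy code); standard library only."""
import re
from datetime import datetime

# Constructed sample syslog lines (not real data). Syslog lines carry no year,
# so an assumed year is supplied when parsing.
SAMPLE_SYSLOG = """\
Mar  3 10:00:01 host1 sshd[1201]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar  3 10:05:12 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar  3 10:10:30 host1 sshd[1201]: pam_unix(sshd:session): session closed for user alice
Mar  3 11:00:00 host1 sshd[1340]: pam_unix(sshd:session): session opened for user bob by (uid=0)
Mar  3 11:02:45 host1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar  3 11:07:00 host1 sshd[1340]: pam_unix(sshd:session): session closed for user bob
Mar  3 12:30:00 host1 sshd[1500]: pam_unix(sshd:session): session opened for user carol by (uid=0)
"""

TS = r"(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})"
PAM_RE = re.compile(
    TS + r" (?P<host>\S+) (?P<proc>[^\[:]+)(?:\[\d+\])?: "
    r"pam_unix\((?P<service>[^:]+):session\): session (?P<action>opened|closed) for user (?P<user>\S+)"
)
SUDO_RE = re.compile(TS + r" (?P<host>\S+) sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$")

# Constructed risk patterns (assumption): regex over the sudo command -> label.
RISKY_PATTERNS = {
    r"/etc/shadow": "credential file access",
    r"\bchmod\b.*[+]s": "setuid bit change",
}


def parse_ts(ts, year):
    """Complete a year-less syslog timestamp; strptime tolerates the double space in 'Mar  3'."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def cluster_logon_sessions(lines, year=2024):
    """Pair PAM 'session opened' and 'session closed' events per (host, user) into sessions."""
    open_sessions = {}  # (host, user) -> FIFO list of start times still awaiting a close
    sessions = []
    for line in lines:
        m = PAM_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m["ts"], year)
        key = (m["host"], m["user"])
        if m["action"] == "opened":
            open_sessions.setdefault(key, []).append(ts)
        else:
            starts = open_sessions.get(key)
            if not starts:
                continue  # close with no matching open (log gap): skip it
            sessions.append({"host": key[0], "user": key[1], "start": starts.pop(0), "end": ts})
    # Sessions never closed inside the window are still open: end is None.
    for (host, user), starts in open_sessions.items():
        for start in starts:
            sessions.append({"host": host, "user": user, "start": start, "end": None})
    if not sessions:
        raise ValueError("There are no logon sessions in the supplied data set")
    return sorted(sessions, key=lambda s: s["start"])


def extract_sudo_commands(lines, year=2024):
    """Pull (host, user, time, command) out of sudo log lines."""
    return [
        {"host": m["host"], "user": m["user"], "time": parse_ts(m["ts"], year), "command": m["cmd"].strip()}
        for m in map(SUDO_RE.match, lines) if m
    ]


def risky_sudo_sessions(sessions, sudo_cmds, risky_patterns=RISKY_PATTERNS):
    """Flag each session whose window contains a sudo command by the same user matching a risky pattern."""
    flagged = []
    for s in sessions:
        end = s["end"] or datetime.max  # an open session extends to the end of the window
        reasons = [
            f"{label}: {cmd['command']}"
            for cmd in sudo_cmds
            if cmd["host"] == s["host"] and cmd["user"] == s["user"] and s["start"] <= cmd["time"] <= end
            for pattern, label in risky_patterns.items()
            if re.search(pattern, cmd["command"])
        ]
        flagged.append({**s, "risky": bool(reasons), "reasons": reasons})
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_SYSLOG.splitlines()
    for s in risky_sudo_sessions(cluster_logon_sessions(lines), extract_sudo_commands(lines)):
        print(s["user"], s["start"], s["end"], "RISKY" if s["risky"] else "ok", s["reasons"])
```

Sessions are matched per (host, user) in FIFO order, which is the simplest pairing and is adequate when a user has one interactive session at a time; the msticpy function works on a DataFrame of PAM events and may pair differently. Sessions with no close event inside the collection window are kept with an open end so that a later risky command is still attributed to them.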