Documentation
¶
Index ¶
- Variables
- func CreateRollingWritingSystem(fs afero.Fs, clock clock.Clock, tgtDir string, crashFunc func()) (output.ECSWriter, error)
- func CreateStandardWritingSystem(fs afero.Fs, clock clock.Clock, tgtDir string) (output.ECSWriter, error)
- func FormatTSVClose(header TSVHeader, closeTime time.Time) string
- func MapECSRecordsToTSVFiles(ecsRecords []input.ECSRecord) map[TSVFileType][]input.ECSRecord
- func OpenTSVFile(fs afero.Fs, clock clock.Clock, fileType TSVFileType, filePath string) (file afero.File, err error)
- func WriteTSVFooter(fileType TSVFileType, closeTime time.Time, fileWriter io.Writer) error
- func WriteTSVHeader(fileType TSVFileType, openTime time.Time, fileWriter io.Writer) error
- func WriteTSVLines(fileType TSVFileType, outputData []input.ECSRecord, fileWriter io.Writer) error
- type ConnTSV
- type DnsTSV
- type RollingWriter
- type StandardWriter
- type TSVFileType
- type TSVHeader
Constants ¶
This section is empty.
Variables ¶
var RegisteredTSVFileTypes []TSVFileType
RegisteredTSVFileTypes is initialized with the supported Zeek file types when the zeek package is imported See conn.go and dns.go.
Functions ¶
func CreateRollingWritingSystem ¶
func CreateRollingWritingSystem(fs afero.Fs, clock clock.Clock, tgtDir string, crashFunc func()) (output.ECSWriter, error)
CreateRollingWritingSystem constructs new rolling writer system
func CreateStandardWritingSystem ¶
func CreateStandardWritingSystem(fs afero.Fs, clock clock.Clock, tgtDir string) (output.ECSWriter, error)
CreateStandardWritingSystem Creates a single shot writer system
func FormatTSVClose ¶
FormatTSVClose returns the close footer that is included at the end of each Zeek TSV file
func MapECSRecordsToTSVFiles ¶
func MapECSRecordsToTSVFiles(ecsRecords []input.ECSRecord) map[TSVFileType][]input.ECSRecord
MapECSRecordsToTSVFiles maps the given Elastic Common Schema records to the Zeek files that they should be written to
func OpenTSVFile ¶
func OpenTSVFile(fs afero.Fs, clock clock.Clock, fileType TSVFileType, filePath string) (file afero.File, err error)
OpenTSVFile opens a Zeek TSV file at the given file path. If the file does not exist, this function creates the file and writes out the appropriate Zeek TSV header as described by the given Zeek file type.
func WriteTSVFooter ¶
WriteTSVFooter writes out the footer for a Zeek TSV file of the given type
func WriteTSVHeader ¶
WriteTSVHeader writes out the header for a newly opened Zeek TSV file of the given type
func WriteTSVLines ¶
WriteTSVLines writes out Elastic Common Schema records as lines of the given Zeek TSV file type to the given writer
Types ¶
type RollingWriter ¶
type RollingWriter struct {
// contains filtered or unexported fields
}
RollingWriter is our continuous writer, expects packet sessions in and will print to a spool file until the end of the hour and will rotate them
func (*RollingWriter) Close ¶
func (w *RollingWriter) Close() error
Close will close out the file progress and save everything from spool to main log output
func (*RollingWriter) WriteECSRecords ¶
func (w *RollingWriter) WriteECSRecords(outputData []input.ECSRecord) error
WriteECSRecords writes Elastic Common Schema records out to Zeek files
type StandardWriter ¶
type StandardWriter struct {
// contains filtered or unexported fields
}
StandardWriter is our standard, single output file, will first write everything to single spool then move them to an appropriate, time stamped log file
func (*StandardWriter) Close ¶
func (w *StandardWriter) Close() error
Close will close all open sessions and rotate everything from spool data to logs
func (*StandardWriter) WriteECSRecords ¶
func (w *StandardWriter) WriteECSRecords(outputData []input.ECSRecord) error
WriteECSRecords writes Elastic Common Schema records out to Zeek files
type TSVFileType ¶
type TSVFileType interface {
//Header returns a ZeekHeader struct detailing the format of this Zeek TSV file type
Header() TSVHeader
//FormatLines formats Elastic Common Schema records as lines of this Zeek TSV file type
FormatLines(outputData []input.ECSRecord) (output string, err error)
//HandlesECSRecord turns true if the data in the given ECS record can be formatted as a line of this Zeek TSV file type
HandlesECSRecord(data input.ECSRecord) bool
}
TSVFileType provides methods for formatting ECSRecords as Zeek TSV entries
type TSVHeader ¶
type TSVHeader struct {
Separator string
SetSeparator string
EmptyField string
UnsetField string
Path string
OpenTime time.Time
Fields []string
Types []string
}
TSVHeader represents the header fields of a Zeek TSV document
Source Files