Feature Request Cisco ASA Logfiles

[Moneysac90]

Currently Cisco ASA Logfiles cannot be processed. See example file attached.

cisco_ASA_example.log

[joachimmetz]

@Moneysac90 do you plan to work on this?

[Moneysac90]

@joachimmetz

Yes I am already trying but I just don't understand how log2timeline (or psteal.py) calls the parsers. I followed the documentation and I executed the following command:

log2timeline.py --parsers cisco_asa ../test_data/cisco_ASA.log --artifact_definitions ../test_data/artifacts/artifacts.yaml

this results in an error every single time:

Source path             : /home/parallels/plaso/test_data/cisco_ASA.log
Source type             : single file
Processing time         : 00:00:00

Processing started.
Unknown parser or plugin names in element(s): "cisco_asa" of parser filter expression: cisco_asa

It would also be great to have some kind of development template. So anyone who wants to develop a new parser can start programming the logic rather than messing with the log2time architecture.

[joachimmetz]

And this is not providing you sufficient information?

• https://plaso.readthedocs.io/en/latest/sources/developer/index.html
• https://plaso.readthedocs.io/en/latest/sources/developer/How-to-write-a-parser.html
• https://plaso.readthedocs.io/en/latest/sources/developer/How-to-write-a-parser.html#writing-a-parser

[Moneysac90]

@joachimmetz Unfortunately not. I followed the documentation and created the parser (cisco_asa.py). The location is /parsers/text_plugins/cisco_asa.py. I also included the imports in the __init__.py files.

How do I call log2timeline.py to specify my own parser?

log2timeline.py --info does also not show my parser.

[joachimmetz]

without the code hard for me to tell, do you have a WIP branch somewhere?

[Moneysac90]

@joachimmetz

I just forked the repository and added the changed files. Please see:

Moneysac90@a95e721

[joachimmetz]

log2timeline.py --info does also not show my parser.

to double check you are running with the edited version as your main log2timeline module?

PYTHONPATH=. tools/log2timeline.py --info

[joachimmetz]

PYTHONPATH=. ./tools/log2timeline.py --info
Traceback (most recent call last):
  File "plaso/./tools/log2timeline.py", line 11, in <module>
    from plaso.cli import log2timeline_tool
  File "plaso/plaso/cli/log2timeline_tool.py", line 14, in <module>
    from plaso.cli import extraction_tool
  File "plaso/plaso/cli/extraction_tool.py", line 20, in <module>
    from plaso import parsers  # pylint: disable=unused-import
    ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "plaso/plaso/parsers/__init__.py", line 62, in <module>
    from plaso.parsers import text_plugins
  File "plaso/plaso/parsers/text_plugins/__init__.py", line 9
    from plaso.parsers.text_plugins import cisco.asa

Looks like you have a rogue incorrect import in your __init__.py remove from plaso.parsers.text_plugins import cisco.asa

[joachimmetz]

Some more issues in the code:

AttributeError: type object 'CiscoASA' has no attribute 'NAME'

Looks like you're registering the event data object as a text parser plugin in Moneysac90@a95e721#diff-8faecfb4fbda4f18715f4649930bf2f42291b1633446038fa33fb420ae4bdb72R308

[joachimmetz]

After making those changes PYTHONPATH=. tools/log2timeline.py --info works fine for me on your changes

[Moneysac90]

okay, thanks for pointing out the issues. Unfortunately I encounter the next issue:

PYTHONPATH=. tools/log2timeline.py --data test_data/cisco_ASA.log --parsers plaso/parsers/text_plugins/cisco_asa.py 
2023-05-16 20:16:35,778 [INFO] (MainProcess) PID:574547 <data_location> Determined data location: test_data/cisco_ASA.log
ERROR: No such parser presets file: test_data/cisco_ASA.log/presets.yaml.

How can I call my parser (cisco_asa.py) to specifically parse the example log file cisco_ASA.log ?

[joachimmetz]

PYTHONPATH=. tools/log2timeline.py  --parsers cisco_asa test_data/cisco_ASA.log

[joachimmetz]

@Moneysac90 were you planning to submit your changes as a PR?