Support overriding/extending Plaso formatter definitions #2881

Merged
merged 8 commits into from
Sep 7, 2023

Conversation

@berggren berggren commented Sep 7, 2023

Plaso has a new feature where it is possible to provide your own formatter definition file that will override/extend the built-in formatters. This enables us to alter some message strings to better align with Timesketch UX goals.

For example: We can show Event Log message strings up front whenever they are available.

closes: #2880
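Added example (this is not code from the PR, Timesketch or Plaso): a small Python model of the override/extend semantics the description above relies on. A custom definition with the same data_type replaces the built-in one, a custom definition with a new data_type extends the set, and a "conditional" message template drops any segment whose attributes are absent on the event, which is what lets a message string be shown first whenever it is available. The key names (data_type, type, message) and the "conditional"/"basic" definition types are assumptions about Plaso's YAML schema; the definitions and events are constructed sample data, not Plaso output.

```python
"""Model of override/extend for formatter definitions (added example, not Plaso's code).

Assumed schema (not verified against Plaso): each definition has data_type, type
("basic" or "conditional") and message (a format string, or a list of segments).
"""

import re
from typing import Any, Dict, List

Definition = Dict[str, Any]
Event = Dict[str, Any]

# Constructed stand-in for built-in definitions (hypothetical subset of fields).
BUILTIN_DEFINITIONS: List[Definition] = [
    {
        "data_type": "windows:evtx:record",
        "type": "conditional",
        "message": [
            "[{event_identifier} /",
            "0x{event_identifier:04x}]",
            "Source Name: {source_name}",
            "Message string: {message_string}",
            "Strings: {strings}",
        ],
    },
    {"data_type": "syslog:line", "type": "basic", "message": "{body}"},
]

# Constructed override file: same data_type with the message string moved first,
# plus one entirely new data_type (extension rather than override).
CUSTOM_DEFINITIONS: List[Definition] = [
    {
        "data_type": "windows:evtx:record",
        "type": "conditional",
        "message": [
            "{message_string}",
            "[{event_identifier} /",
            "0x{event_identifier:04x}]",
            "Source Name: {source_name}",
            "Strings: {strings}",
        ],
    },
    {"data_type": "example:app:record", "type": "basic", "message": "{component}: {text}"},
]

# Matches "{name}" or "{name:spec}" as written in str.format templates.
_PLACEHOLDER = re.compile(r"\{(\w+)(?::[^}]*)?\}")


def merge_definitions(builtin: List[Definition], custom: List[Definition]) -> Dict[str, Definition]:
    """Return definitions keyed by data_type; custom entries win over built-ins."""
    merged = {definition["data_type"]: definition for definition in builtin}
    for definition in custom:
        missing = {"data_type", "type", "message"} - set(definition)
        if missing:
            raise ValueError(f"custom definition missing keys {sorted(missing)}: {definition}")
        merged[definition["data_type"]] = definition
    return merged


def format_message(definition: Definition, event: Event) -> str:
    """Render one event; conditional segments appear only when every attribute
    they reference is present and non-empty on the event."""
    if definition["type"] == "basic":
        return definition["message"].format(**event)
    parts = []
    for segment in definition["message"]:
        names = _PLACEHOLDER.findall(segment)
        if all(event.get(name) not in (None, "") for name in names):
            parts.append(segment.format(**event))
    return " ".join(parts)


def render(definitions: Dict[str, Definition], event: Event) -> str:
    """Pick the definition for the event's data_type and format the event with it."""
    if event.get("data_type") not in definitions:
        raise KeyError(f"no formatter definition for data_type {event.get('data_type')!r}")
    return format_message(definitions[event["data_type"]], event)


MERGED = merge_definitions(BUILTIN_DEFINITIONS, CUSTOM_DEFINITIONS)
BUILTIN_ONLY = merge_definitions(BUILTIN_DEFINITIONS, [])

# Constructed sample events: one with a resolved message string, one without.
LOGON_WITH_MESSAGE: Event = {
    "data_type": "windows:evtx:record",
    "event_identifier": 4624,
    "source_name": "Microsoft-Windows-Security-Auditing",
    "message_string": "An account was successfully logged on.",
    "strings": "S-1-5-18, SYSTEM",
}
LOGON_WITHOUT_MESSAGE: Event = {k: v for k, v in LOGON_WITH_MESSAGE.items() if k != "message_string"}

if __name__ == "__main__":
    for label, defs in (("built-in", BUILTIN_ONLY), ("with override", MERGED)):
        print(f"{label}: {render(defs, LOGON_WITH_MESSAGE)}")
        print(f"{label}, no message string: {render(defs, LOGON_WITHOUT_MESSAGE)}")
    print(render(MERGED, {"data_type": "example:app:record", "component": "auth", "text": "ok"}))
```

The point of the second sample event is the failure mode that matters for the UX change: when the message string could not be resolved, the override must degrade to the same fields the built-in definition shows rather than emit an empty or literal "{message_string}" prefix, which is what the attribute-presence check on each segment gives you.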

@berggren berggren self-assigned this Sep 7, 2023
@berggren berggren marked this pull request as ready for review September 7, 2023 09:56
@berggren berggren requested a review from jkppr September 7, 2023 09:56
@jkppr jkppr left a comment

lgtm, just one small comment for the 404 url.

# Plaso uses formatter definitions to format events into a human readable format.
# The formatter definitions are defined in YAML and loaded by Plaso at runtime.
# This file overrides or extends the default formatter definitions.
# For more information about the formatter definitions see: https://plaso.readthedocs.io/en/latest/sources/user/Windows-Event-Log-Files.html#event-log-message-formatters
Collaborator

The URL results in a 404 page for me.

Contributor Author

removed

Contributor Author

I take it back - added a working link

Collaborator

Is there any documentation on the configuration format and what fields are available?

Contributor Author

No, that is on the plaso side and it only exist in code.

Contributor Author

I was wrong, there is documentation on the plaso side. I have linked it back in, with a working link this time :)

@berggren berggren merged commit 15a0ac5 into master Sep 7, 2023
27 checks passed
@berggren berggren deleted the plaso-formatters branch September 7, 2023 14:04
Development

Successfully merging this pull request may close these issues.

Override/extend Plaso formatter definitions