|get_version()||Returns the version number of the input module.|
|get_description()||Returns a string containing a short description of the functionality of the input module. This string is used when a list of all available input modules is printed using log2timeline, so it should be very short, mostly saying which type of log file/artifact/directory this input module is designed to parse.|
|prepare_file( $file, @ARGV )||
The purpose of this subfunction is to prepare the log file or artifact for parsing. Usually this involves just opening the file (if plain text) or otherwise building a structure that can be used by other functions.
This function accepts the path to the log file/directory/artifact to parse as well as an array containing the parameters passed to the input module. These parameters are used to adjust settings of the input module, such as to provide a username and a hostname to include in the timeline.
The function returns an integer indicating whether or not it was successful at preparing the input file/directory/artifact for further processing.
|load_line()||
This function starts by checking whether there are any lines left in the log file/artifact that contain a date value that needs to be parsed. It then loads the line (or an index value) into a global variable that can be read by the function parse_line and returns the value 1 to the main script, indicating that a line has been loaded.
When all of the lines in the log file/directory/artifact have been parsed, a zero is returned to the main script, indicating that there are no more lines to parse.
A subroutine that closes the file after it has been parsed and performs any additional operations needed to close the file/directory/artifact that was parsed (such as disconnecting any database connections).
The subroutine returns an integer indicating whether or not it was successful at closing the file.
|parse_line()||
This is usually the main subroutine of the format file. It depends on the subroutine load_line, which loads a line of the log file into a global variable; parse_line then parses that line to produce the hash t_line, which the main script reads and sends to the output modules to produce a timeline or a bodyfile.
The content of the hash t_line is the following:
The subroutine returns a reference to the hash (t_line) that will be used by the main script (log2timeline) to produce the actual timeline. The hash is processed by the main script before being forwarded to an output module for the actual printing of a bodyfile.
|get_help()||A simple subroutine that returns a string containing the help message for this particular input module. This also contains a longer description of the input module, describing each parameter that can be passed to the module. It sometimes contains a list of all dependencies and possibly some instructions on how to install them on the system, to make it easier to set up the input module.|
|verify( $log_file )||
This subroutine takes as an argument the file name to be parsed (file/dir/artifact) and verifies its structure to determine if it is really of the correct format.
It is also important to validate the file because the scanner function will try to parse every file it finds, and it uses this verify function to determine whether or not a particular file/dir/artifact is supported. It is therefore very important to implement this function so that it verifies the file structure without false positives and without taking too long.
This subroutine returns a reference to a hash that contains two values
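As an added illustration (not log2timeline's own code, nor the ftk_dirlisting module) of the lifecycle described above, the following is a minimal input module together with a small stand-in for the main script's driving loop: verify, then prepare_file, then load_line/parse_line until load_line returns 0, then a closing routine. The listing format, the hash keys in t_line and in verify's return value, and the name end_file for the closing routine are assumptions, since this page does not list them; the "file" is an in-memory string so the example runs stand-alone.

```perl
# Added example (not log2timeline's own code): a minimal input module plus a
# stand-in for the main script's driving loop. Hash keys, the end_file name
# and the listing format are assumptions; the "file" is an in-memory string.
use strict;
use warnings;
my $fh;     # filehandle set by prepare_file()
my $line;   # global line set by load_line(), read by parse_line()
# Constructed sample listing: path<TAB>epoch<TAB>size (not the FTK export format).
my $sample = "C:/Users/a/notes.txt\t1262304000\t42\n"
           . "C:/Users/a/run.exe\tnot-a-time\t0\n"       # malformed timestamp
           . "C:/Windows/hosts\t1262390400\t7\n";
sub get_version     { return '0.1'; }
sub get_description { return 'Parse a constructed tab-separated directory listing'; }
sub get_help        { return "Takes no parameters.\n"; }
# verify: cheap structural check so the scanner neither mis-detects files nor
# spends long on each candidate. Returns a hash ref (assumed keys success/msg).
sub verify {
    my $log_file = shift;
    open(my $in, '<', \$log_file) or return { success => 0, msg => 'cannot open' };
    my $first = <$in>;
    close $in;
    return { success => 0, msg => 'empty file' } unless defined $first;
    my @cols = split /\t/, $first;
    return { success => 0, msg => 'expected 3 columns' } unless @cols == 3;
    return { success => 1, msg => 'looks like a listing' };
}
sub prepare_file { my ($file, @params) = @_; return open($fh, '<', \$file) ? 1 : 0; }
sub load_line    { $line = <$fh>; return defined $line ? 1 : 0; }
sub end_file     { close $fh; return 1; }
# parse_line: build the t_line hash ref from the global line; return nothing
# for a record with no usable timestamp so the caller can skip it.
sub parse_line {
    chomp(my $l = $line);
    my ($path, $ts, $size) = split /\t/, $l;
    return unless defined $ts && $ts =~ /^\d+$/;
    return { time  => { 0 => { value => $ts, type => 'Listed', legacy => 15 } },
             desc  => "$path ($size bytes)", short => $path,
             source => 'LIST', sourcetype => 'dirlisting', version => 2, extra => {} };
}
# Stand-in for the main script: verify, prepare, loop on load_line, then close.
my $v = verify($sample);
die "verify failed: $v->{msg}\n" unless $v->{success};
prepare_file($sample) or die "prepare_file failed\n";
while (load_line()) {
    my $t = parse_line() or next;
    printf "%s %s\n", $t->{time}{0}{value}, $t->{desc};
}
end_file();
```

The malformed second record is skipped by parse_line rather than aborting the run, which is the behaviour a practitioner usually wants when a listing has a few damaged rows.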
Kristinn Gudjonsson <kristinn (a t) log2timeline ( d o t ) net> is the original author of the program.
The tool is released under the GPL, so anyone can contribute to it. Copyright 2009.
|perl v5.20.3||LOG2T::INPUT::FTK_DIRLISTING (3)||2012-05-22|