Module s4lib::data

The data module is specialized data containers for Blocks, Lines, Syslines, FixedStruct, Evtx, and JournalEntrys.

Definitions of data

Sysline

A Sysline is composed of several specialized structs.

Block

A “block” is a sequence of contiguous bytes in a file that:

• have the same length as other blocks in the file, except for the last block which has an equal or lesser length.

A “block” is represented by a Block and retrieved by a BlockReader.

Line

A “line” is sequence of bytes residing on “blocks” that:

• begin after a prior “line” or the beginning of a file.
• end with a newline character '\n' or the end of a file.

A “line” is represented by a Line and found by a LineReader.

Sysline

A “sysline” is sequence of “lines” that:

• have a datetime stamp on the first “line”.
• have a datetime stamp format similar to other “sysline“s in the same file.

A “sysline” is represented by a Sysline and found by a SyslineReader.

A Sysline represents a “log message”.

It is not necessarily referring to an RFC 5424 compliant log message.

Syslog

A “syslog” is a file that:

• has a certain minimum of “sysline“s.

A “syslog” is processed by a SyslogProcessor.

In this project and source code, “syslog” is used loosely; it is not necessarily referring to an RFC 5424 compliant log file.

FixedStruct

A FixedStruct is information about a processed acct, lastlog, lastlogx, utmp, or utmpx record-keeping C struct. It is processed by a FixedStructReader. It uses an underlying BlockReader to read from the file.

A FixedStruct entry represents a “log message”.

Evtx

A Evtx is information about a processed evtx structure processed from a file. It is processed by a EvtxReader.

An Evtx represents a “log message”.

Journal

A JournalEntry is information about a processed systemd journal entry. It is processed by a JournalReader.

A JournalEntry represents a “log message”.

The “Readers” are not rust “Readers”; “Reader” structs do not implement the trait Read. These are “readers” in an informal sense.

Also see Overview of readers.

Modules

• common
  Common types and constants for readers.
• datetime
  Functions to perform regular expression (“regex”) searches on bytes and transform matches to chrono DateTime instances.
• evtx
  Implement Evtx for EvtxRecord.
• fixedstruct
  Implement FixedStruct to represent Unix record-keeping C structs. This includes acct, lastlog, lastlogx, utmp, and utmpx formats for various operating systems and architectures.
• journal
  Data representation of .journal file log message entries.
• line
  Implement Line and underlying LinePart structs.
• sysline
  Implements a Sysline struct.