Trait usiem::components::parsing::MultilineLogParser
source · pub trait MultilineLogParser: DynClone + Send {
fn parse_log(
&mut self,
log: SiemLog,
datasets: &DatasetHolder
) -> Result<Option<SiemLog>, LogParsingError>;
fn name(&self) -> &str;
fn description(&self) -> &str;
fn cleaning(&mut self) -> Vec<SiemLog>;
fn unused(&mut self) -> Vec<SiemLog>;
fn schema(&self) -> &'static FieldSchema;
}Expand description
This is the most complex type of parser. It’s statefull to store past logs. Think of the USB event in linux, we need the rest of the logs to extract all information. The Parser component which uses this parsers must be able to store and load past Logs if the user connects to a different SIEM node (LoadBalancing).
Required Methods
sourcefn parse_log(
&mut self,
log: SiemLog,
datasets: &DatasetHolder
) -> Result<Option<SiemLog>, LogParsingError>
fn parse_log(
&mut self,
log: SiemLog,
datasets: &DatasetHolder
) -> Result<Option<SiemLog>, LogParsingError>
Parse the log. If it fails it must give a reason why. This allow optimization of the parsing process.
sourcefn description(&self) -> &str
fn description(&self) -> &str
Description of the parser
sourcefn cleaning(&mut self) -> Vec<SiemLog>
fn cleaning(&mut self) -> Vec<SiemLog>
The connection with the origin has been closed. We must preserve the logs stored inside this parser so another node can use them to parse the logs of the same machine.
sourcefn unused(&mut self) -> Vec<SiemLog>
fn unused(&mut self) -> Vec<SiemLog>
Return those logs that would not be used by the parser, or are older as to reduce the memmory usage.
sourcefn schema(&self) -> &'static FieldSchema
fn schema(&self) -> &'static FieldSchema
Get parser schema