Logchecker

Getting started

• make sure you have installed Python3
• logchecker depends on pyeti module which is not in PyPI, however, this module should be installed directly from GitHub with any of the methods described below

Use logchecker with installation

• when logchecker is installed as a Python module, it also comes with logchecker script which could be directly executed (depending on Python installation and PATH environment variable)

Using setup.py

• download this repository as a ZIP or using git clone https://github.com/Lifars/log-checker.git
• run inside of this repository command python3 setup.py install on Linux or setup.py install on Windows
• run command logchecker or python3 -m logchecker

Using pip3

• just run command pip3 install git+https://github.com/yeti-platform/pyeti git+https://github.com/Lifars/log-checker.git
• run command logchecker or python3 -m logchecker

Use logchecker without installation

• install dependencies with pip3 install -r requirements.txt
• run command python3 -m logchecker from this directory

User guide

Logchecker supports text-based log files, Windows EVTX logs and any plaintext file. Please note that working with EVTX files in Python is slow. It can be faster to use some other tool to convert EVTX file to text file and run logchecker on that file.

Assume you want to check log file auth.log. Information needed to connect to YETI is in config.ini

The following command will find all IP addresses, domain names and hashes in auth.log, check them in YETI and print information (value, tags, created, sources, original log) to STDOUT in CSV format.

logchecker -c config.ini -f auth.log

All options

usage: logchecker [-h] [-c CONFIG] -f FILE [-o OUTPUT] [-a] [-d] [-H] [-A]
               [-C | -j] [-u URL] [-k KEY]

optional arguments:
  -h, --help            show this help message and exit
  -c CONFIG, --config CONFIG
						Config file path. Config file should contain url of
						YETI database, authorization key and output format. If
						it is present, it overrides --url, --key and
						--csv/--json options.
  -f FILE, --file FILE  [REQUIRED] Log file path.
  -o OUTPUT, --output OUTPUT
						Output file path. If file does not exist, creates new
						file.If not specified, output is printed to STDOUT.
  -a, --address         Search only for ip addresses. If none of the address,
						domain or hash flag is specified, it search for all
						mentioned.
  -d, --domain          Search only for domains. If none of the address,
						domain or hash flag is specified, it search for all
						mentioned.
  -H, --hash            Search only for hashes. If none of the address, domain
						or hash flag is specified, it search for all
						mentioned.
  -A, --all             Show all values in logs. By default it shows only
						values which have record in database.
  -C, --csv             Output in CSV format. This is default option.
  -j, --json            Output in JSON format. By default output is in CSV
						format.
  -u URL, --url URL     URL of YETI instance.
  -k KEY, --key KEY     API key for YETI.

Configuration file

Configuration file should be in INI format. It should contain URL of YETI instance, API key for YETI and output format.

Here is an example of configuration file:

[DEFAULT]
url = http://localhost:5000/api/
api_key = abc123
output_format = json

Note: Values from configuration file override values from command line arguments.