Added multiple TeamViewer text log file parser plugins (log2timeline#…

…4847)
joachimmetz · Apr 2, 2024 · 0e88ae0 · 0e88ae0
1 parent dab1e79
commit 0e88ae0
Show file tree

Hide file tree

Showing 11 changed files with 1,803 additions and 2 deletions.
diff --git a/ACKNOWLEDGEMENTS b/ACKNOWLEDGEMENTS
@@ -45,7 +45,7 @@ Thanks to contributors (alphabetically based on last name):
     * PL-SQL recall (PLSRecall.dat)
 * Eric Mak
 * Preston Miller
-  *Windows Registry Plugins
+  * Windows Registry Plugins
     * SAM Users
     * Shutdown
     * USB
@@ -91,6 +91,10 @@ Thanks to contributors (alphabetically based on last name):
     * USBStor
     * Win7 UserAssist
     * WinRar
+* Atte Niemi
+  * Parsers
+    * Windows User Access Logging (UAL)
+    * TeamViewer
 * Patrik Nisen
   * For providing input for parsing the DestList stream for the automatic
     destinations OLECF plugin

diff --git a/docs/sources/user/Parsers-and-plugins.md b/docs/sources/user/Parsers-and-plugins.md
@@ -211,6 +211,7 @@ snort_fastlog | Parser for Snort3/Suricata fast-log alert log (fast.log) files.
 sophos_av | Parser for Sophos anti-virus log file (SAV.txt) files.
 syslog | Parser for System log (syslog) files.
 syslog_traditional | Parser for Traditional system log (syslog) files.
+teamviewer | Parser for TeamViewer log files.
 viminfo | Parser for Viminfo files.
 vsftpd | Parser for vsftpd log files.
 winfirewall | Parser for Windows Firewall log files.

diff --git a/plaso/data/formatters/generic.yaml b/plaso/data/formatters/generic.yaml
@@ -918,7 +918,7 @@ short_message:
 short_source: 'LOG'
 source: 'SSH Log'
 ---
-# It would be nice to have the _MACHINE_ID field, which is a unique identifier
+# It would be nice to have the _MACHINE_ID field, which is an unique identifier
 # for the system, and hopefully more unique than the _HOSTNAME field.
 # Unfortunately, journal files that have not been closed cleanly may contain
 # entries that have no _MACHINE_ID field.
@@ -958,6 +958,48 @@ short_message:
 short_source: 'LOG'
 source: 'Systemd journal'
 ---
+type: 'conditional'
+data_type: 'teamviewer:application_log:entry'
+message:
+- '[pid: {process_identifier}]'
+- '{body}'
+short_message:
+- '{body}'
+source: 'TeamViewer application log'
+short_source: 'LOG'
+---
+type: 'conditional'
+data_type: 'teamviewer:connections_incoming:entry'
+message:
+- 'Source TeamViewer identifier: {source_identifier}'
+- 'Connection identifier: {connection_identifier}'
+- 'Activity type: {activity_type}'
+- 'Display name: {display_name}'
+- 'Local account: {local_account}'
+short_message:
+- '{source_identifier}'
+- '{connection_identifier}'
+- '{activity_type}'
+- '{display_name}'
+- '{local_account}'
+source: 'TeamViewer incoming connections log'
+short_source: 'LOG'
+---
+type: 'conditional'
+data_type: 'teamviewer:connections_outgoing:entry'
+message:
+- 'Destination TeamViewer identifier: {destination_identifier}'
+- 'Connection identifier: {connection_identifier}'
+- 'Activity type: {activity_type}'
+- 'Local account: {local_account}'
+short_message:
+- '{destination_identifier}'
+- '{connection_identifier}'
+- '{activity_type}'
+- '{local_account}'
+source: 'TeamViewer outgoing connections log'
+short_source: 'LOG'
+---
 type: 'basic'
 data_type: 'text:entry'
 message: '{text}'

diff --git a/plaso/data/presets.yaml b/plaso/data/presets.yaml
@@ -151,6 +151,9 @@ parsers:
 - text/setupapi
 - text/skydrive_log_v1
 - text/skydrive_log_v2
+- text/teamviewer_application_log
+- text/teamviewer_connections_incoming
+- text/teamviewer_connections_outgoing
 - text/winfirewall
 - usnjrnl
 - webhist

diff --git a/plaso/data/timeliner.yaml b/plaso/data/timeliner.yaml
@@ -1291,6 +1291,28 @@ attribute_mappings:
   description: 'Unknown Time'
 place_holder_event: true
 ---
+data_type: 'teamviewer:application_log:entry'
+attribute_mappings:
+- name: 'recorded_time'
+  description: 'Recorded Time'
+place_holder_event: true
+---
+data_type: 'teamviewer:connections_incoming:entry'
+attribute_mappings:
+- name: 'end_time'
+  description: 'End Time'
+- name: 'start_time'
+  description: 'Start Time'
+place_holder_event: true
+---
+data_type: 'teamviewer:connections_outgoing:entry'
+attribute_mappings:
+- name: 'end_time'
+  description: 'End Time'
+- name: 'start_time'
+  description: 'Start Time'
+place_holder_event: true
+---
 data_type: 'viminfo:history'
 attribute_mappings:
 - name: 'recorded_time'

diff --git a/plaso/parsers/text_plugins/__init__.py b/plaso/parsers/text_plugins/__init__.py
@@ -29,6 +29,7 @@
 from plaso.parsers.text_plugins import snort_fastlog
 from plaso.parsers.text_plugins import sophos_av
 from plaso.parsers.text_plugins import syslog
+from plaso.parsers.text_plugins import teamviewer
 from plaso.parsers.text_plugins import viminfo
 from plaso.parsers.text_plugins import vsftpd
 from plaso.parsers.text_plugins import winfirewall