diff --git a/plaso/parsers/jsonl_plugins/gcp_log.py b/plaso/parsers/jsonl_plugins/gcp_log.py index 4398516499..7e18f96a49 100644 --- a/plaso/parsers/jsonl_plugins/gcp_log.py +++ b/plaso/parsers/jsonl_plugins/gcp_log.py @@ -36,6 +36,8 @@ class GCPLogEventData(events.EventData): service_account_display_name (str): display name of the service account. service_name (str): name of the servie. severity (str): log entry severity. + status_message (str): the status message of the request. + status_reason (str): the reason behind the status message. text_payload (str): text payload for logs not using a JSON or proto payload. user (str): user principal performing the logged action. """ @@ -68,6 +70,8 @@ def __init__(self): self.service_account_display_name = None self.service_name = None self.severity = None + self.status_message = None + self.status_reason = None self.text_payload = None self.user = None @@ -129,6 +133,17 @@ def _ParseProtoPayload(self, json_dict, event_data): if method_name and not event_data.event_subtype: event_data.event_subtype = method_name + status = self._GetJSONValue(proto_payload, 'status') + if status: + event_data.status_message = self._GetJSONValue(status, 'message') + status_details = self._GetJSONValue(status, 'details') + if status_details: + temp_reason = [] + for status_detail in status_details: + temp_reason.append(self._GetJSONValue(status_detail, 'reason')) + if temp_reason: + event_data.status_reason = ';'.join(temp_reason) + self._ParseProtoPayloadRequest(proto_payload, event_data) self._ParseProtoPayloadServiceData(proto_payload, event_data)