{"id":31892258,"url":"https://github.com/nextronsystems/jsonlog","last_synced_at":"2026-02-25T08:42:13.021Z","repository":{"id":318476805,"uuid":"800347252","full_name":"NextronSystems/jsonlog","owner":"NextronSystems","description":"Definitions of structures used in THOR JSON logs","archived":false,"fork":false,"pushed_at":"2026-02-20T11:08:46.000Z","size":229,"stargazers_count":2,"open_issues_count":1,"forks_count":0,"subscribers_count":4,"default_branch":"master","last_synced_at":"2026-02-20T15:29:18.461Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/NextronSystems.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2024-05-14T06:53:56.000Z","updated_at":"2026-02-20T11:08:47.000Z","dependencies_parsed_at":"2025-10-07T13:19:08.344Z","dependency_job_id":"5f10bdb6-102c-4121-8d7c-267f80b431cb","html_url":"https://github.com/NextronSystems/jsonlog","commit_stats":null,"previous_names":["nextronsystems/jsonlog"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/NextronSystems/jsonlog","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NextronSystems%2Fjsonlog","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NextronSystems%2Fjsonlog/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NextronSystems%2Fjsonlog/releases","manifests_url":"https://repos.ecosyst
e.ms/api/v1/hosts/GitHub/repositories/NextronSystems%2Fjsonlog/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/NextronSystems","download_url":"https://codeload.github.com/NextronSystems/jsonlog/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NextronSystems%2Fjsonlog/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29815028,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-25T05:36:42.804Z","status":"ssl_error","status_checked_at":"2026-02-25T05:36:31.934Z","response_time":61,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-10-13T08:47:32.412Z","updated_at":"2026-02-25T08:42:13.016Z","avatar_url":"https://github.com/NextronSystems.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# THOR structure definitions\n\n## Introduction\n\nThis library provides definitions of structures used in the output of the THOR APT Forensic Scanner. These structures can be used for different use cases:\n- generate a schema for THOR JSON logs\n- convert JSON logs into text logs\n- parse JSON logs\n\n## Versions\n\nThere are three versions of the THOR log format:\n\n - v1: The original THOR log format, used up to and including THOR version 10.7. 
This is equivalent to the THOR text format, simply serialized as JSON.\n - v2: The format used in THOR version 10.7 with the `--jsonv2` flag. This format introduced a more structured approach to logging,\n   with subobjects for reasons, files, and other entities. It is largely open-ended and allows for custom fields.\n - v3: The format used in THOR 11 and later. This format is more strict and versioned, with a defined schema. It introduces the concept of _reportable objects_.\n\n## Parsing Events\n\nThere is a parser in the `thorlog/parser` package which can be used to parse an event.\nThis parser is version aware and can handle all versions of the THOR log format.\nThe result of the parsing is a `common.Event` object, which is a version-agnostic representation of a THOR event.\nIt can be cast to the version-specific implementation of this interface, e.g. `thorlog.Finding` for a finding in version 3.\n\n## Textlog Conversion\n\nThe `jsonlog.TextlogFormatter` type provides a way to convert an object to a text log format.\n\nThis formatter can be used to convert findings and messages to a human-readable format.\nHowever, the text log format is not as rich as the JSON format and may not contain all fields.\nWhen in doubt, use the JSON format for analysis.\n\n## Objects in JSON Log Version 3\n\nEach object in the THOR log contains a `type` field that indicates the object type.\nThis type determines how the object should be interpreted and what fields it contains.\n\n### Event Types\n\nThe object types contained in a THOR log are `THOR finding` and `THOR message`:\n - Findings are the results of THOR's analysis, such as detected threats or anomalies.\n - Messages are informational or status updates from THOR, such as progress updates.\n\nBoth findings and messages are together called _events_.\n\n### Reportable Objects\n\nFindings may contain more objects, e.g. as a subject that they report. 
\nObject types that can appear as subjects are called _reportable objects_.\nThe most common reportable objects are:\n- `file`\n- `process`\n\nReportable objects should contain only fields that relate directly to the object itself.\nE.g. when extracting a file from an archive, the file object should contain only fields \nthat relate to the file itself, not to the archive.\nThe archive data will instead appear in the _context_ of the finding.\n\n## Schema\n\nA schema for the version 3 format is attached to each release.\nIt can also be generated using the `thorlog/jsonschema` package.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnextronsystems%2Fjsonlog","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnextronsystems%2Fjsonlog","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnextronsystems%2Fjsonlog/lists"}
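The README describes the version 3 log as a stream of objects whose `type` field decides the shape of the rest of the object, with findings carrying a reportable subject (`file`, `process`) and keeping archive details in the finding's context rather than in the file object. The following Go program is an added example of that dispatch pattern and is not code from the jsonlog library: it does not use `thorlog/parser` or `common.Event`, and the field names `level`, `message`, `subject`, `context`, `path` and `pid`, as well as the sample log lines, are constructed for the example. Only the top-level `type` values and the `file`/`process` subject types come from the README.

```go
package main

import (
	"bufio"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Constructed sample input for this example, not real THOR output. The
// fourth line has an object type this parser does not know; the fifth is
// not JSON. Both must be reported without losing the other events.
const sampleLog = `{"type":"THOR finding","level":"Alert","message":"Malicious file","subject":{"type":"file","path":"C:\\Temp\\evil.exe"},"context":{"archive":"C:\\Temp\\drop.zip"}}
{"type":"THOR message","level":"Info","message":"Scan started"}
{"type":"THOR finding","level":"Warning","message":"Suspicious process","subject":{"type":"process","pid":4242}}
{"type":"THOR telemetry","level":"Info"}
this line is not JSON at all
`

// Event is an illustrative version-agnostic view of a log object, modelled
// on the README's description of common.Event (not the library's type).
type Event interface{ EventType() string }

// envelope decodes only the discriminator shared by every object.
type envelope struct {
	Type string `json:"type"`
}

// Reportable is a minimal reportable object; the README names file and
// process as the most common subject types. Path and PID are assumed fields.
type Reportable struct {
	Type string `json:"type"`
	Path string `json:"path,omitempty"`
	PID  int    `json:"pid,omitempty"`
}

// Finding keeps the subject separate from the context, as the README
// requires: archive details belong in Context, never inside the file object.
type Finding struct {
	Type    string          `json:"type"`
	Level   string          `json:"level"`
	Message string          `json:"message"`
	Subject Reportable      `json:"subject"`
	Context json.RawMessage `json:"context,omitempty"`
}

func (f Finding) EventType() string { return f.Type }

type Message struct {
	Type    string `json:"type"`
	Level   string `json:"level"`
	Message string `json:"message"`
}

func (m Message) EventType() string { return m.Type }

var ErrUnknownType = errors.New("unknown THOR object type")

// ParseEvent reads the type field first, then decodes the full object into
// the matching struct. Unknown types are an error, not silently dropped.
func ParseEvent(line []byte) (Event, error) {
	var env envelope
	if err := json.Unmarshal(line, &env); err != nil {
		return nil, fmt.Errorf("decode envelope: %w", err)
	}
	switch env.Type {
	case "THOR finding":
		var f Finding
		if err := json.Unmarshal(line, &f); err != nil {
			return nil, err
		}
		return f, nil
	case "THOR message":
		var m Message
		if err := json.Unmarshal(line, &m); err != nil {
			return nil, err
		}
		return m, nil
	default:
		return nil, fmt.Errorf("%w: %q", ErrUnknownType, env.Type)
	}
}

// ParseStream handles a newline-delimited log. A damaged line is recorded
// with its line number and skipped, so one bad line cannot hide the rest.
func ParseStream(r io.Reader) ([]Event, []error) {
	var events []Event
	var errs []error
	sc := bufio.NewScanner(r)
	sc.Buffer(make([]byte, 0, 64*1024), 16*1024*1024) // findings can be long
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		ev, err := ParseEvent([]byte(line))
		if err != nil {
			errs = append(errs, fmt.Errorf("line %d: %w", n, err))
			continue
		}
		events = append(events, ev)
	}
	if err := sc.Err(); err != nil {
		errs = append(errs, err)
	}
	return events, errs
}

// FilePaths type-asserts events back to Finding (the step the README calls
// casting to the version-specific type) and collects file subject paths.
func FilePaths(events []Event) []string {
	var paths []string
	for _, ev := range events {
		if f, ok := ev.(Finding); ok && f.Subject.Type == "file" {
			paths = append(paths, f.Subject.Path)
		}
	}
	return paths
}
```

Running `ParseStream` over the constructed input yields three events (two findings and one message) and two line errors; the first error wraps `ErrUnknownType`, which a caller can test with `errors.Is` to distinguish a schema change from corrupted data. Decoding the envelope before the full object is what makes the dispatch version-aware: adding a new object type means adding one case, and nothing else about the stream needs to change.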