google / turbinia

Automation and Scaling of Digital Forensics Tools
Apache License 2.0
749 stars 162 forks

[Bug]: Plaso check for events broken #1366

Closed aarontp closed 1 year ago

aarontp commented 1 year ago

What steps will reproduce the bug?

Run Plaso task on GoogleCloudDisk.

What is the expected behavior?

Plaso timeline output

What do you see instead?

Plaso result was not returned because it says that no results were found.

$ turbinia-client status task 2a6eda8baeb74a5787e7fc58f244a934
2023-10-07 13:26:49,108 INFO turbinia - Using configuration instance name -> default with host http://localhost:8000
## PlasoParserTask (MEDIUM PRIORITY)
* **Evidence:** GoogleCloudDisk
* **Status:** Completed successfully in 0:00:22.464938 on osdfir-release-turbinia-worker-869ccbdbdf-bjnjn. Not adding evidence /mnt/turbiniavolume/output/f3bbc4d90c2a4e7792ccdc90dcb3bac3/1696379566-2a6eda8baeb74a5787e7fc58f244a934-PlasoParserTask/2a6eda8baeb74a5787e7fc58f244a934.plaso. Evidence validation failed with error: PlasoFile validation failed, pinfo.py found no events.
* Task Id: 2a6eda8baeb74a5787e7fc58f244a934
* Executed on worker osdfir-release-turbinia-worker-869ccbdbdf-bjnjn

Looking at the pinfo.py output, there are actually results in the file though:

root@7bc7206d51e3:/# pinfo.py /mnt/turbinia/output/tmp/2a6eda8baeb74a5787e7fc58f244a934.plaso 

************************** Plaso Storage Information ***************************
            Filename : 2a6eda8baeb74a5787e7fc58f244a934.plaso
      Format version : 20230327
Serialization format : json
--------------------------------------------------------------------------------

*********************************** Sessions ***********************************
4aaf0e28-1ef6-4d50-9fa0-53114a29564b : 2023-10-04T00:32:49.530712+00:00
--------------------------------------------------------------------------------

******************************** Event sources *********************************
Total : 1605
--------------------------------------------------------------------------------

No events stored.

No events labels stored.

No warnings stored.

No analysis reports stored.

aarontp commented 1 year ago

FYI @jleaniz

aarontp commented 1 year ago

Some Plaso tasks from this processing request successfully returned results though.

jleaniz commented 1 year ago

Reading the output you posted, it looks like it has no events? It says "No events stored". IIRC, the event sources total is a different thing.

jleaniz commented 1 year ago

Closing - was not able to reproduce and output indicates no events.
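The distinction the closing reply draws, as an added example (illustrative code written for this page, not Turbinia's PlasoFile validator or any Plaso API): a small parser of pinfo.py text output that reads the "Event sources" total and the "Events" table separately, so a file with 1605 event sources but "No events stored." is correctly rejected. The empty-file sample is the pinfo.py output quoted in the issue; the populated sample, including the layout of its Events table, is constructed and is an assumption about pinfo.py's text format.

```python
"""Tell Plaso 'event sources' apart from 'events' in pinfo.py text output.

Added example for this page; not Turbinia's or Plaso's own code. The
Events-table layout in PINFO_WITH_EVENTS is an assumption.
"""
import re
from typing import Dict, List, Tuple

# Sample 1: the pinfo.py output quoted in the issue. 1605 event sources were
# collected, but no parser produced an event from any of them.
PINFO_NO_EVENTS = """\
************************** Plaso Storage Information ***************************
            Filename : 2a6eda8baeb74a5787e7fc58f244a934.plaso
      Format version : 20230327
Serialization format : json
--------------------------------------------------------------------------------

*********************************** Sessions ***********************************
4aaf0e28-1ef6-4d50-9fa0-53114a29564b : 2023-10-04T00:32:49.530712+00:00
--------------------------------------------------------------------------------

******************************** Event sources *********************************
Total : 1605
--------------------------------------------------------------------------------

No events stored.

No events labels stored.

No warnings stored.

No analysis reports stored.
"""

# Sample 2: constructed. Same event-source count, but an Events section is
# present (assumed layout: one "parser : count" row per parser).
PINFO_WITH_EVENTS = """\
******************************** Event sources *********************************
Total : 1605
--------------------------------------------------------------------------------

*********************************** Events ************************************
Parser (plugin) name : Number of events
--------------------------------------------------------------------------------
                  filestat : 1605
     sqlite/chrome_history : 37
--------------------------------------------------------------------------------

No warnings stored.
"""

BANNER = re.compile(r"^\*+\s*(.+?)\s*\*+$")          # "*** Title ***"
COUNT_ROW = re.compile(r"^\s*(\S.*?)\s*:\s*(\d+)\s*$")  # "name : 123"


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group lines under the '*** Title ***' banner that precedes them.

    Lines before the first banner go under ''. Dashed rules and the
    'No ... stored.' lines stay with the preceding section; they are
    ignored by the counters below.
    """
    sections: Dict[str, List[str]] = {"": []}
    current = ""
    for line in text.splitlines():
        m = BANNER.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        sections[current].append(line)
    return sections


def count_event_sources(text: str) -> int:
    """Return the 'Total' from the Event sources section (0 if absent)."""
    for line in split_sections(text).get("Event sources", []):
        m = COUNT_ROW.match(line)
        if m and m.group(1) == "Total":
            return int(m.group(2))
    return 0


def count_events(text: str) -> int:
    """Sum the per-parser rows of the Events section.

    An explicit 'No events stored.' line wins regardless of how many event
    sources were collected: sources are inputs to parsing, not results.
    """
    if re.search(r"^No events stored\.$", text, re.M):
        return 0
    total = 0
    for line in split_sections(text).get("Events", []):
        m = COUNT_ROW.match(line)
        if m:
            total += int(m.group(2))
    return total


def validate_plaso_file(pinfo_text: str) -> Tuple[bool, str]:
    """Accept the storage file only if at least one event was produced."""
    sources = count_event_sources(pinfo_text)
    events = count_events(pinfo_text)
    if events == 0:
        return False, (f"pinfo.py found no events "
                       f"({sources} event sources, none yielded an event)")
    return True, f"{events} events from {sources} event sources"


if __name__ == "__main__":
    for name, sample in (("empty", PINFO_NO_EVENTS),
                         ("populated", PINFO_WITH_EVENTS)):
        print(name, validate_plaso_file(sample))
```

A check that keys only on a non-zero "Total" would pass the empty file, because 1605 is the number of data streams Plaso queued for parsing, not the number of timeline events any parser emitted; only the Events section (or its absence, signalled by "No events stored.") answers the question the validator is asking.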