Closed GoogleCodeExporter closed 9 years ago
A comment: it looks like both the logs of the investigated host and the logs
of my computer were parsed
Original comment by antoine....@gmail.com
on 24 May 2012 at 6:09
The hostname is read from the file itself, it should not be your computer name,
but the name extracted from that file.
What was the filename in question, was the filename from your own C drive?
Original comment by ki...@kiddaland.net
on 24 May 2012 at 6:18
I think I understand the problem:
"F:\Users\All Users" is a link to "C:\ProgramData"
the filenames I see in the timeline are:
C:F:\ProgramData\Symantec\Symantec Endpoint Protection\Logs\XXX.log
-> for these I have the right computer and user
C:F:\Users\All Users\Symantec\Symantec Endpoint Protection\Logs\XXX.log
-> for these I have my name and the name of mycomputer
Original comment by antoine....@gmail.com
on 24 May 2012 at 6:57
;)
then I guess the problem is solved ;)
Original comment by ki...@kiddaland.net
on 24 May 2012 at 7:06
Well, I don't know if it is solved. Why does it follow symlinks outside the
drive?
Original comment by antoine....@gmail.com
on 24 May 2012 at 7:14
It looks like "-l" doesn't work to detect symbolic links for perl on Windows.
Here is something that may work:
require Win32::API;
use strict;
use warnings;
my $GetFileAttributes = new Win32::API('kernel32', 'GetFileAttributes', 'P',
'N');
foreach my $file ('C:\Users\All Users', 'C:\ProgramData') {
if ($GetFileAttributes->Call($file) & 0x400) #FILE_ATTRIBUTE_REPARSE_POINT
{
print "$file is a reparse point\n";
}
else
{
print "$file is not a reparse point\n"
}
}
->
C:\Users\All Users is a reparse point
C:\ProgramData is not a reparse point
Original comment by antoine....@gmail.com
on 24 May 2012 at 8:36
Sorry, that is true, the tool should not follow symlinks, and I did not know
that "-l" was not successful in Windows....
I'm re-opening this one, and putting in a fix.
Original comment by ki...@kiddaland.net
on 25 May 2012 at 4:18
Sorry, that is true, the tool should not follow symlinks, and I did not know
that "-l" was not successful in Windows....
I'm re-opening this one, and putting in a fix.
Original comment by ki...@kiddaland.net
on 25 May 2012 at 4:18
Submitted a patch to the project:
http://code.google.com/p/log2timeline/source/detail?r=17fab94cac5968221ef460265e
2b9fd4a330d508
Could you update the tool to the latest snapshot and test if this works
successfully for you?
Original comment by ki...@kiddaland.net
on 25 May 2012 at 4:38
This looks good now, thanks for the quick fix!
Original comment by antoine....@gmail.com
on 25 May 2012 at 12:40
Original issue reported on code.google.com by
antoine....@gmail.com
on 24 May 2012 at 5:52