Unable to read artifact definitions (MacOS)

[andrewpritchett]

Description of problem:

"ERROR: Unable to read artifact definitions from: /usr/local/share/artifacts with error: At start Artifact definition: DockerContainerLogs found undefined labels: Docker."

Command line and arguments:

$ log2timeline.sh --no-dependencies-check --parsers "winevtx" ./plaso.dump ./Logs/ $ log2timeline.sh --parsers "winevtx" ./plaso.dump ./Logs/ $ log2timeline.py --parsers "winevtx" ./plaso.dump ./Logs/

Plaso version:

I had plaso-20180930-macos-10.13.dmg installed. It was working a couple weeks ago before I upgraded to Mojave. I used the ./uninstall.sh script and uninstalled. I installed, plaso-20180818-macos-10.13.dmg using the install script, received the same error. I then uninstalled using the uninstall script and reinstalled 20180930. I am still receiving the same error.

Operating system Plaso is running on:

MacOS vs 10.14 (18A391)

Installation method:

For example:

• installed from https://github.com/log2timeline/plaso/releases/plaso-20180930-macos-10.13.dmg and used the ./install.sh

If multiple methods were used please indicate.

Debug output/tracebacks:

Please run the tool with "-d" to generate debug output, and include anything relevant. Also see: [Producing debug logs][https://plaso.readthedocs.io/en/latest/sources/user/Troubleshooting.html#producing-debug-logs]

For more information see the [troubleshooting guide][https://plaso.readthedocs.io/en/latest/sources/user/Troubleshooting.html].

[joachimmetz]

This looks like a similar issue to https://github.com/log2timeline/plaso/issues/2170. We are working on a new release soon https://github.com/log2timeline/plaso/issues/2254, which should fix this issue for the macos package. In the mean time you could try and install the latest version of the artifacts module from https://github.com/log2timeline/l2tbinaries/tree/dev/macos

[Onager]

This must have a different cause that #2170 as the MacOS installer doesn't copy any artifact definition files. It's possible that there was something wrong with the artifacts package in plaso-20180930-macos-10.13.dmg, but strange that it worked for @andrewpritchett before. Either way, there should be a new release in the next day or so.

[Onager]

Tried to replicate this, and the uninstall script didn't seem to correctly remove the yaml files, which could contribute to this issue.

[joachimmetz]

I've created https://github.com/log2timeline/plaso/issues/2273 to address the uninstall script issue. Closing this issue seeing the new artifacts package seems to work as intended. @andrewpritchett let us know if the new release of plaso does the job for you. reopen this issue if now.

[andrewpritchett]

I used the 20180930 uninstall.sh script to uninstall version 20180930. I then used the install.sh script to install 20181219. I did not receive any error during install or uninstall. I am still getting errors.

This is the command I ran: $ log2timeline.sh --parsers "winevtx" ./plaso.dump ./Logs/

Here is the error: 2018-12-21 08:11:55,502 [INFO] (MainProcess) PID:11748 Determined data location: /Library/Python/2.7/site-packages 2018-12-21 08:11:55,502 [INFO] (MainProcess) PID:11748 Determined artifact definitions path: /usr/local/share/artifacts ERROR: Unable to read artifact definitions from: /usr/local/share/artifacts with error: At start Artifact definition: DockerContainerConfig found undefined labels: Docker.

Thank you!

[joachimmetz]

@andrewpritchett Could you send us the output of artifacts.__version__ and artifacts.__file__ as in the example below:

python
Python 2.7.10 (default, Oct  6 2017, 22:29:07) 
[GCC 4.2.1 Compatible Apple LLVM 9.0.0 (clang-900.0.31)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import artifacts
>>> artifacts.__version__
'20181213'
>>> artifacts.__file__
'/Library/Python/2.7/site-packages/artifacts/__init__.pyc'
>>> exit()

[andrewpritchett]

@joachimmetz Thanks for the continued help!

Here is my output:

artifacts.version '20170909' artifacts.file '/Library/Python/2.7/site-packages/artifacts-20170909-py2.7.egg/artifacts/init.pyc' exit()

[joachimmetz]

@andrewpritchett it looks like the update of artifacts failed on your system. Also based on .egg was this installed via pip? Can you remove the artifacts library entirely and then reinstall from the plaso provided (or l2tbinaries) version

[Onager]

Ping for @andrewpritchett

[andrewpritchett]

Yes, I will give this a try. Thank you.

[joachimmetz]

Closing this issue, seeing this looks like an installation specific issue. Reopen if there is data to suggest otherwise.