log2timeline / plaso

Super timeline all the things
https://plaso.readthedocs.io
Apache License 2.0

How do I generate output with the tools? #4090

Closed glmkyt818 closed 2 years ago

glmkyt818 commented 2 years ago

Description of problem:

unable to get the output after running log2timeline

Command line and arguments:

**psort -o l2tcsv test2.dump "date >= '2022-02-22 00:00:00' AND date <= '2022-02-24 00:00:00'" -w test3.csv**

**plaso - log2timeline version 20190331**

**E:\>pinfo test2.plaso**

************************** Plaso Storage Information ***************************
            Filename : test2.plaso
      Format version : 20180101
Serialization format : json
--------------------------------------------------------------------------------

*********************************** Sessions ***********************************
19c121ed-c81e-4634-a31a-a2849bbd1c0c : 2022-04-18T22:05:32.677000+00:00
--------------------------------------------------------------------------------

**************** Session: 19c121ed-c81e-4634-a31a-a2849bbd1c0c *****************
                Start time : 2022-04-18T22:05:32.677000+00:00
           Completion time : 2022-04-18T22:19:48.918000+00:00
              Product name : plaso
           Product version : 20190331
    Command line arguments : log2timeline -f filter_windows.txt test2.plaso
                             TEST-2.001
  Parser filter expression : win7
Enabled parser and plugins : amcache, bencode, bencode/bencode_transmission,
                             bencode/bencode_utorrent, binary_cookies,
                             chrome_cache, chrome_preferences,
                             custom_destinations, czip, czip/oxml, esedb,
                             esedb/file_history, esedb/msie_webcache,
                             esedb/srum, filestat, firefox_cache,
                             gdrive_synclog, java_idx, lnk, mcafee_protection,
                             msiecf, olecf, olecf/olecf_automatic_destinations,
                             olecf/olecf_default, olecf/olecf_document_summary,
                             olecf/olecf_summary, opera_global,
                             opera_typed_history, pe, plist, plist/airport,
                             plist/apple_id, plist/ipod_device,
                             plist/macosx_bluetooth,
                             plist/macosx_install_history, plist/macuser,
                             plist/maxos_software_update, plist/plist_default,
                             plist/safari_history, plist/spotlight,
                             plist/spotlight_volume, plist/time_machine,
                             prefetch, recycle_bin, sccm, skydrive_log,
                             skydrive_log_old, sqlite, sqlite/android_calls,
                             sqlite/android_sms, sqlite/android_webview,
                             sqlite/android_webviewcache, sqlite/appusage,
                             sqlite/chrome_27_history, sqlite/chrome_8_history,
                             sqlite/chrome_autofill, sqlite/chrome_cookies,
                             sqlite/chrome_extension_activity,
                             sqlite/firefox_cookies, sqlite/firefox_downloads,
                             sqlite/firefox_history, sqlite/google_drive,
                             sqlite/hangouts_messages, sqlite/imessage,
                             sqlite/kik_messenger, sqlite/kodi,
                             sqlite/ls_quarantine,
                             sqlite/mac_document_versions,
                             sqlite/mac_notificationcenter,
                             sqlite/mackeeper_cache, sqlite/safari_history,
                             sqlite/skype, sqlite/tango_android_profile,
                             sqlite/tango_android_tc, sqlite/twitter_android,
                             sqlite/twitter_ios, sqlite/windows_timeline,
                             sqlite/zeitgeist, symantec_scanlog, usnjrnl,
                             winevtx, winfirewall, winjob, winreg,
                             winreg/appcompatcache, winreg/bagmru,
                             winreg/ccleaner, winreg/explorer_mountpoints2,
                             winreg/explorer_programscache,
                             winreg/microsoft_office_mru,
                             winreg/microsoft_outlook_mru,
                             winreg/mrulist_shell_item_list,
                             winreg/mrulist_string,
                             winreg/mrulistex_shell_item_list,
                             winreg/mrulistex_string,
                             winreg/mrulistex_string_and_shell_item,
                             winreg/mrulistex_string_and_shell_item_list,
                             winreg/msie_zone, winreg/mstsc_rdp,
                             winreg/mstsc_rdp_mru, winreg/network_drives,
                             winreg/networks, winreg/userassist,
                             winreg/windows_boot_execute,
                             winreg/windows_boot_verify, winreg/windows_run,
                             winreg/windows_sam_users, winreg/windows_services,
                             winreg/windows_shutdown,
                             winreg/windows_task_cache,
                             winreg/windows_timezone,
                             winreg/windows_typed_urls,
                             winreg/windows_usb_devices,
                             winreg/windows_usbstor_devices,
                             winreg/windows_version, winreg/winlogon,
                             winreg/winrar_mru, winreg/winreg_default
        Preferred encoding : cp1252
                Debug mode : False
          Artifact filters : N/A
               Filter file : filter_windows.txt
--------------------------------------------------------------------------------
No errors stored.

No analysis reports stored.

**psort -o l2tcsv test2.plaso "date >= '2022-02-22 00:00:00' AND date <= '2022-02-24 00:00:00'" -w test3.csv**
2022-04-18 22:43:13,790 [INFO] (MainProcess) PID:8440 <data_location> Determined data location: C:\FORENS~1\plaso\data
**plaso - psort version 20190331**

Storage file            : test2.plaso
Processing time         : 00:00:00

Events:         Total
                0

Identifier              PID     Status          Memory          Events          Tags            Reports
Main                    8440    idle            0 B             0 (0)           0 (0)           0 (0)

Processing completed.

******************************** Export results ********************************
       Events filtered : 0
Events from time slice : 0
      Events processed : 0
--------------------------------------------------------------------------------

Source data:

Please provide the source data you used when you experienced the problem. For publicly available data please provide a URL or path of the source data.

Plaso version:

plaso - log2timeline version 20190331

Operating system Plaso is running on: running on Windows

jleaniz commented 2 years ago

Hi @glmkyt818, thank you for reporting the issue.

Would you mind trying to run a recent version of log2timeline and psort? It looks like you're running a version that's about 3 years old (plaso - log2timeline version 20190331). If you still have issues generating a timeline from a plaso file with the latest plaso version, please feel free to provide the pinfo output again.

Out of curiosity, have you tried to run psort without a date filter? Does it generate an output? Is it possible the source file does not contain events within the specified timeframe? What's the size of the test2.plaso file?

Thanks.
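As an added illustration of the question raised above (whether the storage file holds any events inside the requested window), the following Python is not plaso's own code: it is a simplified reader for the two-bound `date` filter form used in this issue, applied to constructed sample events. It assumes the quoted timestamps are compared as UTC (plaso stores event timestamps as UTC microseconds), and it shows why an upper bound of `'2022-02-24 00:00:00'` admits only the first instant of that day, so events later on 24 February are dropped. Running it with an empty expression mirrors the "psort without a date filter" check.

```python
import re
from datetime import datetime, timedelta, timezone

# Added example, not plaso's own code: a simplified reader for the two-bound
# date filter shape used in the issue, applied to constructed sample events.

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Matches each bound of an expression such as
#   date >= '2022-02-22 00:00:00' AND date <= '2022-02-24 00:00:00'
# (only this shape is handled; plaso's real filter language is far richer).
_BOUND_RE = re.compile(r"date\s*(>=|<=|>|<)\s*'([^']+)'")


def parse_date_filter(expression):
    """Return (lower, upper); each is (datetime, inclusive) or None.

    Assumption: the quoted timestamps are taken as UTC, matching the UTC
    microsecond timestamps plaso stores for events.
    """
    lower = upper = None
    for op, text in _BOUND_RE.findall(expression):
        value = datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        inclusive = op.endswith("=")
        if op.startswith(">"):
            lower = (value, inclusive)
        else:
            upper = (value, inclusive)
    return lower, upper


def to_timestamp_us(dt):
    """UTC datetime -> microseconds since the POSIX epoch (plaso's event timestamp unit)."""
    return (dt - EPOCH) // timedelta(microseconds=1)


def window_bounds_us(expression):
    """Return (lower_us, upper_us) for the filter window; None where unbounded."""
    lower, upper = parse_date_filter(expression)
    return (
        to_timestamp_us(lower[0]) if lower else None,
        to_timestamp_us(upper[0]) if upper else None,
    )


def in_window(timestamp_us, lower, upper):
    """True when an event timestamp satisfies both bounds (inclusive or strict)."""
    if lower is not None:
        lower_us = to_timestamp_us(lower[0])
        if timestamp_us < lower_us or (timestamp_us == lower_us and not lower[1]):
            return False
    if upper is not None:
        upper_us = to_timestamp_us(upper[0])
        if timestamp_us > upper_us or (timestamp_us == upper_us and not upper[1]):
            return False
    return True


def apply_filter(events, expression):
    """Split events into those that would be exported ('processed') and those
    dropped by the filter ('filtered'), mirroring psort's export summary counters."""
    lower, upper = parse_date_filter(expression)
    processed = [name for ts, name in events if in_window(ts, lower, upper)]
    return {"processed": processed, "filtered": len(events) - len(processed)}


def _utc(*args):
    return datetime(*args, tzinfo=timezone.utc)


# Constructed sample events: (timestamp in UTC microseconds, description).
SAMPLE_EVENTS = [
    (to_timestamp_us(_utc(2022, 2, 21, 23, 59, 59)), "prefetch: before window"),
    (to_timestamp_us(_utc(2022, 2, 22, 0, 0, 0)), "winevtx: exactly at lower bound"),
    (to_timestamp_us(_utc(2022, 2, 23, 14, 30, 0)), "winreg: inside window"),
    (to_timestamp_us(_utc(2022, 2, 24, 0, 0, 0)), "lnk: exactly at upper bound"),
    (to_timestamp_us(_utc(2022, 2, 24, 9, 15, 0)), "filestat: later on the end day"),
]

# The filter expression from the issue.
FILTER = "date >= '2022-02-22 00:00:00' AND date <= '2022-02-24 00:00:00'"

if __name__ == "__main__":
    result = apply_filter(SAMPLE_EVENTS, FILTER)
    print("window (us):", window_bounds_us(FILTER))
    print("processed  :", result["processed"])
    print("filtered   :", result["filtered"])
    # Same events with no filter at all: nothing is dropped.
    print("unfiltered :", apply_filter(SAMPLE_EVENTS, "")["filtered"])
```

If the unfiltered run also yields zero processed events, the storage file itself holds nothing to export and the date window is not the cause; if the unfiltered run exports events but the filtered one does not, the window is the thing to revisit (for example by using an end bound of `'2022-02-25 00:00:00'` with `<` to cover the whole of 24 February).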

joachimmetz commented 2 years ago

Also, what is the file you are generating: is that test2.plaso or test2.dump?

joachimmetz commented 2 years ago

No response from original reporter, closing issue