rgayon
commented
2 years ago Trying to escape that character seems to get the parsers filter parser confused:
# log2timeline.py --parsers "sqlite,\!sqlite/chrome_history" /tmp/test
2022-09-28 14:19:01,273 [INFO] (MainProcess) PID:48204 <data_location> Determined data location: /usr/share/plaso
2022-09-28 14:19:01,289 [INFO] (MainProcess) PID:48204 <artifact_definitions> Determined artifact definitions path: /usr/share/artifacts
Checking availability and versions of dependencies.
[OK]
Source path : /tmp/test
Source type : single file
Processing time : 00:00:00
Processing started.
Unknown parser or plugin names in element(s): "/!sqlite/chrome_history" of parser filter expression: /!sqlite/chrome_history,sqlite# log2timeline.py --parsers "sqlite,\\!sqlite/chrome_history" /tmp/test
2022-09-28 14:19:10,136 [INFO] (MainProcess) PID:48210 <data_location> Determined data location: /usr/share/plaso
2022-09-28 14:19:10,150 [INFO] (MainProcess) PID:48210 <artifact_definitions> Determined artifact definitions path: /usr/share/artifacts
Checking availability and versions of dependencies.
[OK]
Source path : /tmp/test
Source type : single file
Processing time : 00:00:00
Processing started.
Unknown parser or plugin names in element(s): "/!sqlite/chrome_history" of parser filter expression: /!sqlite/chrome_history,sqlite
joachimmetz
Description of problem:
Running log2timeline with parameters taken from the --help message won't work, as ! is a reserved character in a man shells.
Consider using
-or~insteadPlaso version:
Operating system Plaso is running on:
20.04.2-Ubuntu x86_64
Installation method:
If multiple methods were used please indicate.
Debug output/tracebacks: