log2timeline / plaso

Super timeline all the things
https://plaso.readthedocs.io
Apache License 2.0

Draft: implemented text parser plugin for Apple ps.txt files. #4861

Open rick-slin opened 3 months ago

rick-slin commented 3 months ago

Description:

DRAFT: Implemented a text parser plugin for Apple ps.txt files found in sysdiagnose dumps. It uses the DatelessLogHelper

Related issue (if applicable): fixes #4697

Notes:

All contributions to Plaso undergo code review. This makes sure that the code has appropriate test coverage and conforms to the Plaso style guide.

One of the maintainers will examine your code, and may request changes. Check off the items below in order, and then a maintainer will review your code.

Checklist:

joachimmetz commented 3 months ago

@rick-slin I will give this format some more thought, it does not fully match the use-case of the date-less log helper as with syslog where the log entries are (mostly) chronological.

Some hints (not the same) to the format based on Linux man ps

       bsdstart    START     time the command started.  If the process was started less than 24 hours ago, the output format is " HH:MM", else it is " Mmm:SS" (where Mmm is the three letters of the month).  See also lstart, start, start_time, and stime.

       bsdtime     TIME      accumulated cpu time, user + system.  The display format is usually "MMM:SS", but can be shifted to the right if the process used more than 999 minutes of cpu time.

Would be good to have an example of a process that has more than 999 minutes of cpu time
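Added example, not plaso code and not part of this PR: a small parser for the two START forms and the TIME column quoted from the Linux ps(1) man page above, resolving each date-less START value independently against an assumed capture time rather than relying on the order of the entries. It assumes that procps prints the older-than-24-hours START as month plus day (e.g. "Mar12"), which the man page text renders as "Mmm:SS"; CAPTURE_TIME and the sample values are constructed.

```python
import datetime
import re

# Constructed reference: the moment the ps listing is assumed to have been captured.
CAPTURE_TIME = datetime.datetime(2024, 3, 15, 10, 30)

_HHMM = re.compile(r'^(\d{1,2}):(\d{2})$')        # " HH:MM", started < 24 hours ago
_MMMDD = re.compile(r'^([A-Z][a-z]{2})(\d{2})$')  # "MmmDD", assumed form of the older case
_TIME = re.compile(r'^(\d+):(\d{2})$')            # "MMM:SS", minutes widen past 999

_MONTHS = {name: number for number, name in enumerate(
    ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun',
     'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec'], start=1)}


def parse_bsdstart(value, reference_time):
  """Resolve a date-less START value to a datetime using the capture time.

  The field carries no date (HH:MM) or no year (MmmDD), so each value is
  resolved on its own: a later time of day than the reference means
  yesterday, and a later month/day than the reference means last year.
  """
  value = value.strip()
  match = _HHMM.match(value)
  if match:
    hour, minute = int(match.group(1)), int(match.group(2))
    candidate = reference_time.replace(
        hour=hour, minute=minute, second=0, microsecond=0)
    if candidate > reference_time:
      candidate -= datetime.timedelta(days=1)
    return candidate
  match = _MMMDD.match(value)
  if match:
    month, day = _MONTHS[match.group(1)], int(match.group(2))
    candidate = reference_time.replace(
        month=month, day=day, hour=0, minute=0, second=0, microsecond=0)
    if candidate > reference_time:
      candidate = candidate.replace(year=candidate.year - 1)
    return candidate
  raise ValueError('unsupported START value: {0!r}'.format(value))


def parse_bsdtime(value):
  """Parse accumulated CPU time "MMM:SS"; the minutes part may exceed 999."""
  match = _TIME.match(value.strip())
  if not match:
    raise ValueError('unsupported TIME value: {0!r}'.format(value))
  minutes, seconds = int(match.group(1)), int(match.group(2))
  if seconds >= 60:
    raise ValueError('seconds out of range in TIME value: {0!r}'.format(value))
  return datetime.timedelta(minutes=minutes, seconds=seconds)
```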

rick-slin commented 2 months ago

I don't understand the significance of the entries not being chronological. I can see the usefulness of moving the handling of the three cases from the plugin to the helper.

I can try to setup an experiment for a long lived process but I don't see how that field would impact the start time column as they appear to be independent.

joachimmetz commented 2 months ago

> I can try to setup an experiment for a long lived process but I don't see how that field would impact the start time column as they appear to be independent.

this would be more to see if there is an edge case for the format of the TIME value

> I don't understand the significance of the entries not being chronological.

This is related to the inner workings of the date-less log helper