mandiant / macos-UnifiedLogs

Apache License 2.0
211 stars 17 forks

Specify Output File/Path #1

Open weslambert opened 2 years ago

weslambert commented 2 years ago

First of all, thanks for such an awesome tool! I really appreciate all of the effort that went into this project.

However, I was wondering if the option already existed (or could be easily added) for specifying an output file/path for the results from the Unified Log parser?

puffyCid commented 2 years ago

Sure something like this could be added to the example files.

I think adding/customizing output capabilities to the library would be a bit tricky/out of scope since it would be open ended.

Instead I think ideally a program would import the library to parse the log data and then that program can decide how to output the data.

I can add the capability to specify an output file/path to the example binaries/files

I think that should address this issue.

Otherwise let me know if it doesn't, thanks

weslambert commented 2 years ago

Thanks! My use case is just that I need to be able to specify the output path/file in some way while running non-interactively, so I really don't even need the stdout/terminal output. Looking forward to it!

puffyCid commented 2 years ago

I just pushed an update to add output path support. I added a few additional tweaks to the example binaries as well. The RUNNING.md file has been updated to reflect that. The uploaded binaries in releases have been updated.

```text
./unifiedlog_parser -h
Starting Unified Log parser...
unifiedlog_parser 0.1.0

USAGE:
    unifiedlog_parser [OPTIONS] --output <OUTPUT>

OPTIONS:
    -h, --help               Print help information
    -i, --input <INPUT>      Path to logarchive formatted directory [default: ]
    -l, --live <LIVE>        Run on live system [default: false]
    -o, --output <OUTPUT>    Path to output file. Any directories must already exist
    -V, --version            Print version information
```

The example below shows a run on a live system that outputs a single CSV file to the testbuild/ directory:

```text
./unifiedlog_parser -l true -o testbuild/output.csv
Starting Unified Log parser...
Parsing: /private/var/db/diagnostics/Persist/000000000000046b.tracev3
Parsing: /private/var/db/diagnostics/Persist/0000000000000462.tracev3
Parsing: /private/var/db/diagnostics/Persist/0000000000000454.tracev3
Parsing: /private/var/db/diagnostics/Persist/0000000000000444.tracev3
```

Will this work for your use case?
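The non-interactive use case raised in this thread, as an added example that is not part of the project or of either commenter's posts: a small POSIX sh wrapper around the `unifiedlog_parser` example binary. It only relies on the `-i`, `-l` and `-o` options shown in the help output above, and it handles the caveat that `-o` will not create missing directories by running `mkdir -p` first. The `UNIFIEDLOG_PARSER` environment variable, the `run_parser` function name and the treatment of an empty output file as a failure are assumptions of this example, not behaviour of the tool.

```shell
#!/bin/sh
# Added example (not project code): wrap unifiedlog_parser for unattended runs.
# Assumes the binary is at $UNIFIEDLOG_PARSER (default ./unifiedlog_parser) and
# accepts the -i/-l/-o options from its -h output. Everything else here is ours.
set -eu

# run_parser OUTPUT_CSV [LOGARCHIVE_DIR]
#   With a logarchive directory: parse that archive (-i DIR).
#   Without one: parse the live system (-l true).
# The parser's -o option requires the parent directory to exist already, so the
# wrapper creates it before invoking the binary.
run_parser() {
    out=$1
    archive=${2:-}
    parser=${UNIFIEDLOG_PARSER:-./unifiedlog_parser}

    mkdir -p "$(dirname "$out")"

    if [ -n "$archive" ]; then
        [ -d "$archive" ] || { echo "no such logarchive directory: $archive" >&2; return 1; }
        "$parser" -i "$archive" -o "$out"
    else
        "$parser" -l true -o "$out"
    fi

    # Treat an empty result as a failure so a batch job notices it instead of
    # silently archiving a zero-byte CSV (this check is ours, not the tool's).
    [ -s "$out" ] || { echo "parser produced no output at $out" >&2; return 1; }
    echo "wrote $out"
}
```

Typical use from a collection job is `run_parser /evidence/host1/unifiedlog.csv /evidence/host1/system_logs.logarchive`, or `run_parser /evidence/host1/live.csv` on the host itself; the function's exit status tells the caller whether a file worth keeping was produced.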

weslambert commented 2 years ago

I think this will work -- I'll try it out and let you know how it goes. Thanks for your help!