orlikoski / CDQR

The Cold Disk Quick Response (CDQR) tool is a fast and easy to use forensic artifact parsing tool that works on disk images, mounted drives and extracted artifacts from Windows, Linux, MacOS, and Android devices
GNU General Public License v3.0

CDQR Parsing when Timesketch Elastic Search Not running #21

Closed chunderstruck closed 6 years ago

chunderstruck commented 6 years ago

I've been running into problems where CDQR.py is throwing errors when timesketch is not running.

@chunderstruck will look into this issue and submit a pull request.

Removing uncompressed files in directory: Results/artifacts/

Process to export to ElasticSearch started
Exporting results in TimeSketch format to the ElasticSearch server
"psort.py" "-o" "timesketch" "--status_view" "linear" "--name" "bumblebee" "--index" "bumblebee" "Results/BUMBLEBEE.plaso"
ERROR: There was a problem. See details in log.
orlikoski commented 6 years ago

That is interesting. Are you sure it's not due to elasticsearch not running?

On Fri, Apr 13, 2018, 8:13 AM Daniel Chun notifications@github.com wrote:


chunderstruck commented 6 years ago

Either Elastic or Timesketch wasn't working, it was resolved when I restarted timesketch.

I've run into this issue a couple of times when testing new builds...

orlikoski commented 6 years ago

I wonder what is causing ElasticSearch to not start up intermittently. If the RAM in Skadi is too low (less than 8GB) I know there is a chance for that to happen.

It's easy to tell if that's the issue: sudo systemctl status elasticsearch should have a message with a memory error/warning if that's the case.
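A pre-flight check built around the diagnosis above, as an added example that is not part of the CDQR project or this thread; it assumes Elasticsearch answers on http://127.0.0.1:9200 and runs as the systemd unit "elasticsearch", and the memory-error phrases it greps for are ones the JVM is known to print:

```shell
#!/usr/bin/env bash
# Run before a CDQR export to Timesketch so psort's timesketch output module is
# never invoked against an Elasticsearch that is down or out of memory.
# Assumptions (added here, not from CDQR): ES on 127.0.0.1:9200, unit "elasticsearch".
ES_URL="${ES_URL:-http://127.0.0.1:9200}"

# Classify the text of "systemctl status elasticsearch" read from stdin.
# Prints one of: memory, inactive, ok. Returns 0 only for "ok".
classify_status() {
  local text
  text=$(cat)
  if printf '%s' "$text" | grep -qiE 'out of memory|cannot allocate memory|insufficient memory|OutOfMemoryError'; then
    echo memory; return 1
  fi
  if printf '%s' "$text" | grep -qE 'Active: (inactive|failed)'; then
    echo inactive; return 1
  fi
  echo ok; return 0
}

# Return 0 when the cluster health endpoint reports green or yellow.
es_reachable() {
  local body
  body=$(curl -s --max-time 5 "$ES_URL/_cluster/health") || return 1
  case "$body" in
    *'"status":"green"'*|*'"status":"yellow"'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Combine both checks and print guidance for the operator before CDQR runs psort.
preflight() {
  if es_reachable; then
    echo "Elasticsearch reachable at $ES_URL; safe to export to Timesketch"
    return 0
  fi
  local verdict
  verdict=$(systemctl status elasticsearch --no-pager 2>&1 | classify_status) || true
  case "$verdict" in
    memory)   echo "Elasticsearch died on memory; give the Skadi VM more RAM (8GB or more)" ;;
    inactive) echo "Elasticsearch unit is not active; try: sudo systemctl restart elasticsearch" ;;
    *)        echo "Elasticsearch not answering on $ES_URL; see: journalctl -u elasticsearch" ;;
  esac
  return 1
}

if [ "${1:-}" = "--run" ]; then preflight; fi
```

Invoke it as `./es_preflight.sh --run` and only start the CDQR export when it exits 0.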

orlikoski commented 6 years ago

This doesn't appear to be an issue with the latest version. Closing.