orlikoski / Skadi

Collect, Process, and Hunt with host based data from MacOS, Windows, and Linux
https://www.skadivm.com
GNU General Public License v3.0

Enable HTTP uploading + Graphs in Timesketch #68

Closed ecapuano closed 6 years ago

ecapuano commented 6 years ago

I noticed that Skadi has the proper dependencies for these features (Celery, Neo4j, etc), but the features are not enabled in the OVF's /etc/timesketch.conf.

Might be a good reason for it, but otherwise, could these be enabled by default in the OVF?

orlikoski commented 6 years ago

Those were enabled by default in prior releases and, as you mentioned, they are still configured with all dependencies installed yet disabled by default now.

The reason is that I've found both of them to be unreliable and require extra effort to make work each time, every time (often updates to TimeSketch can break things that previously worked). One of the key foundations for Skadi is that everything "just works" and since these features don't, they're disabled by default now.

That said, all the dependencies are there for those who have the skill and time to turn them on and troubleshoot them. If someone does figure out how to make them work reliably then please let me know and those features can be enabled by default again.

The uploading can be done through SCP and/or CyLR, and the processing with insertion into the ELK stack can be done by CDQR, so the function of the uploading is in Skadi.

Example: from an existing Plaso file to TimeSketch format in ElasticSearch:

cdqr.py --plaso_db myfile.plaso --es_ts mycase

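The SCP-then-CDQR workflow described in the comment above, written out as an added example script (it is not Skadi's, CDQR's or the commenter's own code). It assumes a Skadi host reachable as `skadi` with user `skadi` and an upload directory `/home/skadi/uploads` (all overridable through environment variables) and `cdqr.py` on the remote PATH; the `--plaso_db` and `--es_ts` flags are the ones shown in the comment. Two checks are added that a practitioner would want before ingesting evidence: the file's SHA-256 is computed locally and verified on the Skadi side before CDQR touches it, and the case name is restricted to a safe character set because it is interpolated into a remote shell command.

```shell
#!/bin/sh
# Added example (not Skadi's or CDQR's own code): copy a Plaso file to a
# Skadi host over SCP, verify its hash on arrival, then index it into
# Timesketch with CDQR instead of using Timesketch's HTTP upload.
# Assumptions: host "skadi", user "skadi", remote dir /home/skadi/uploads,
# a Linux remote with sha256sum, and cdqr.py on the remote PATH.
set -eu

SKADI_HOST="${SKADI_HOST:-skadi}"
SKADI_USER="${SKADI_USER:-skadi}"
REMOTE_DIR="${REMOTE_DIR:-/home/skadi/uploads}"

# SHA-256 of a file; works with sha256sum (Linux) or shasum (macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 if the file's SHA-256 equals the expected digest, 1 otherwise,
# so a truncated or tampered transfer is never handed to CDQR.
verify_sha256() {
    file="$1"; expected="$2"
    actual="$(sha256_of "$file")"
    [ "$actual" = "$expected" ]
}

# Print the CDQR command that indexes an existing Plaso file into
# Timesketch under the given case name (the flags from the comment above).
# The case name must be [A-Za-z0-9_-] only: it ends up inside a remote
# shell command, so anything else is refused rather than quoted around.
cdqr_plaso_cmd() {
    plaso="$1"; case_name="$2"
    case "$case_name" in
        *[!A-Za-z0-9_-]*|"") return 1 ;;
    esac
    printf 'cdqr.py --plaso_db %s --es_ts %s\n' "$plaso" "$case_name"
}

# Full pipeline: hash locally, copy with scp, re-hash on the Skadi host,
# abort on mismatch, otherwise run CDQR against the uploaded file.
ingest_plaso() {
    plaso="$1"; case_name="$2"
    digest="$(sha256_of "$plaso")"
    remote="$REMOTE_DIR/$(basename "$plaso")"
    cmd="$(cdqr_plaso_cmd "$remote" "$case_name")"   # fails early on a bad case name
    scp "$plaso" "$SKADI_USER@$SKADI_HOST:$remote"
    ssh "$SKADI_USER@$SKADI_HOST" "
        actual=\$(sha256sum '$remote' | cut -d' ' -f1)
        [ \"\$actual\" = '$digest' ] || { echo 'hash mismatch, aborting' >&2; exit 1; }
        $cmd
    "
}

# Only run the transfer when explicitly asked, so the file can also be
# sourced for its functions:  SKADI_RUN=1 ./ingest.sh myfile.plaso mycase
if [ "${SKADI_RUN:-0}" = "1" ]; then
    ingest_plaso "$@"
fi
```

The remote side repeats the hash check rather than trusting scp's exit status alone, and the case-name whitelist is deliberately strict: CDQR uses it as an Elasticsearch index/sketch name, and the script passes it through `ssh`, so rejecting anything outside `[A-Za-z0-9_-]` closes the obvious injection path.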
ecapuano commented 6 years ago

Too true! I'll side with you completely on that... One of the reasons I was so excited to find this project is due to the headaches I've had doing that exact thing with each new build.

I prefer the "just works" nature of Skadi over the additional features... If I can find some time to get it working, I'll reopen the convo.

Thanks again.