Closed CameronMTr closed 4 years ago
could you paste the first few lines of CSV you're attempting to load?
Thank you for getting back to me. A sanitized sample of the CSV is as follows (the line breaks are added for readability; they are not present in the original set):
date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
04/12/2019,00:04:29,Egypt,M...,LOG,Sdummy Event,Content Modification Time,-,HostName,No logged on cached user during monitor task trying to select.,program No logged on cached user during monitor task trying to select.,2,D:/Windows/dummy/Logs/program.log,123456,-,sdummy,sha256_hash: 74c229ffsd7b473159406628fc98d35fd261c04dd0e86d81823753f98cnn0975
04/12/2019,00:14:29,Egypt,M...,LOG,Sdummy Event,Content Modification Time,-,HostName,No logged on cached user during monitor task trying to select.,program No logged on cached user during monitor task trying to select.,2,D:/Windows/dummy/Logs/program.log,123456,-,sdummy,sha256_hash: 74c229ffsd7b473159406628fc98d35fd261c04dd0e86d81823753f98cnn0975
04/12/2019,00:15:58,Egypt,M...,LOG,Sdummy Event,Content Modification Time,-,HostName,Current assigned management point is the only assigned management point.,loc Current assigned management point is the only assigned management point.,2,D:/Windows/dummy/Logs/filename.log,12345,-,sdummy,sha256_hash: 8c5267e7d2de726ajama7df2119f6eea648bbome5c6f6549acfc88a61646abbf
04/12/2019,00:23:24,Egypt,M...,LOG,Sdummy Event,Content Modification Time,-,HostName,Current assigned management point is the only assigned management point.,loc Current assigned management point is the only assigned management point.,2,D:/Windows/dummy/Logs/filename.log,12345,-,sdummy,sha256_hash: 8c5267e7d2de726ajama7df2119f6eea648bbome5c6f6549acfc88a61646abbf
04/12/2019,00:24:29,Egypt,M...,LOG,Sdummy Event,Content Modification Time,-,HostName,No logged on cached user during monitor task trying to select.,program No logged on cached user during monitor task trying to select.,2,D:/Windows/dummy/Logs/program.log,123456,-,sdummy,sha256_hash: 74c229ffsd7b473159406628fc98d35fd261c04dd0e86d81823753f98bbc0975
04/12/2019,00:34:29,Egypt,M...,LOG,Sdummy Event,Content Modification Time,-,HostName,No logged on cached user during monitor task trying to select.,program No logged on cached user during monitor task trying to select.,2,D:/Windows/dummy/Logs/program.log,123456,-,sdummy,sha256_hash: 74c229ffsd7b473159406628fc98d35fd261c04dd0e86d81823753f98cnn0975
04/12/2019,00:44:29,Egypt,M...,LOG,Sdummy Event,Content Modification Time,-,HostName,No logged on cached user during monitor task trying to select.,program No logged on cached user during monitor task trying to select.,2,D:/Windows/dummy/Logs/program.log,123456,-,sdummy,sha256_hash: 74c229ffsd7b473159406628fc98d35fd261c04dd0e86d81823753f98cnn0975
Thanks again
OK, this should be fixed on the public branch! The update process sometimes causes VMware to go bonkers, but a reboot of the VM should be enough if that happens. That said, this should all be fixed now!
Yes! It is working perfectly now, thank you so much!
awesome! thanks for the report and for your patience!
I am not sure if we are doing something wrong on our side or if anyone else has experienced this. It seems that when plaso records are added, it is not taking the date field from the file, it is instead taking the date that the file was added to the sof-elk box.
The plaso files were generated in the prescribed manner:
log2timeline.py -z UTC --parsers "win7,-filestat" /cases/capstone/base-rd01-triage-plaso.dump /mnt/windows_mount/base-rd01/
psort.py -z "UTC" -o L2tcsv base-rd01-triage-plaso.dump "date > '2018-08-23 00:00:00' AND date < '2018-09-07 00:00:00'" -w base-rd01-triage-plaso.csv
So far as I know none of the config files have been altered from the default.
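An added example, not code from this thread or from SOF-ELK itself: a small Python parser for the l2tcsv layout shown in the sample earlier in the thread. It builds each record's UTC timestamp from the `date`, `time` and `timezone` columns that psort writes, rather than from the time the file was loaded, and includes a check for the symptom described in this report (every record stamped with the ingest time). The column names are taken from the posted header; the function names `resolve_timezone`, `parse_l2tcsv` and `stamped_with_ingest_time` are chosen here, and falling back to UTC when a zone name cannot be resolved is an assumption of this example.

```python
import csv
import io
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

# Constructed sample: the header and two of the sanitized records posted in
# this thread, one record per line as psort actually writes them.
SAMPLE_L2TCSV = """\
date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
04/12/2019,00:04:29,Egypt,M...,LOG,Sdummy Event,Content Modification Time,-,HostName,No logged on cached user during monitor task trying to select.,program No logged on cached user during monitor task trying to select.,2,D:/Windows/dummy/Logs/program.log,123456,-,sdummy,sha256_hash: 74c229ffsd7b473159406628fc98d35fd261c04dd0e86d81823753f98cnn0975
04/12/2019,00:15:58,Egypt,M...,LOG,Sdummy Event,Content Modification Time,-,HostName,Current assigned management point is the only assigned management point.,loc Current assigned management point is the only assigned management point.,2,D:/Windows/dummy/Logs/filename.log,12345,-,sdummy,sha256_hash: 8c5267e7d2de726ajama7df2119f6eea648bbome5c6f6549acfc88a61646abbf
"""

# Header psort emits for the l2tcsv output format (copied from the sample).
L2TCSV_COLUMNS = (
    "date", "time", "timezone", "MACB", "source", "sourcetype", "type",
    "user", "host", "short", "desc", "version", "filename", "inode",
    "notes", "format", "extra",
)


def resolve_timezone(name):
    """Map the l2tcsv timezone column to a tzinfo.

    psort writes whatever zone name was given with -z ("UTC", or the legacy
    tz alias "Egypt" in the sample). Returns (tzinfo, known). An unknown name
    falls back to UTC with known=False (assumption of this example) so the
    caller can see the guess instead of silently trusting it.
    """
    try:
        return ZoneInfo(name), True
    except (ZoneInfoNotFoundError, ValueError):
        return timezone.utc, False


def parse_l2tcsv(text):
    """Parse l2tcsv text into event dicts with a UTC `timestamp` taken from
    the date/time/timezone columns (MM/DD/YYYY and HH:MM:SS), never from the
    current clock. Raises ValueError if the header is not l2tcsv."""
    reader = csv.DictReader(io.StringIO(text))
    if tuple(reader.fieldnames or ()) != L2TCSV_COLUMNS:
        raise ValueError("not an l2tcsv header: %r" % (reader.fieldnames,))
    events = []
    for row in reader:
        wall = datetime.strptime(row["date"] + " " + row["time"],
                                 "%m/%d/%Y %H:%M:%S")
        tz, known = resolve_timezone(row["timezone"])
        events.append({
            "timestamp": wall.replace(tzinfo=tz).astimezone(timezone.utc),
            "wall_time": wall,            # naive, as written in the CSV
            "timezone_known": known,
            "macb": row["MACB"],
            "source": row["source"],
            "filename": row["filename"],
            "desc": row["desc"],
        })
    return events


def stamped_with_ingest_time(events, ingest_time, window_seconds=300):
    """True when every event timestamp lies within `window_seconds` of the
    ingest time: the symptom reported above, where records carry the date
    the file was loaded instead of the date in the file."""
    limit = timedelta(seconds=window_seconds)
    return bool(events) and all(
        abs(e["timestamp"] - ingest_time) <= limit for e in events)


if __name__ == "__main__":
    for ev in parse_l2tcsv(SAMPLE_L2TCSV):
        print(ev["timestamp"].isoformat(), ev["macb"], ev["filename"],
              "(zone resolved)" if ev["timezone_known"] else "(zone unknown, UTC assumed)")
```

Run against a real psort export, the same check is the quick way to tell a parsing problem from a data problem: if `stamped_with_ingest_time` is true for the raw CSV, the timestamps were already wrong before the file reached the ingest pipeline; if it is false there but the indexed documents all share the load date, the ingest side is the place to look.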