Closed Walishaha closed 1 year ago
Could you paste the first 10-20 rows of CSV that you generated (including any headers)?
Hi @philhagen, thank you for your response. I just double-checked it. There was an issue with my CSV file column names. I was able to trace it using the config file for plaso. It is fixed now.

```
filter {
  if [type] == "plaso" {
    csv {
      separator => ","
      quote_char => "ª"  # workaround: don't use a quote character, as " gives issues if the field contains a "
      columns => ["date","time","timezone","macb","datasource","datasourcetype","eventtype","user","host","short","desc","version","filename","inode","notes","format","extra"]
    }
  }
}
```
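The csv filter above maps fields by position, not by the names in the file's header row, and Logstash's date filter leaves `@timestamp` at the ingest time (tagging the event `_dateparsefailure`) when the date/time fields do not parse, which is exactly the symptom reported in this thread. The following added example (not part of sof-elk or plaso) is a small offline checker for a plaso l2tcsv export: it compares the header against the column list from the filter above, reads rows with quoting disabled (the same idea as the `quote_char` workaround), and parses date/time/timezone into a real event timestamp so bad rows can be spotted before ingestion. The sample CSV is constructed, and the assumption that the timezone column holds `UTC` or a `+HH:MM` offset is the author's, not plaso's documented contract.

```python
"""Offline sanity check for a plaso l2tcsv export before loading it into SOF-ELK.
Added example; not sof-elk or plaso code."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Column order copied from the sof-elk logstash csv filter quoted in this thread.
EXPECTED_COLUMNS = [
    "date", "time", "timezone", "macb", "datasource", "datasourcetype",
    "eventtype", "user", "host", "short", "desc", "version", "filename",
    "inode", "notes", "format", "extra",
]

# Constructed sample in l2tcsv layout (not real case data). The header is spelled
# differently from EXPECTED_COLUMNS on purpose, the third event carries a literal
# double quote, and the last row has a stray comma that breaks the field count.
SAMPLE_CSV = """date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
01/15/2023,08:30:12,UTC,M...,FILE,NTFS USN change,Content Modification Time,-,WORKSTATION1,C:\\Users\\alice\\report.docx,Type: USN_REASON_DATA_OVERWRITE,2,TSK:/$Extend/$UsnJrnl,0,-,usnjrnl,-
01/15/2023,08:31:45,UTC,..C.,LOG,Windows EventLog,Event Logged,-,WORKSTATION1,[4624 / 0x1210] Logon,An account was successfully logged on,2,TSK:/Windows/System32/winevt/Logs/Security.evtx,0,-,winevtx,-
01/15/2023,08:32:01,UTC,...B,LOG,Windows Prefetch,Creation Time,-,WORKSTATION1,Prefetch [TOOL.EXE],Command line: "C:\\tool.exe" /q,2,TSK:/Windows/Prefetch/TOOL.EXE-1A2B3C4D.pf,0,-,prefetch,-
01/15/2023,08:33:10,UTC,M...,FILE,NTFS USN change,Content Modification Time,-,WORKSTATION1,C:\\Windows\\Temp\\x.dll,Loaded module, unsigned,2,TSK:/$Extend/$UsnJrnl,0,-,usnjrnl,-
"""


def header_mismatches(header):
    """Compare a header row (case-insensitively) with EXPECTED_COLUMNS.
    Returns (index, found, expected) tuples; a different count or order matters
    for the positional logstash mapping, a mere spelling difference does not."""
    found_cols = [h.strip().lower() for h in header]
    mismatches = []
    for i in range(max(len(found_cols), len(EXPECTED_COLUMNS))):
        found = found_cols[i] if i < len(found_cols) else None
        expected = EXPECTED_COLUMNS[i] if i < len(EXPECTED_COLUMNS) else None
        if found != expected:
            mismatches.append((i, found, expected))
    return mismatches


def parse_event_time(date_s, time_s, tz_s):
    """Build an aware datetime from l2tcsv date (MM/DD/YYYY), time (HH:MM:SS) and
    timezone label. Assumption: the label is 'UTC' or a '+HH:MM'/'-HH:MM' offset."""
    naive = datetime.strptime(f"{date_s.strip()} {time_s.strip()}", "%m/%d/%Y %H:%M:%S")
    tz = tz_s.strip().upper()
    if tz == "UTC":
        return naive.replace(tzinfo=timezone.utc)
    if len(tz) == 6 and tz[0] in "+-" and tz[3] == ":":
        sign = 1 if tz[0] == "+" else -1
        offset = timedelta(hours=int(tz[1:3]), minutes=int(tz[4:6]))
        return naive.replace(tzinfo=timezone(sign * offset))
    raise ValueError(f"unsupported timezone label: {tz_s!r}")


def load_timeline(text):
    """Parse l2tcsv text. Quoting is disabled so a literal '"' inside a field is
    kept as data, mirroring the quote_char workaround in the logstash filter.
    Returns {'header': [...] or None, 'events': [...], 'bad_rows': [...]}."""
    reader = csv.reader(io.StringIO(text), delimiter=",", quoting=csv.QUOTE_NONE)
    result = {"header": None, "events": [], "bad_rows": []}
    for lineno, row in enumerate(reader, start=1):
        if not row:
            continue
        if lineno == 1 and row[0].strip().lower() == "date":
            result["header"] = row  # logstash would otherwise ingest this as an event
            continue
        if len(row) != len(EXPECTED_COLUMNS):
            result["bad_rows"].append((lineno, f"{len(row)} fields"))
            continue
        event = dict(zip(EXPECTED_COLUMNS, row))
        try:
            event["@timestamp"] = parse_event_time(event["date"], event["time"], event["timezone"])
        except ValueError as exc:
            result["bad_rows"].append((lineno, str(exc)))
            continue
        result["events"].append(event)
    return result


if __name__ == "__main__":
    report = load_timeline(SAMPLE_CSV)
    print("header differences:", header_mismatches(report["header"]))
    for ev in report["events"]:
        print(ev["@timestamp"].isoformat(), ev["macb"], ev["short"])
    print("rows that would not map cleanly:", report["bad_rows"])
```

Run against a real export, the `bad_rows` list is the first place to look when every event lands on the ingest timestamp: a field-count mismatch or an unparseable date/time pair means the positional mapping in the csv filter put the wrong text into `date` and `time`.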
Great to hear it was an easy fix and you're up and running!
Hello,
I generated a super timeline CSV as per the steps mentioned here (https://github.com/philhagen/sof-elk/blob/main/doc/log2timeline-plaso.md). When I dropped the csv into the logstash/plaso directory, it loaded all the timeline rows, but the problem is I can see the timestamps in every row being the time I processed the triage image with plaso and not the actual timeline event.
I hope I was able to explain the issue. Can someone please help if I did something wrong?
Thanks