[Bug]: Plaso check for events broken

Question

[Bug]: Plaso check for events broken

aarontp opened this issue 7 months ago · comments

Aaron Peterson commented 7 months ago

What steps will reproduce the bug?

Run Plaso task on GoogleCloudDisk.

What is the expected behavior?

Plaso timeline output

What do you see instead?

Plaso result was not returned because it says that no results were found.

$ turbinia-client status task 2a6eda8baeb74a5787e7fc58f244a934
2023-10-07 13:26:49,108 INFO turbinia - Using configuration instance name -> default with host http://localhost:8000
## PlasoParserTask (MEDIUM PRIORITY)
* **Evidence:** GoogleCloudDisk
* **Status:** Completed successfully in 0:00:22.464938 on osdfir-release-turbinia-worker-869ccbdbdf-bjnjn. Not adding evidence /mnt/turbiniavolume/output/f3bbc4d90c2a4e7792ccdc90dcb3bac3/1696379566-2a6eda8baeb74a5787e7fc58f244a934-PlasoParserTask/2a6eda8baeb74a5787e7fc58f244a934.plaso. Evidence validation failed with error: PlasoFile validation failed, pinfo.py found no events.
* Task Id: 2a6eda8baeb74a5787e7fc58f244a934
* Executed on worker osdfir-release-turbinia-worker-869ccbdbdf-bjnjn

Looking at the pinfo.py output there are actually results in the file though:

root@7bc7206d51e3:/# pinfo.py /mnt/turbinia/output/tmp/2a6eda8baeb74a5787e7fc58f244a934.plaso 

************************** Plaso Storage Information ***************************
            Filename : 2a6eda8baeb74a5787e7fc58f244a934.plaso
      Format version : 20230327
Serialization format : json
--------------------------------------------------------------------------------

*********************************** Sessions ***********************************
4aaf0e28-1ef6-4d50-9fa0-53114a29564b : 2023-10-04T00:32:49.530712+00:00
--------------------------------------------------------------------------------

******************************** Event sources *********************************
Total : 1605
--------------------------------------------------------------------------------

No events stored.

No events labels stored.

No warnings stored.

No analysis reports stored.

Additional information

No response

Aaron Peterson · Answer 1 · Sun Oct 08 2023 04:31:21 GMT+0800 (China Standard Time)

FYI @jleaniz

Aaron Peterson · Answer 2 · Sun Oct 08 2023 04:34:13 GMT+0800 (China Standard Time)

Some Plaso tasks from this processing request successfully returned results though.

Juan Leaniz · Answer 3 · Mon Oct 09 2023 21:35:15 GMT+0800 (China Standard Time)

Reading the output you posted, it looks like it has no events? It says "No events stored". IIRC, the event sources total is a different thing.

root@7bc7206d51e3:/# pinfo.py /mnt/turbinia/output/tmp/2a6eda8baeb74a5787e7fc58f244a934.plaso 

************************** Plaso Storage Information ***************************
            Filename : 2a6eda8baeb74a5787e7fc58f244a934.plaso
      Format version : 20230327
Serialization format : json
--------------------------------------------------------------------------------

*********************************** Sessions ***********************************
4aaf0e28-1ef6-4d50-9fa0-53114a29564b : 2023-10-04T00:32:49.530712+00:00
--------------------------------------------------------------------------------

******************************** Event sources *********************************
Total : 1605
--------------------------------------------------------------------------------

No events stored.

No events labels stored.

No warnings stored.

No analysis reports stored.

Juan Leaniz · Answer 4 · Thu Oct 26 2023 22:02:53 GMT+0800 (China Standard Time)

Closing - was not able to reproduce and output indicates no events.