-
Notifications
You must be signed in to change notification settings - Fork 352
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
DRAFT: MEGAsync parser #4192
base: main
Are you sure you want to change the base?
DRAFT: MEGAsync parser #4192
Conversation
parser_mediator (ParserMediator): mediates interactions between parsers | ||
and other components, such as storage and dfvfs. | ||
month (int): month observed by the parser, where January is 1. | ||
""" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
MEGASync compresses rotated-out log files using the gzip format. the mtime
timestamp in the gzip stream, however, is empty
making this approach not work. (and currently I just set the estimate to the current year in case of epoch timestamps)
I'm struggling a bit to find a good way to estimate the year of the log file in plaso, other than relying on --preferred-year
.
I've considered some things like accessing the timestamps of the compressed file itself (should be accurate except for some edge cases, but also don't see that the APIs would allow for this currently).
|
||
log_message = self._GetValueFromStructure(structure, 'message') | ||
|
||
for line in self._LINES_OF_INTEREST: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
MEGASync logs are very verbose, so I currently only produce events for log lines that may be of forensic interest. If it's more desirable to produce events for every log entry, I can change this, but I recommend checking out the sample test file for context. (also here if the diff viewer wont show it)
Note that in an environment where MEGAsync ran for more than a few minutes, you will likely have 50 of those log files, totaling some ~4 million lines.
Would need to dig into this first to give you useful advice. Will try to get back to you as soon as time permits. |
One line description of pull request
Implements a parser for MEGAsync logs
Description:
Related issue (if applicable): fixes #4185
Notes:
All contributions to Plaso undergo code
review. This makes sure
that the code has appropriate test coverage and conforms to the Plaso style
guide.
One of the maintainers will examine your code, and may request changes. Check off the items below in
order, and then a maintainer will review your code.
Checklist: