Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

How to use log2timeline in Docker

See original GitHub issue

Description of problem:

Unable to find evidence present in the folder on the host (mapped folder)

Command line and arguments:

docker run -v ~/data:/data log2timeline/plaso log2timeline --storage-file evidences.plaso data/evidences -d

Source data:

https://docs.google.com/document/d/1XM4Gfdojt8fCn_9B8JKk9bcUTXZc0_hzWRUH4mEr7dw/

Plaso version:

20220724

Operating system Plaso is running on:

20.04.4 LTS (Focal Fossa)

Installation method:

docker pull log2timeline/plaso

Debug output/tracebacks:

2022-08-17 13:49:56,030 [INFO] (MainProcess) PID:7 <data_location> Determined data location: /usr/share/plaso
2022-08-17 13:49:56,040 [INFO] (MainProcess) PID:7 <artifact_definitions> Determined artifact definitions path: /usr/share/artifacts
Checking availability and versions of dependencies.
[OK]

No such device, file or directory: /home/plaso/data/evidences

Issue Analytics

State:
Created a year ago
Comments:7 (4 by maintainers)

Top GitHub Comments

1reaction

joachimmetzcommented, Aug 17, 2022

looks like you’re pointing log2timeline at data/evidences (which is /home/plaso/data/evidences inside the container) not at the actual mapped volume /data. Try something like:

docker run -v ~/data:/data log2timeline/plaso log2timeline --storage-file /data/evidences.plaso /data/evidences -d

as indicated here: https://plaso.readthedocs.io/en/latest/sources/user/Installing-with-docker.html

0reactions

splunk-user1commented, Aug 17, 2022

Nm @joachimmetz. This document was a good pointer https://docs.docker.com/storage/volumes/

Fixed broken mapping 😃 Thank you again

Top Results From Across the Web

Plaso in a Docker container - Read the Docs

Use “log2timeline/plaso” if you've just made the image from Docker Hub. First, export the image: $ docker save <CONTAINER_NAME> | gzip -c ...

log2timeline/plaso - Docker Image

log2timeline is a tool designed to extract timestamps from various files found on a typical computer system(s) and aggregate them. The initial purpose...

plaso/Dockerfile at main · log2timeline/plaso - GitHub

plaso/config/docker/Dockerfile · Go to file T · Go to line L · Copy path · Copy permalink.

Containerize Your IR Timelining - Accenture

Accenture explains how Incident Response timelining made easy using Docker Plaso to process artifacts from a large list of source types.

Getting Started with Plaso and Log2Timeline - YouTube

In this episode, we'll take an in-depth look at how to install and use Plaso/ Log2Timeline to create a super timeline of events...