Issue with log2timeline with MacOS artifact-filters

[pm]

Hi

I am unable to get any of the artifact_filters working with MacOS X. Below is the command that ia m running

$log2timeline.py  --artifact_definitions /usr/local/share/artifacts/ --artifact_filters MacOSInstallationLogFile  image.plaso Image.dd

However, log2timeline to gather for the entire image but not for specific artifact as above

$log2timeline.py  --artifact_definitions /usr/local/share/artifacts/   image.plaso Image.dd

Have not attempted to test the artifact filters on a Windows Image yet. 

As specified in the blog that Plaso only supports filtering files, is it only for Windows related Files currently? 

"Specific guidance on how to write new artifacts is available in the project’s wiki. One important note - Plaso only supports filtering files and the Windows Registry keys at present. Artifacts with the COMMAND and WMI source types aren’t supported"

-http://blog.kiddaland.net/ 

Regards,

pm 

[Joachim Metz]

pm, what is the error message that you get?

What is the output you are getting?
What is the output you are expecting?

> --
> You received this message because you are subscribed to the Google Groups "log2timeline-discuss" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to log2timeline-dis...@googlegroups.com.
> To post to this group, send email to log2timeli...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

[Pratik Mehta]

Hi,

The output is as below and no error spotted. The image.plaso file does not have any data apart from the sqlite related and basic data. The expected output would be the installation history of mac os x usually it has base system cache installation time and any upgrades over time to the OS.

LogFile output:

2018-07-18 10:40:06,840 [INFO] (MainProcess) PID:20907 <engine> Preprocessing detected operating systems: MacOS

2018-07-18 10:40:06,841 [INFO] (MainProcess) PID:20907 <extraction_tool> Parser filter expression changed to: macos

2018-07-18 10:40:14,568 [INFO] (MainProcess) PID:20907 <zeromq_queue> Queue main_task_queue responder exiting.

Status view Window Output :

Source path     : /root/Image.dd

Source type     : storage media image

Artifact filters        : [u'MacOSInstallationLogFile']

Processing time : 00:00:02

Tasks:          Queued  Processing      Merging         Abandoned       Total

                0       0               0               0               0

Identifier      PID     Status          Memory          Sources         Events          File

Main            20907   completed       351.6 MiB       0 (0)           0 (0)

Worker_00       20914   idle            264.3 MiB       0 (0)           0 (0)

Worker_01       20916   idle            264.3 MiB       0 (0)           0 (0)

Worker_02       20920   initialized     263.4 MiB       0 (0)           0 (0)

Processing completed.

Regards,

PM

--

Pratik Mehta

[Joachim Metz]

The artifact names filter what paths will be processed

Depending on the available parsers the contents of the file with be parsed
I don't see a MacOS installation log file parser in this
(https://github.com/log2timeline/plaso/wiki) list.

I'm not sure why there are no file system events, something that needs
a closer look.

[Pratik Mehta]

Ok, thanks. 

--

Pratik Mehta