How to import large Plaso file into Timesketch in Docker
Sometimes Timesketch, when run in Docker, chokes on importing a Plaso file that is too large, as in issue #1060. You can still import the file by copying it into the container and running psort.py there, using this shell script:
```sh
#!/bin/sh
#
# Run this script with: timesketch_import_plaso.sh plaso_file [timesketch_container]
# It copies the Plaso file into the Timesketch container, runs psort.py there
# with the timesketch output module, and removes the copy afterwards.
if [ $# -eq 0 ]
then
    echo "Run this script with: $0 plaso_file [timesketch_container]" >&2
    exit 1
fi
if [ ! -f "$1" ]
then
    echo "Plaso file not found: $1" >&2
    exit 1
fi
# Path of the copied file inside the container (docker cp keeps the file name).
DOCKER_PATH="/tmp/$(basename "$1")"
# Timeline name: the file name without its directory and extension.
TIMELINE="$(basename "$1" | sed -e 's/\.[^.]*$//')"
# Default container name for the docker-compose setup; override with the second argument.
CONTAINER=docker_timesketch_1
if [ -n "$2" ]
then
    CONTAINER="$2"
fi
docker cp "$1" "$CONTAINER:/tmp"
docker exec -it "$CONTAINER" psort.py -o timesketch --name "$TIMELINE" "$DOCKER_PATH"
docker exec -it "$CONTAINER" rm "$DOCKER_PATH"
```