Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Timesketch Import Fail #14

Open
gru3zi opened this issue Jan 4, 2024 · 4 comments
Open

Timesketch Import Fail #14

gru3zi opened this issue Jan 4, 2024 · 4 comments
Assignees
@blueteam0ps
Labels
investigating

Comments

@gru3zi
Copy link

gru3zi commented Jan 4, 2024
edited
Loading

Hello and happy new year!

I seem to be having some issues with getting the import working for timesketch.

2024-01-04_09-13

Some background of my configuration

System: Proxmox
OS: Ubuntu 20.04.06
Node-red: Setup via npm (bash <(curl -sL https://raw.githubusercontent.com/node-red/linux-installers/master/deb/update-nodejs-and-nodered). I tried the standard npm install but there were quite a few errors....
I also tried the docker version but couldnt work out how to give the Node-Red account access to the cases folder.
TimeSketch / Log2Timeline: Installed via the recommended tsplaso_docker_install.sh script
For the script there was an error for open search so I had to remove the following items.
image

These are the changes I made in Node Red

Triage Artefact Processor Flow

For the process variable should I leave it as localhost or put the IP that I use to access timesketch?
Also the kape output actually has the logs in /C/Windows/System32/winevt/logs. I see from slack it says its successful so I didnt amend the path.
image

For log2timeline I was not sure from the documentation what to change so I left it as is.
image

image

Hayabusa Process Flow

For Hayabusa I tried the latest version which now uses a wizard prior to starting and thought that might interfere with it starting so I downgraded and used the 2.5.1 version

image

Slack Notifications Flow

Slack notification is configured and works fine.

Thank you for your time and help!

Warm regards,

Marc
@blueteam0ps blueteam0ps self-assigned this Jan 5, 2024
@maxdal89
Copy link

maxdal89 commented Jan 9, 2024

Try with rm ~/.timesketchrc ~/.timesketch.token

@gru3zi
Copy link
Author

gru3zi commented Jan 9, 2024

Still fails unfortunately...

@pentestoles
Copy link

pentestoles commented Jan 30, 2024
edited
Loading

Does the manual upload via the WebUI also fail? If it doesnt it must be a problem with the API.... i think. Im quite new to this.

Update 1: It looks like as if the login by the timesketch_importer fails. The Code seems to expect data in JSON but is most likely getting HTML-Content with denied permission from timesketch-web. Are the credentials all in line?

Update2: I have encountered the same error when uploading my plaso-timeline. I was using the timesketch container(by digest): sha256:6ebfd0b9318a1a6b46e8b5b37745fef2bc8ee11fa5ae1f5977827de69d47bacc.
After i upgraded my timesketch to the latest(sha256:a1c8faf408620eb21a37d9e810af792bbb31786df68e1aa099b6d34e71870d41), the upload was successfull!

@blueteam0ps
Copy link
Owner

Sorry for the delay. I am working an update of the workflow project. In the meantime please checkout if this gets resolved with the latest version of Timesketch and timesketch importer.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@blueteam0ps blueteam0ps

Labels
investigating
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@blueteam0ps @gru3zi @maxdal89 @pentestoles