Timesketch_importer duplicates jsonl events (imports twice) #2796
Comments
Same issue as #2334
@boingomw I see that you have 2 imports reported. This indicates that you ran the importer twice with the same timeline name. That will put the events in the same timeline. Can you confirm that this isn't the case? I can't reproduce this issue on my end.
I did run it twice. Once for the .json file and once for the .plaso file. The issue is that the files both had the same amount of lines in them, but when I imported the json file, it ended up having 2x the number of events. So when you do the process above you end up with 7k for the .json and 7k for the .plaso file?
I can confirm here that timesketch_importer is also creating doubled sources for JSONL imports, doubling the events on searches. The same does not apply to web imports, which seem to import correctly.
If you need a sample jsonl, I can supply. Regards,
I just tried it with:
{"message": "A message","timestamp": 123456789,"datetime": "2015-07-24T19:01:01+00:00","timestamp_desc": "Write time","extra_field_1": "foo"}
{"message": "Another message","timestamp": 123456790,"datetime": "2015-07-24T19:01:02+00:00","timestamp_desc": "Write time","extra_field_1": "bar"}
{"message": "Yet more messages","timestamp": 123456791,"datetime": "2015-07-24T19:01:03+00:00","timestamp_desc": "Write time","extra_field_1": "baz"}
{"message": "Install: zmap:amd64 (1.1.0-1) [Commandline: apt-get install zmap]","timestamp": 123456791,"datetime": "2015-07-24T19:01:03+00:00","timestamp_desc": "foo","command":"Commandline: apt-get install zmap","data_type":"apt:history:line","display_name":"GZIP:/var/log/apt/history.log.1.gz","filename":"/var/log/apt/history.log.1.gz","packages":"Install: zmap:amd64 (1.1.0-1)","parser":"apt_history"}
{"message": "[11 / 0x000b] Source Name: Microsoft-Windows-Sysmon Strings: ['DLL', '2022-01-22 23:07:43.492', '{C784477D-8DE8-61EC-AAAA-000000003C00}', '7812', 'C:\\Windows\\tifubjdl\\lysjbpb.exe', 'C:\\Windows\\itfnduuui\\Corporate\\mimilib.dll', '2022-01-22 23:07:43.492'] Computer Name: DESKTOP-B0TAAAA Record Number: 913 Event Level: 4","computer_name":"DESKTOP-B0TAAAA","data_type":"windows:evtx:record","datetime":"2022-01-22T23:07:43.502205+00:00","display_name":"OS:/data/input/Microsoft-Windows-Sysmon%4Operational.evtx","event_identifier":"11","event_level":"4","message_identifier":"11","parser":"winevtx","source_name":"Microsoft-Windows-Sysmon","timestamp":"1642892863502205","timestamp_desc":"Creation Time"}
Maybe it's volume related and 5 isn't enough lines to trigger
@jaegeral, try this. password: sample123 Regards
@jaegeral I just realized that you're using timesketch cli instead of timesketch-import-client (timesketch_importer). Is there any difference on the approaches?
Hm indeed, it is importing them twice.
fwiw, I am still working on this, it seems my e2e tests in #2976 do not trigger it.
Still seeing this bug in the latest version of TS. Looking at the code this flush call isn't needed since the stream close method calls |
Describe the bug
timesketch_importer runs twice when executed on json_line files, resulting in double events.
To Reproduce
Steps to reproduce the behavior:
log2timeline.py --storage_file example.plaso /usr/bin
pinfo.py example.plaso
timesketch_importer --host http://127.0.0.1:81 -u examiner -p xxxxxx --sketch_id 19 example.plaso
psort.py -o json_line -w example.jsonl example.plaso
wc example.jsonl
timesketch_importer --host http://127.0.0.1:81 -u examiner -p xxxxx --sketch_id 19 example.jsonl
example-jsonl
14.1K events (2 imports: details)
example
7K events (imported with CLI importer tool)
Expected behavior
Expected it to not double import
Desktop (please complete the following information):
latest docker install, as of 6/15/2023
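A quick way to tell whether the doubling is already in the psort JSONL export or is introduced at import time is to count unique events in the file before importing it. The script below is an added example, not part of the Timesketch project or of this issue; it hashes each event's content (ignoring key order) and reports line, valid, unique and duplicate counts, which can be compared with `wc -l` and with the event count Timesketch shows after import. The sample JSONL is constructed in the shape of the lines pasted in the thread.

```python
import hashlib
import json
from collections import Counter

# Fields the Timesketch JSONL importer requires in every event.
REQUIRED_FIELDS = ("message", "datetime", "timestamp_desc")

# Constructed sample in the shape of the JSONL pasted in the thread; the
# last two lines repeat earlier events (one with keys reordered).
SAMPLE_JSONL = """\
{"message": "A message","timestamp": 123456789,"datetime": "2015-07-24T19:01:01+00:00","timestamp_desc": "Write time","extra_field_1": "foo"}
{"message": "Another message","timestamp": 123456790,"datetime": "2015-07-24T19:01:02+00:00","timestamp_desc": "Write time","extra_field_1": "bar"}
{"message": "Yet more messages","timestamp": 123456791,"datetime": "2015-07-24T19:01:03+00:00","timestamp_desc": "Write time","extra_field_1": "baz"}

{"extra_field_1": "foo","timestamp_desc": "Write time","datetime": "2015-07-24T19:01:01+00:00","timestamp": 123456789,"message": "A message"}
{"message": "Another message","timestamp": 123456790,"datetime": "2015-07-24T19:01:02+00:00","timestamp_desc": "Write time","extra_field_1": "bar"}
"""

def event_fingerprint(event):
    """Content hash of an event that ignores key order."""
    canonical = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def audit_jsonl(text):
    """Count lines, valid events, unique events and duplicates in JSONL text.

    `lines` should match `wc -l` minus blank lines; if `unique` is already
    half of `valid`, the doubling is in the export rather than the importer.
    """
    stats = {"lines": 0, "valid": 0, "invalid": 0, "unique": 0, "duplicates": 0}
    seen = Counter()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # blank lines carry no event
        stats["lines"] += 1
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            stats["invalid"] += 1
            continue
        if not isinstance(event, dict) or any(f not in event for f in REQUIRED_FIELDS):
            stats["invalid"] += 1  # not a complete Timesketch event
            continue
        stats["valid"] += 1
        seen[event_fingerprint(event)] += 1
    stats["unique"] = len(seen)
    stats["duplicates"] = stats["valid"] - stats["unique"]
    return stats
```

To run it against a real export, call `audit_jsonl(open("example.jsonl", encoding="utf-8").read())`; a file whose `unique` count equals `valid` but ends up with twice as many events in the sketch points at the importer.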