
Timesketch Import Fail

Open gru3zi opened this issue 1 year ago • 4 comments

Hello and happy new year!

I seem to be having some issues with getting the import working for timesketch.


Some background of my configuration

- System: Proxmox
- OS: Ubuntu 20.04.06
- Node-RED: set up via npm (`bash <(curl -sL https://raw.githubusercontent.com/node-red/linux-installers/master/deb/update-nodejs-and-nodered)`). I tried the standard npm install but there were quite a few errors... I also tried the Docker version but couldn't work out how to give the Node-RED account access to the cases folder.
- Timesketch / Log2Timeline: installed via the recommended tsplaso_docker_install.sh script. For the script there was an error for OpenSearch, so I had to remove the following items.

These are the changes I made in Node Red

Triage Artefact Processor Flow

For the process variable, should I leave it as localhost or put in the IP that I use to access Timesketch? Also, the KAPE output actually has the logs in /C/Windows/System32/winevt/logs. I see from Slack that it says it's successful, so I didn't amend the path.

For log2timeline I was not sure from the documentation what to change, so I left it as is.


Hayabusa Process Flow

For Hayabusa I tried the latest version, which now uses a wizard prior to starting, and thought that might interfere with it starting, so I downgraded and used the 2.5.1 version.


Slack Notifications Flow

Slack notification is configured and works fine.

Thank you for your time and help!

Warm regards,

Marc

gru3zi, Jan 04 '24 09:01

Try with rm ~/.timesketchrc ~/.timesketch.token

maxdal89, Jan 09 '24 13:01

Still fails unfortunately...

gru3zi, Jan 09 '24 20:01

Does the manual upload via the WebUI also fail? If it doesn't, it must be a problem with the API... I think. I'm quite new to this.

Update 1: It looks as if the login by the timesketch_importer fails. The code seems to expect data in JSON but is most likely getting HTML content with a permission-denied response from timesketch-web. Are the credentials all in line?

Update 2: I have encountered the same error when uploading my plaso timeline. I was using the timesketch container (by digest): sha256:6ebfd0b9318a1a6b46e8b5b37745fef2bc8ee11fa5ae1f5977827de69d47bacc. After I upgraded my timesketch to the latest (sha256:a1c8faf408620eb21a37d9e810af792bbb31786df68e1aa099b6d34e71870d41), the upload was successful!

pentestoles, Jan 30 '24 15:01
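An added diagnostic for the failure mode pentestoles describes above (example code written for this thread, not part of the AllthingsTimesketch project or the Timesketch importer): given the status, Content-Type and body of an API reply, it reports whether the server returned JSON or an HTML page such as the web login form, which is what an unauthenticated importer session sees right before its JSON parse fails. The sample replies are constructed, not captured from a real server.

```python
import json
import re
from dataclasses import dataclass


@dataclass
class Diagnosis:
    kind: str    # "json", "html", "empty" or "other"
    detail: str


def diagnose_api_reply(status: int, content_type: str, body: str) -> Diagnosis:
    """Classify one reply from a Timesketch API endpoint.

    The importer expects JSON. An HTML document (typically the web login
    page returned after a redirect) means the session never authenticated,
    so the JSON parse fails downstream with a confusing error.
    """
    ctype = (content_type or "").split(";")[0].strip().lower()
    text = body.strip()
    if not text:
        return Diagnosis("empty", f"HTTP {status} with an empty body")
    # Parse regardless of the declared type; proxies sometimes mislabel JSON.
    try:
        json.loads(text)
        return Diagnosis("json", f"HTTP {status}: valid JSON payload")
    except ValueError:
        pass
    if ctype == "text/html" or re.match(r"(?i)<(!doctype|html)", text):
        has_login = re.search(r'(?i)<form[^>]*login|name="password"', text)
        hint = "login form returned" if has_login else "HTML page returned"
        return Diagnosis("html", f"HTTP {status}: {hint}; not authenticated")
    return Diagnosis("other", f"HTTP {status}: non-JSON {ctype or 'unknown'} body")


# Constructed sample replies (not captured from a real Timesketch server).
SAMPLE_REPLIES = {
    "healthy": (200, "application/json", '{"meta": {}, "objects": []}'),
    "login_page": (200, "text/html; charset=utf-8",
                   '<!DOCTYPE html><html><body><form action="/login/" method="post">'
                   '<input name="username"><input name="password"></form></body></html>'),
    "redirect": (302, "text/html", ""),
}

if __name__ == "__main__":
    for name, (status, ctype, body) in SAMPLE_REPLIES.items():
        d = diagnose_api_reply(status, ctype, body)
        print(f"{name:>10}: {d.kind:5} {d.detail}")
```

Against a live instance you would pass `response.status_code`, `response.headers.get("Content-Type")` and `response.text` from a `requests` response to the same function.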

Sorry for the delay. I am working on an update of the workflow project. In the meantime, please check out whether this gets resolved with the latest version of Timesketch and the timesketch importer.

blueteam0ps, Feb 03 '24 04:02