Problems running log2timeline on a base install

[karlvanderschyff]

Hi there I have just done a base install of the SIFT appliance and when I run log2timeline from the command line I get the following error:

$ log2timeline.py Traceback (most recent call last): File "/usr/bin/log2timeline.py", line 11, in from plaso.cli import log2timeline_tool File "/usr/lib/python3/dist-packages/plaso/cli/log2timeline_tool.py", line 14, in from plaso.cli import extraction_tool File "/usr/lib/python3/dist-packages/plaso/cli/extraction_tool.py", line 20, in from plaso import parsers # pylint: disable=unused-import File "/usr/lib/python3/dist-packages/plaso/parsers/init.py", line 63, in from plaso.parsers import text_plugins File "/usr/lib/python3/dist-packages/plaso/parsers/text_plugins/init.py", line 4, in from plaso.parsers.text_plugins import android_logcat File "/usr/lib/python3/dist-packages/plaso/parsers/text_plugins/android_logcat.py", line 78, in class AndroidLogcatTextPlugin( File "/usr/lib/python3/dist-packages/plaso/parsers/text_plugins/android_logcat.py", line 87, in AndroidLogcatTextPlugin _INTEGER = pyparsing.Word(pyparsing.nums).set_parse_action( AttributeError: '_WordRegex' object has no attribute 'set_parse_action'. Did you mean: 'setParseAction'?

I tried to perform an update and upgrade to see if it helps and it stays the same. I have confirmed this on another install as well.

Any advice where I can start trying to solve this one?

[digitalsleuth]

Hi @karlvanderschyff , for the current issue you're experiencing you can run the following: sudo python3 -m pip install "pyparsing>=3.0.0"

Once done, it should work again. We have a PR issued which will fix this for existing installs, but clean installs in the future won't have this issue.

Cheers!

[karlvanderschyff]

Thank very much @digitalsleuth. Worked 100%.

[joachimmetz]

Duplicate of https://github.com/teamdfir/sift/issues/617

[bmmojo]

@digitalsleuth

Unfortunately, that fix doesn't work for me. I am currently using v0.14.30 (2024-05-06).

I've also tried upgrading pip like the output said but I get the same error when running psteal.py or log2timeline.py

$ sudo python3 -m pip install "pyparsing>=3.0.0"
[sudo] password for ######:
Requirement already satisfied: pyparsing>=3.0.0 in /usr/lib/python3/dist-packages (3.0.9)
WARNING: Keyring is skipped due to an exception: Failed to unlock the item!
WARNING: You are using pip version 21.0.1; however, version 24.0 is available.
You should consider upgrading via the '/usr/bin/python3 -m pip install --upgrade pip' command.

[digitalsleuth]

@bmmojo Were you running the base install using cast, or using the SIFT appliance?

[bmmojo]

@digitalsleuth cast install.

[digitalsleuth]

Hi @bmmojo , could you run the following and provide the output: sudo python3 -m pip list python3 -V (make note, that is a capital V, to determine the version)

[kennykim1]

@bmmojo I had a same error message as shown by you. For me, I've tried a command below, it works. $ python3 -m pip install "pyparsing>=3.0.0 Defaulting to user installation because normal site-packages is not writeable Collecting pyparsing>=3.0.0 Downloading pyparsing-3.1.2-py3-none-any.whl.metadata (5.1 kB) Downloading pyparsing-3.1.2-py3-none-any.whl (103 kB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 103.2/103.2 kB 1.5 MB/s eta 0:00:00 Installing collected packages: pyparsing Attempting uninstall: pyparsing Found existing installation: pyparsing 2.4.7 Uninstalling pyparsing-2.4.7: Successfully uninstalled pyparsing-2.4.7

Seems like my system has old version of pyparsing 2.4.7. after uninstalling, my log2timeline.py commands start to work. $ log2timeline.py -h usage: log2timeline.py

Hope it helps.

[bmmojo]

Sorry for the late reply!

@kennykim1 Your method worked.

@digitalsleuth sudo python3 -m pip list: piplistoutput.txt python3 -V: Python 3.10.12

[ekristen]

Is this still an issue?

[bmmojo]

@ekristen with kenny's fix it now works. So no.

[ekristen]

Good deal. We are working on the 24.04 update. We'll make sure to get this included there and backport to 22.04 if we can.