Wincent Balin

Posted on • Originally published at ofdigitalwater.postach.io on

How to import large Plaso file into Timesketch in Docker

Timesketch, when run in Docker, sometimes fails while importing a Plaso file that is too large (see issue #1060). You can still get the file in by copying it into the container and running psort there, using this shell script:

#!/bin/sh
#
# Run this script with timesketch_import_plaso.sh plaso_file [timesketch_container]

if [ $# -eq 0 ]
then
    echo "Run this script with $0 plaso_file [timesketch_container]"
    exit 1
fi

# Path the file will have inside the container, and the timeline name
# (the file name with its extension stripped).
DOCKER_PATH="/tmp/`basename "$1"`"
TIMELINE="`echo "$1" | sed -e 's/\.[^.]*$//'`"
CONTAINER=docker_timesketch_1
if [ -n "$2" ]
then
    CONTAINER="$2"
fi

# Copy the file into the container, import it with psort, then remove the copy.
docker cp "$1" "$CONTAINER:/tmp"
docker exec -it "$CONTAINER" psort.py -o timesketch --name "$TIMELINE" "$DOCKER_PATH"
docker exec -it "$CONTAINER" rm "$DOCKER_PATH"
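A hardened variant of the same procedure, added here as an example that is not part of the original post: it refuses empty or missing files, checks that the container is actually running before copying anything, drops the -it flags so the import also works without a TTY (for example from cron), and removes the copy from the container even when psort fails. It assumes the container name and the psort.py invocation used above, and it derives the timeline name from the file's base name rather than from the full path.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the default container
# name and the "psort.py -o timesketch --name" invocation used in the post.
set -eu

# Timeline name: file name without directory and without its final extension.
timeline_name() {
    f="$(basename -- "$1")"
    case "$f" in
        *.*) printf '%s\n' "${f%.*}" ;;
        *)   printf '%s\n' "$f" ;;
    esac
}

# Path the file will have inside the container after "docker cp ... :/tmp".
container_path() {
    printf '/tmp/%s\n' "$(basename -- "$1")"
}

# A usable Plaso file must exist and must not be empty.
check_plaso_file() {
    [ -f "$1" ] && [ -s "$1" ]
}

# True only if Docker reports the container as running.
container_running() {
    [ "$(docker inspect -f '{{.State.Running}}' "$1" 2>/dev/null)" = "true" ]
}

import_plaso() {
    file="$1"; container="${2:-docker_timesketch_1}"
    dest="$(container_path "$file")"
    check_plaso_file "$file" || { echo "not a usable file: $file" >&2; return 1; }
    container_running "$container" || { echo "container not running: $container" >&2; return 1; }
    docker cp "$file" "$container:/tmp"
    # Remove the copy from the container on exit, whether or not psort succeeds.
    trap 'docker exec "$container" rm -f "$dest"' EXIT
    # No -it: nothing here needs a terminal, so it also runs from cron or CI.
    docker exec "$container" psort.py -o timesketch --name "$(timeline_name "$file")" "$dest"
}

# Run the import when called with arguments; print usage otherwise.
if [ $# -gt 0 ]; then
    import_plaso "$@"
else
    echo "usage: $0 plaso_file [timesketch_container]" >&2
fi
```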

