timesketch_importer - OSError: Format version: 20230327 is too new and not yet supported about timesketch HOT 9 CLOSED

I saw the docker exec call to log2timeline.py and wondered if it extended further.
sudo docker exec timesketch-web log2timeline.py --troubles
But not to worry, it was just wishful thinking.

I’ve been using the older docker tag to work around it, I’ll add it to our documentation in case anyone else runs into the same issue.

Thanks for your efforts, much appreciated.

from timesketch.

This is not a bug, Timesketch can only import Plaso files up to the version installed on Timesketch. If Plaso files are generated with. newer version, there can be dozen of things in the Plaso files that Timesketch does not know how to handle, which is why you see the error message.

So the solution is to update Plaso on the Timesketch, e.g. by updating Timesketch.

Hope that helps

from timesketch.

Hey @jaegeral, thanks for the response.

As far as I knew, I was using the most up to date version of Timesketch i.e. "TIMESKETCH_VERSION=latest".

Is there something obvious that I'm missing?

My docker-compose.yml file says:
version: "3.7"
services:
timesketch-web:
container_name: timesketch-web
image: us-docker.pkg.dev/osdfir-registry/timesketch/timesketch:${TIMESKETCH_VERSION}

And the config.env file says:
# Timesketch version to run. Latest is build from the master branch and a release
# number is build from a release tag. Using latest means that you are running
# the bleeding edge version and we cannot guarantee that it will not be broken.
TIMESKETCH_VERSION=latest

from timesketch.

Yeah this is something that comes up from time to time, see:
#2589
#2859

I added a few infos / data points in here: #2866 on how to get the versions.

from timesketch.

When I execute the following on the timesketch-web container:
sudo docker exec timesketch-web log2timeline.py --troubles
I get returned:
plaso - log2timeline version 20230311

And when I query, the version from the log2timeline/plaso container:
sudo docker run --rm -v /home/user/data:/data log2timeline/plaso psort --version
I get this returned:
plaso - psort version 20230717

from timesketch.

@jaegeral, please forgive my ignorance, but is there a way to call log2timeline/plaso from inside the Timesketch Docker container?

So that you know you’re using the same version as will be ingesting the plaso file later on?

from timesketch.

You mean docker in docker? I think that is not possible. But yeah your output in #2865 (comment) confirms, the file you uploaded was created with a to new Plaso version.

So one thing you can do is check which version you have installed in your Timesketch system and have Plaso only create the plaso file you will upload later with that very Plaso version. So you could process your evidence with:
docker pull log2timeline/plaso:20230311 (see: https://hub.docker.com/r/log2timeline/plaso/tags)

from timesketch.

And to be clear, I understand that it is a problem and that it needs some better integration / documentation to not run into those situations, but at the moment we do not have a short result for this :-/

from timesketch.

It’s all good, I’ll sure you’ll work out a better long term solution, it’s an awesome project, a few minor things like this will always crop up.

from timesketch.