text/apache_access warns about "Found a line preceeding match" #4893

Open
AlexForensic opened this issue Jul 12, 2024 · 8 comments
Labels: pending reporter input (Issue is pending input from the reporter)

Comments

@AlexForensic

Describe the problem:

The file is 10 TB in size.
When I parse it with any version of plaso, I get this error:
"2024-07-12 17:40:01,367 [DEBUG] (MainProcess) PID:279899 unable to parse string with error: Found a line preceeding match.
2024-07-12 17:40:01,407 [DEBUG] (MainProcess) PID:279899 unable to parse string with error: Found a line preceeding match.
2024-07-12 17:40:01,458 [DEBUG] (MainProcess) PID:279899 unable to parse string with error: Found a line preceeding match.
2024-07-12 17:40:01,481 [DEBUG] (MainProcess) PID:279899 unable to parse string with error: Found a line preceeding match.
2024-07-12 17:40:01,546 [DEBUG] (MainProcess) PID:279899 unable to parse string with error: Found a line preceeding match.
2024-07-12 17:40:01,712 [DEBUG] (MainProcess) PID:279899 unable to parse string with error: Found a line preceeding match.
2024-07-12 17:40:02,144 [DEBUG] (MainProcess) PID:279899 unable to parse string with error: Found a line preceeding match.
2024-07-12 17:40:02,288 [DEBUG] (MainProcess) PID:279899 unable to parse string with error: Found a line preceeding match.
2024-07-12 17:40:02,352 [DEBUG] (MainProcess) PID:279899 unable to parse string with error: Found a line preceeding match.
2024-07-12 17:40:02,561 [DEBUG] (MainProcess) PID:279899 unable to parse string with error: Found a line preceeding match.
2024-07-12 17:40:02,788 [DEBUG] (MainProcess) PID:279899 unable to parse string with error: Found a line preceeding match.
2024-07-12 17:40:02,919 [DEBUG] (MainProcess) PID:279899 unable to parse string with error: Found a line preceeding match.
2024-07-12 17:40:02,939 [DEBUG] (MainProcess) PID:279899 unable to parse string with error: Found a line preceeding match.".

Why? Can you explain it to me, please?

@joachimmetz
Member

@AlexForensic this is not an "error", this is a warning that a particular file cannot be correctly parsed. Can you provide more details (such as the ones requested in the GitHub issue template)?

@AlexForensic
Author

@joachimmetz this file is an access.log file extracted from Debian 11. My command uses the parser "text".

@joachimmetz
Member

Unfortunately this is insufficient information for me to do anything with this report.

@AlexForensic
Author

@joachimmetz OK, sorry. What information do you require?

@joachimmetz
Member

Have a look at the issue template: https://github.com/log2timeline/plaso/issues/new?assignees=&labels=&projects=&template=problem-report.md&title=

I would also need an example of the log lines that the warning applies to, so sharing a short section of the log that can reproduce the issue would be beneficial.

@AlexForensic
Author

@joachimmetz

192.168.10.1 - - [27/Sep/2022:11:26:31 +0200] "GET /code/Chat/server.php HTTP/1.1" 200 660 "https:///code/FicheClient/Bienvenue.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
::1 - - [27/Sep/2022:11:26:31 +0200] "GET /server-status?auto HTTP/1.1" 200 1396 "-" "-"
192.168.10.1 - - [27/Sep/2022:11:26:32 +0200] "GET /code/Chat/server.php HTTP/1.1" 200 5197 "/code/FicheClient/Bienvenue.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
::1 - - [27/Sep/2022:11:26:32 +0200] "GET /server-status?auto HTTP/1.1" 200 1398 "-" "-"
::1 - - [27/Sep/2022:11:26:33 +0200] "GET /server-status?auto HTTP/1.1" 200 1389 "-" "-"
::1 - - [27/Sep/2022:11:26:34 +0200] "GET /server-status?auto HTTP/1.1" 200 1397 "-" "-"
::1 - - [27/Sep/2022:11:26:35 +0200] "GET /server-status?auto HTTP/1.1" 200 1394 "-" "-"
::1 - - [27/Sep/2022:11:26:36 +0200] "GET /server-status?auto HTTP/1.1" 200 1398 "-" "-"
::1 - - [27/Sep/2022:11:26:37 +0200] "GET /server-status?auto HTTP/1.1" 200 1395 "-" "-"
::1 - - [27/Sep/2022:11:26:38 +0200] "GET /server-status?auto HTTP/1.1" 200 1398 "-" "-"
::1 - - [27/Sep/2022:11:26:39 +0200] "GET /server-status?auto HTTP/1.1" 200 1394 "-" "-"
::1 - - [27/Sep/2022:11:26:40 +0200] "GET /server-status?auto HTTP/1.1" 200 1397 "-" "-"
::1 - - [27/Sep/2022:11:26:41 +0200] "GET /server-status?auto HTTP/1.1" 200 1398 "-" "-"
::1 - - [27/Sep/2022:11:26:42 +0200] "GET /server-status?auto HTTP/1.1" 200 1398 "-" "-"
::1 - - [27/Sep/2022:11:26:43 +0200] "GET /server-status?auto HTTP/1.1" 200 1396 "-" "-"
::1 - - [27/Sep/2022:11:26:44 +0200] "GET /server-status?auto HTTP/1.1" 200 1404 "-" "-"
::1 - - [27/Sep/2022:11:26:45 +0200] "GET /server-status?auto HTTP/1.1" 200 1405 "-" "-"
::1 - - [27/Sep/2022:11:26:46 +0200] "GET /server-status?auto HTTP/1.1" 200 1405 "-" "-"
::1 - - [27/Sep/2022:11:26:47 +0200] "GET /server-status?auto HTTP/1.1" 200 1402 "-" "-"
::1 - - [27/Sep/2022:11:26:48 +0200] "GET /server-status?auto HTTP/1.1" 200 1406 "-" "-"
::1 - - [27/Sep/2022:11:26:49 +0200] "GET /server-status?auto HTTP/1.1" 200 1406 "-" "-"
::1 - - [27/Sep/2022:11:26:50 +0200] "GET /server-status?auto HTTP/1.1" 200 1406 "-" "-"
::1 - - [27/Sep/2022:11:26:51 +0200] "GET /server-status?auto HTTP/1.1" 200 1403 "-" "-"
::1 - - [27/Sep/2022:11:26:52 +0200] "GET /server-status?auto HTTP/1.1" 200 1406 "-" "-"
::1 - - [27/Sep/2022:11:26:53 +0200] "GET /server-status?auto HTTP/1.1" 200 1406 "-" "-"
::1 - - [27/Sep/2022:11:26:54 +0200] "GET /server-status?auto HTTP/1.1" 200 1407 "-" "-"
::1 - - [27/Sep/2022:11:26:55 +0200] "GET /server-status?auto HTTP/1.1" 200 1407 "-" "-"
192.168.10.1 - - [27/Sep/2022:11:26:56 +0200] "GET /code/Chat/server.php HTTP/1.1" 200 813 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
::1 - - [27/Sep/2022:11:26:56 +0200] "GET /server-status?auto HTTP/1.1" 200 1407 "-" "-"
::1 - - [27/Sep/2022:11:26:57 +0200] "GET /server-status?auto HTTP/1.1" 200 1407 "-" "-"
::1 - - [27/Sep/2022:11:26:58 +0200] "GET /server-status?auto HTTP/1.1" 200 1407 "-" "-"
::1 - - [27/Sep/2022:11:26:59 +0200] "GET /server-status?auto HTTP/1.1" 200 1406 "-" "-"
::1 - - [27/Sep/2022:11:27:00 +0200] "GET /server-status?auto HTTP/1.1" 200 1407 "-" "-"
::1 - - [27/Sep/2022:11:27:01 +0200] "GET /server-status?auto HTTP/1.1" 200 1407 "-" "-"
192.168.10.1 - - [27/Sep/2022:11:27:01 +0200] "GET /code/Chat/server.php HTTP/1.1" 200 813 "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
::1 - - [27/Sep/2022:11:27:02 +0200] "GET /server-status?auto HTTP/1.1" 200 1406 "-" "-"
::1 - - [27/Sep/2022:11:27:03 +0200] "GET /server-status?auto HTTP/1.1" 200 1398 "-" "-"
::1 - - [27/Sep/2022:11:27:04 +0200] "GET /server-status?auto HTTP/1.1" 200 1406 "-" "-"
::1 - - [27/Sep/2022:11:27:05 +0200] "GET /server-status?auto HTTP/1.1" 200 1407 "-" "-"
::1 - - [27/Sep/2022:11:27:06 +0200] "GET /server-status?auto HTTP/1.1" 200 1407 "-" "-"
::1 - - [27/Sep/2022:11:27:07 +0200] "GET /server-status?auto HTTP/1.1" 200 1404 "-" "-"
::1 - - [27/Sep/2022:11:27:08 +0200] "GET /server-status?auto HTTP/1.1" 200 1402 "-" "-"
::1 - - [27/Sep/2022:11:27:09 +0200] "GET /server-status?auto HTTP/1.1" 200 1406 "-" "-"
31.36.119.140 - - [27/Sep/2022:11:27:10 +0200] "GET /code/Chat/server.php HTTP/1.1" 200 813 "https://code/FicheClient/Bienvenue.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
::1 - - [27/Sep/2022:11:27:10 +0200] "GET /server-status?auto HTTP/1.1" 200 1407 "-" "-"
::1 - - [27/Sep/2022:11:27:11 +0200] "GET /server-status?auto HTTP/1.1" 200 1408 "-" "-"
::1 - - [27/Sep/2022:11:27:12 +0200] "GET /server-status?auto HTTP/1.1" 200 1408 "-" "-"
::1 - - [27/Sep/2022:11:27:13 +0200] "GET /server-status?auto HTTP/1.1" 200 1402 "-" "-"
::1 - - [27/Sep/2022:11:27:14 +0200] "GET /server-status?auto HTTP/1.1" 200 1407 "-" "-"
::1 - - [27/Sep/2022:11:27:15 +0200] "GET /server-status?auto HTTP/1.1" 200 1404 "-" "-"
::1 - - [27/Sep/2022:11:27:16 +0200] "GET /server-status?auto HTTP/1.1" 200 1406 "-" "-"
::1 - - [27/Sep/2022:11:27:17 +0200] "GET /server-status?auto HTTP/1.1" 200 1405 "-" "-"
::1 - - [27/Sep/2022:11:27:18 +0200] "GET /server-status?auto HTTP/1.1" 200 1398 "-" "-"
::1 - - [27/Sep/2022:11:27:19 +0200] "GET /server-status?auto HTTP/1.1" 200 1406 "-" "-"
::1 - - [27/Sep/2022:11:27:20 +0200] "GET /server-status?auto HTTP/1.1" 200 1406 "-" "-"
::1 - - [27/Sep/2022:11:27:21 +0200] "GET /server-status?auto HTTP/1.1" 200 1406 "-" "-"
::1 - - [27/Sep/2022:11:27:22 +0200] "GET /server-status?auto HTTP/1.1" 200 1371 "-" "-"
::1 - - [27/Sep/2022:11:27:23 +0200] "GET /server-status?auto HTTP/1.1" 200 1403 "-" "-"
::1 - - [27/Sep/2022:11:27:24 +0200] "GET /server-status?auto HTTP/1.1" 200 1409 "-" "-"
192.168.10.1 - - [27/Sep/2022:11:27:25 +0200] "GET /code/hal42/index.html?module=demande_production HTTP/1.1" 200 7513 "https:/code/FicheClient/Bienvenue.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:105.0) Gecko/20100101 Firefox/105.0"
::1 - - [27/Sep/2022:11:27:25 +0200] "GET /server-status?auto HTTP/1.1" 200 1408 "-" "-"
192.168.10.1 - - [27/Sep/2022:11:27:25 +0200] "GET /code/api/S?id=11 HTTP/1.1" 200 723 "https://no-ip.org:8181/code/hal42/index.html?module=demande_production" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:105.0) Gecko/20100101 Firefox/105.0"
192.168.10.1 - - [27/Sep/2022:11:27:25 +0200] "GET /code/api/ProdGraph_TypeProduction HTTP/1.1" 200 622 "https://.no-ip.org:8181/code/hal42/index.html?module=demande_production" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:105.0) Gecko/20100101 Firefox/105.0"
192.168.10.1 - - [27/Sep/2022:11:27:25 +0200] "GET /code/api/enums/?url=enums&list=ProdGraphique HTTP/1.1" 200 39383 "https://.no-ip.org:8181/code/hal42/index.html?module=demande_production" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:105.0) Gecko/20100101 Firefox/105.0"
192.168.10.1 - - [27/Sep/2022:11:27:25 +0200] "GET /code/api/ProdGraph_Magasin HTTP/1.1" 200 7844 "https://-ip.org:8181/code/hal42/index.html?module=demande_production" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:105.0) Gecko/20100101 Firefox/105.0"

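The excerpt above is in Apache's "combined" log format, and a practitioner triaging an "unable to parse string" warning on a large access log usually wants two things: a quick way to find which lines do not match the expected grammar, and a way to spot lines that do match but carry odd field values (the excerpt has referers such as `"https:///code/..."`, `"https:/code/..."` and an empty `""` where Apache normally writes `"-"`). The following is an added example, not plaso code and not the grammar plaso's `text/apache_access` parser uses; the regular expression is this example's own reading of the combined `LogFormat`, the sample lines are copied from the excerpt plus one constructed junk line, and `referer_is_odd` is a heuristic of this example only.

```python
"""Validate Apache 'combined' access-log lines before timeline ingestion.

Added example: the COMBINED_RE pattern is an assumption of this example
(a common reading of "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\"
\"%{User-Agent}i\""), not the grammar used by plaso.
"""
import re
from datetime import datetime
from urllib.parse import urlsplit

COMBINED_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)

# Sample input: four lines from the issue's excerpt plus one constructed
# non-log line, so that the reject path is exercised as well.
SAMPLE_LINES = [
    '192.168.10.1 - - [27/Sep/2022:11:26:31 +0200] "GET /code/Chat/server.php HTTP/1.1" 200 660 '
    '"https:///code/FicheClient/Bienvenue.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) '
    'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"',
    '::1 - - [27/Sep/2022:11:26:31 +0200] "GET /server-status?auto HTTP/1.1" 200 1396 "-" "-"',
    '192.168.10.1 - - [27/Sep/2022:11:26:56 +0200] "GET /code/Chat/server.php HTTP/1.1" 200 813 '
    '"" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/105.0.0.0 Safari/537.36"',
    '192.168.10.1 - - [27/Sep/2022:11:27:25 +0200] "GET /code/hal42/index.html?module=demande_production '
    'HTTP/1.1" 200 7513 "https:/code/FicheClient/Bienvenue.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X '
    '10.15; rv:105.0) Gecko/20100101 Firefox/105.0"',
    'constructed junk line that is not an access log record',
]


def parse_access_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    match = COMBINED_RE.match(line.rstrip('\r\n'))
    if not match:
        return None
    rec = match.groupdict()
    # %t is "[day/Mon/year:HH:MM:SS zone]"; the numeric zone is kept as tzinfo.
    rec['timestamp'] = datetime.strptime(rec.pop('time'), '%d/%b/%Y:%H:%M:%S %z')
    rec['status'] = int(rec['status'])
    rec['size'] = None if rec['size'] == '-' else int(rec['size'])
    # Apache writes "-" for an absent Referer; normalise that to None but keep
    # a genuinely empty string ("") distinct so it can be flagged later.
    if rec['referer'] == '-':
        rec['referer'] = None
    parts = rec['request'].split(' ')
    if len(parts) == 3:
        rec['method'], rec['path'], rec['protocol'] = parts
    else:
        rec['method'], rec['path'], rec['protocol'] = None, rec['request'], None
    return rec


def parse_log(lines):
    """Split input into parsed records and a list of (line_number, text) rejects."""
    records, rejected = [], []
    for number, line in enumerate(lines, start=1):
        rec = parse_access_line(line)
        if rec is None:
            rejected.append((number, line))
        else:
            records.append(rec)
    return records, rejected


def referer_is_odd(referer):
    """Heuristic: a referer that matched the grammar but is not a usable URL
    (empty string, or an http(s) URL whose host part is missing)."""
    if referer is None:
        return False
    if referer == '':
        return True
    parts = urlsplit(referer)
    return parts.scheme in ('http', 'https') and parts.netloc == ''


def find_referer_anomalies(records):
    """Records whose referer field is syntactically present but not a real URL."""
    return [rec for rec in records if referer_is_odd(rec['referer'])]


if __name__ == '__main__':
    records, rejected = parse_log(SAMPLE_LINES)
    print(f'{len(records)} parsed, {len(rejected)} rejected')
    for number, text in rejected:
        print(f'  line {number} rejected: {text[:60]}')
    for rec in find_referer_anomalies(records):
        print(f'  odd referer {rec["referer"]!r} at {rec["timestamp"].isoformat()}')
```

Running this over a suspect section of a real log gives a line-numbered list of what the grammar rejects, which is the information a parser maintainer needs to reproduce a warning. The pattern deliberately does not handle backslash-escaped quotes inside the request or User-Agent fields (Apache emits `\"` there), so lines containing them land in the reject list rather than being silently misread; that limitation is intentional for a validation tool and should be widened only once the log's actual `LogFormat` is known.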

@joachimmetz joachimmetz self-assigned this Jul 13, 2024
@joachimmetz joachimmetz added the parsers Issues related to parsers and parser plug-ins label Jul 13, 2024
@joachimmetz joachimmetz changed the title Impossible to parse access lo Improve access.log parser - warns about "Found a line preceeding match" Jul 13, 2024
@joachimmetz
Member

Thanks I'll take a closer look when time permits

@joachimmetz joachimmetz reopened this Jul 13, 2024
@joachimmetz
Member

@AlexForensic what version of Plaso are you running?

log2timeline.py --parsers=text/apache_access access.log on my test machine with HEAD does not generate any of the extraction warnings you mention. Are you sure this section of the log generates the warnings for you?

@joachimmetz joachimmetz added pending reporter input Issue is pending input from the reporter and removed parsers Issues related to parsers and parser plug-ins labels Jul 15, 2024
@joachimmetz joachimmetz changed the title Improve access.log parser - warns about "Found a line preceeding match" text/apache_access warns about "Found a line preceeding match" Jul 15, 2024