Draft: implemented text parser plugin for Apple ps.txt files. #4861
Conversation
| self.CheckEventData(event_data, expected_event_values) | ||
|
|
||
| expected_event_values = { | ||
| 'command': '/System/Library/PrivateFrameworks/' |
There was a problem hiding this comment.
style nit: use (...) to split the string cross lines
| ' TIME COMMAND') + pyparsing.LineEnd()) | ||
|
|
||
| _COMMAND = pyparsing.OneOrMore( | ||
| pyparsing.Word(pyparsing.printables), |
There was a problem hiding this comment.
style nit: 4 space continuation indentation
| ParseError: if the structure cannot be parsed. | ||
| """ | ||
| # Retrieve the data from the file's metadata | ||
| self._SetEstimatedDate(parser_mediator) |
There was a problem hiding this comment.
Move this into CheckRequiredFormat e.g. https://github.com/log2timeline/plaso/blob/main/plaso/parsers/text_plugins/syslog.py#L761 so this check only happens once
| hours = 0 | ||
|
|
||
| # Retrieve year, month, day from dateless helper | ||
| year = self._date[0] |
There was a problem hiding this comment.
Based on the format I assume date here should be the most recent date. However the date-less log helper will do the opposite it will return the earliest date as its base. The idea of the date-less log helper is to store successive dates relative so that one could change it after extraction if needed.
There was a problem hiding this comment.
I disagree on that point. Since the file is created once by the ps command and should not be modified, the earliest timestamp should be the correct one. If the file is moved or accessed, then the most recent date would not be correct. For instance, the test file on my system as an earliest date of April 13, 2022 (modified) whereas the latest date is April 12, 2024 (accessed today).
|
|
||
| except (TypeError, ValueError) as exception: | ||
| raise errors.ParseError( | ||
| f'Unable to parse time elements with error: {exception}') |
There was a problem hiding this comment.
style nit: to keep consistent with the rest of the code base please use {exception!s}
|
@rick-slin I will give this format some more thought, it does not fully match the use-case of the date-less log helper as with syslog where the log entries are (mostly) chronological. Some hints (not the same) to the format based on Linux Would be good to have an example of a process that has more than 999 minutes of cpu time |
|
I don't understand the significance of the entries not being chronological. I can see the usefulness of moving the handling of the three cases from the plugin to the helper. I can try to setup an experiment for a long lived process but I don't see how that field would impact the start time column as they appear to be independent. |
this would be more to see if there is an edge case for the format of the TIME value
This is related to the inner workings of the date-less log helper |
…dled a compressed text file, fixed the plugin name in the presets.
Description:
DRAFT: Implemented a text parser plugin for Apple ps.txt files found in sysdiagnose dumps. It uses the DatelessLogHelper
Related issue (if applicable): fixes4697
Notes:
All contributions to Plaso undergo code review.
This makes sure that the code has appropriate test coverage and conforms to the
Plaso style guide.
One of the maintainers will examine your code, and may request changes. Check off the items below in
order, and then a maintainer will review your code.
Checklist: