diff --git a/api/download.go b/api/download.go
index f7df0f42b06..d811091ba17 100644
--- a/api/download.go
+++ b/api/download.go
@@ -26,7 +26,6 @@ package api
 import (
- "bytes"
 "fmt"
 "html"
 "io"
@@ -225,7 +224,7 @@ func vfsFileDownloadHandler() http.Handler {
 w.Header().Set("Content-Disposition", "attachment; "+
 sanitizeFilenameForAttachment(filename))
 w.Header().Set("Content-Type",
- detectMime(output, request.DetectMime))
+ utils.GetMimeString(output, utils.AutoDetectMime(request.DetectMime)))
 w.Header().Set("Content-Range",
 fmt.Sprintf("bytes %d-%d/%d", request.Offset, next_offset, total_size))
 w.WriteHeader(200)
@@ -288,7 +287,8 @@ func vfsFileDownloadHandler() http.Handler {
 w.Header().Set("Content-Disposition", "attachment; "+
 sanitizeFilenameForAttachment(filename))
 w.Header().Set("Content-Type",
- detectMime(buf[:n], request.DetectMime))
+ utils.GetMimeString(buf[:n],
+ utils.AutoDetectMime(request.DetectMime)))
 w.WriteHeader(200)
 headers_sent = true
 }
@@ -369,16 +369,6 @@ func filterData(reader_at io.ReaderAt,
 return output, offset, nil
 }
-func detectMime(buffer []byte, detect_mime bool) string {
- if detect_mime && len(buffer) > 8 {
- if 0 == bytes.Compare(
- []byte("\x89\x50\x4E\x47\x0D\x0A\x1A\x0A"), buffer[:8]) {
- return "image/png"
- }
- }
- return "binary/octet-stream"
-}
-
 func getRows(
 ctx context.Context,
 config_obj *config_proto.Config,
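Review bot: On the new side of the `@@ -225` and `@@ -288` hunks (and the `@@ -507` hunk of this file further down) the `Content-Type` header is now whatever `utils.GetMimeString` sniffs from the leading bytes of content the server did not author, whereas the removed `detectMime` could only ever answer `image/png` or `binary/octet-stream`. `Content-Disposition: attachment` stops inline rendering, but the handler should still send `w.Header().Set("X-Content-Type-Options", "nosniff")` alongside a sniffed type, and unless `GetMimeString` already does so (it is not visible here) it should fall back to the octet-stream type for active types such as `text/html` or `image/svg+xml` before they reach the header. The `binary/octet-stream` fallback carried over from `detectMime` is not a registered media type; `application/octet-stream` is what clients expect for an opaque attachment. vfsFileDownloadHandler's body begins and ends outside these hunks.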
@@ -507,14 +497,27 @@ func downloadFileStore(prefix []string) http.Handler {
 return
 }
+ buf := pool.Get().([]byte)
+ defer pool.Put(buf)
+
+ // Read the first buffer for mime detection.
+ n, err := fd.Read(buf)
+ if err != nil {
+ returnError(w, 404, err.Error())
+ return
+ }
+
+ // From here on we already sent the headers and we can
 // not really report an error to the client.
 w.Header().Set("Content-Disposition", "attachment; "+
 sanitizePathspecForAttachment(path_spec))
- w.Header().Set("Content-Type", "binary/octet-stream")
+ w.Header().Set("Content-Type",
+ utils.GetMimeString(buf[:n], utils.AutoDetectMime(true)))
 w.WriteHeader(200)
+ w.Write(buf[:n])
+ // Copy the rest directly.
 utils.Copy(r.Context(), w, fd)
 })
 }
diff --git a/api/notebooks.go b/api/notebooks.go
index 9a4524b51bb..c0d3f763286 100644
--- a/api/notebooks.go
+++ b/api/notebooks.go
@@ -467,8 +467,6 @@ func (self *ApiServer) UploadNotebookAttachment(
 if err != nil {
 return nil, Status(self.verbose, err)
 }
-
- res.MimeType = detectMime([]byte(in.Data), true)
 return res, nil
 }
diff --git a/artifacts/definitions/Linux/Events/Journal.yaml b/artifacts/definitions/Linux/Events/Journal.yaml
new file mode 100644
index 00000000000..19bcdafdc01
--- /dev/null
+++ b/artifacts/definitions/Linux/Events/Journal.yaml
@@ -0,0 +1,21 @@
+name: Linux.Events.Journal
+description: |
+ Watches the binary journal logs. Systemd uses a binary log format to
+ store logs.
+
+type: CLIENT_EVENT
+
+parameters:
+- name: JournalGlob
+ type: glob
+ description: A Glob expression for finding journal files.
+ default: /{run,var}/log/journal/*/*.journal
+
+sources:
+- query: |
+ SELECT * FROM foreach(row={
+ SELECT OSPath FROM glob(globs=JournalGlob)
+ }, query={
+ SELECT *
+ FROM watch_journald(filename=OSPath)
+ }, workers=100)
diff --git a/artifacts/definitions/Linux/Forensics/Journal.yaml b/artifacts/definitions/Linux/Forensics/Journal.yaml
index 1f76805e038..44a175cc641 100644
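Review bot: `fd.Read(buf)` in the `@@ -507` hunk returns `0, io.EOF` for an empty file, so the new `if err != nil` guard turns a download that previously succeeded with an empty body into a 404; the guard should read `if err != nil && !errors.Is(err, io.EOF) {` (`io` is already imported per the first hunk; add `errors` to the import block if the file does not have it). A read failure on a file that was already opened is also not a "not found" condition, and passing `err.Error()` straight to `returnError` echoes the internal error text, which may include file-store paths, to the client; a fixed message with the detail logged server-side would be safer. The unchecked `w.Write(buf[:n])` is consistent with the comment that errors cannot be reported after the headers go out, but a trailing `// error cannot be reported once headers are sent` would stop the next reader from flagging it. downloadFileStore's handler closure starts outside the hunk.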
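Review bot: With `res.MimeType = detectMime(...)` removed, UploadNotebookAttachment no longer sets `MimeType` on its response unless the call that produces `res` (just above the `if err != nil`, outside the hunk) now fills it in; nothing in this diff shows that it does, so consumers of the field would see an empty string. If the helper does populate it, a one-line `// MimeType is filled in by the attachment writer.` above `return res, nil` would make that explicit; if it does not, the assignment should be restored with the replacement helper, `res.MimeType = utils.GetMimeString([]byte(in.Data), utils.AutoDetectMime(true))`, importing `utils` in this file if it is not already. The function's signature and the start of its body lie outside the hunk.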
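Review bot: `workers=100` in the `Linux.Events.Journal` query bounds the number of concurrent `watch_journald()` calls, and because each call presumably runs for the lifetime of the event query, journal files matched by `JournalGlob` beyond the first 100 would never be watched; the bound deserves a comment in the query, or a parameter so it can be raised on hosts with many journal files. The `glob()` is also evaluated once when the query starts, so files created later by journal rotation are only covered if `watch_journald()` handles that itself, which is not visible here, and the description should state which it is. A sentence such as `Each row is one journal entry as emitted by watch_journald(); the set of watched files is fixed when the event query starts.` would document both points, assuming the second holds.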
--- a/artifacts/definitions/Linux/Forensics/Journal.yaml
+++ b/artifacts/definitions/Linux/Forensics/Journal.yaml
@@ -1,14 +1,7 @@
 name: Linux.Forensics.Journal
 description: |
 Parses the binary journal logs. Systemd uses a binary log format to
- store logs. You can read these logs using journalctl command:
-
- `journalctl --file /run/log/journal/*/*.journal`
-
- This artifact uses the Velociraptor Binary parser to parse the
- binary format. The format is documented
- https://systemd.io/JOURNAL_FILE_FORMAT/
-
+ store logs.
 parameters:
 - name: JournalGlob
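Review bot: The trimmed description in this hunk no longer says how the journal is parsed, while the following hunk replaces the inline binary profile with the `parse_journald()` plugin; a sentence such as `This artifact uses the built-in parse_journald() plugin; the file format is documented at https://systemd.io/JOURNAL_FILE_FORMAT/.` would keep the reference the old text carried. It should also mention that each row is now emitted as `System` and `EventData` objects rather than the earlier `Offset`/`Timestamp`/`Data` columns, since that is the shape shown in the updated `linux_systemd.out.yaml` expectations and is what existing notebooks and hunts would need to adapt to.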
@@ -16,168 +9,23 @@ parameters: description: A Glob expression for finding journal files. default: /{run,var}/log/journal/*/*.journal -- name: OnlyShowMessage - type: bool - description: If set we only show the message entry (similar to syslog). - - name: AlsoUpload type: bool description: If set we also upload the raw files. -export: | - LET JournalProfile = '''[ - ["Header", "x=>x.header_size", [ - ["Signature", 0, "String", { - "length": 8, - }], - ["compatible_flags", 8, uint32], - ["incompatible_flags", 12, Flags, { - type: uint32, - bitmap: { - COMPRESSED_XZ: 0, - COMPRESSED_LZ4: 1, - KEYED_HASH: 2, - COMPRESSED_ZSTD: 3, - COMPACT: 4, - } - }], - ["IsCompact", 12, BitField, { - type: uint32, - start_bit: 4, - end_bit: 5, - }], - ["header_size", 88, "uint64"], - ["arena_size", 96, "uint64"], - ["n_objects", 144, uint64], - ["n_entries", 152, uint64], - ["Objects", "x=>x.header_size", "Array", { - "type": "ObjectHeader", - "count": "x=>x.n_objects", - "max_count": 100000 - }] - ]], - - ["ObjectHeader", "x=>x.size", [ - ["Offset", 0, "Value", { - "value": "x=>x.StartOf", - }], - ["type", 0, "Enumeration",{ - "type": "uint8", - "choices": { - "0": OBJECT_UNUSED, - "1": OBJECT_DATA, - "2": OBJECT_FIELD, - "3": OBJECT_ENTRY, - "4": OBJECT_DATA_HASH_TABLE, - "5": OBJECT_FIELD_HASH_TABLE, - "6": OBJECT_ENTRY_ARRAY, - "7": OBJECT_TAG, - } - }], - ["flags", 1, "uint8"], - ["__real_size", 8, "uint64"], - ["__round_size", 8, "Value", { - "value": "x=>int(int=x.__real_size / 8) * 8", - }], - ["size", 0, "Value", { - "value": "x=>if(condition=x.__real_size = x.__round_size, then=x.__round_size, else=x.__round_size + 8)", - }], - ["payload", 16, Union, { - "selector": "x=>x.type", - "choices": { - "OBJECT_DATA": DataObject, - "OBJECT_ENTRY": EntryObject, - } - }] - ]], - ["DataObject", 0, [ - ["payload", "x=>DataOffset", String] - ]], - - # This is basically a single log line - - # it is really a list of references to data Objects - ["EntryObject", 0, [ - ["seqnum", 0, 
"uint64"], - ["realtime", 8, "uint64"], - ["monotonic", 16, "uint64"], - ["_items", 48, Array, { - "type": EntryItem, - "count": 50, - "sentinel": "x=>NOT x.object", - }], - ["_items_compact", 48, Array, { - "type": CompatEntryItem, - "count": 50, - "sentinel": "x=>NOT x.object", - }], - ["items", 0, Value, { - value: "x=>if(condition=IsCompact, then=x._items_compact, else=x._items)", - }] - ]], - - ["CompatEntryItem", 4, [ - ["object", 0, uint32] - ]], - ["EntryItem", 16, [ - ["object", 0, "uint64"], - ]], - ] - ''' - - -- We make a quick pass over the file to get all the OBJECT_ENTRY - -- objects which are all we care about. By extracting Just the - -- offsets of the OBJECT_ENTRY Objects in the first pass we can - -- free memory we wont need. - LET Offsets(File) = SELECT Offset - FROM foreach(row=parse_binary(filename=File, profile=JournalProfile, - struct="Header").Objects) - WHERE type = "OBJECT_ENTRY" - - - -- Now parse the ObjectEntry in each offset - LET _ParseFile(File) = - SELECT Offset, - parse_binary( - filename=File, profile=JournalProfile, - struct="ObjectHeader", offset=Offset) AS Parsed - FROM Offsets(File=File) - - - -- Extract the timestamps and all the attributes - LET ParseFile(File) = SELECT * FROM foreach(row={ - -- If the file is compact the payload is shifted by 8 bytes. 
- SELECT parse_binary( - filename=File, - profile=JournalProfile, - struct="Header").IsCompact * 8 + 48 AS DataOffset, - parse_binary( - filename=File, - profile=JournalProfile, - struct="Header").IsCompact AS IsCompact - FROM scope() - - }, query={ - SELECT File, Offset, - timestamp(epoch=Parsed.payload.realtime) AS Timestamp, - { - SELECT parse_binary( - filename=File, - profile=JournalProfile, - struct="ObjectHeader", - offset=_value).payload.payload AS Line - FROM foreach(row=Parsed.payload.items.object) - WHERE Line - } AS Data - FROM _ParseFile(File=File) +sources: +- name: Uploads + query: | + SELECT * FROM if(condition=AlsoUpload, + then={ + SELECT OSPath, upload(file=OSPath) AS Upload + FROM glob(globs=JournalGlob) }) -sources: - query: | SELECT * FROM foreach(row={ SELECT OSPath FROM glob(globs=JournalGlob) }, query={ - SELECT *, if(condition=OnlyShowMessage, - then=filter(list=Data, regex="^MESSAGE=")[0], else=Data) AS Data, - if(condition=AlsoUpload, then=upload(file=File)) AS Upload - FROM ParseFile(File=OSPath) + SELECT * + FROM parse_journald(filename=OSPath) }) diff --git a/artifacts/testdata/server/testcases/linux_systemd.in.yaml b/artifacts/testdata/server/testcases/linux_systemd.in.yaml index 10b5246167e..840a7991694 100644 --- a/artifacts/testdata/server/testcases/linux_systemd.in.yaml +++ b/artifacts/testdata/server/testcases/linux_systemd.in.yaml @@ -21,16 +21,12 @@ Queries: - LET _ <= remap(config=format(format=RemappingTemplate, args=srcDir), copy=["zip", "file"], clear=TRUE) -- SELECT Offset, Timestamp, Data +- SELECT * FROM Artifact.Linux.Forensics.Journal( JournalGlob='/system.journal') -- SELECT Offset, Timestamp, Data - FROM Artifact.Linux.Forensics.Journal(OnlyShowMessage=TRUE, - JournalGlob='/system.journal') - # Check that we also support compact style files -- SELECT Offset, Timestamp, Data +- SELECT * FROM Artifact.Linux.Forensics.Journal( JournalGlob='/compact.journal') LIMIT 10 
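Review bot: Removing the `OnlyShowMessage` parameter in the `@@ -16,168` hunk is a breaking change for any saved hunt, notebook or calling artifact that passes `OnlyShowMessage=TRUE` to `Linux.Forensics.Journal` (the deleted `linux_systemd.in.yaml` query did exactly that), and such callers would presumably now either fail or silently lose the filtering. Either keep the parameter and apply it to the new layout, e.g. `SELECT *, if(condition=OnlyShowMessage, then=EventData.MESSAGE, else=EventData) AS EventData FROM parse_journald(filename=OSPath)`, or record the removal in the description so operators know to update their queries. The new `Uploads` source runs its own `glob()` independently of the parsing source, so a file that rotates between the two passes can be parsed but not uploaded or the reverse; a short comment above `- name: Uploads` saying the two sources are evaluated independently would set expectations.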
diff --git a/artifacts/testdata/server/testcases/linux_systemd.out.yaml b/artifacts/testdata/server/testcases/linux_systemd.out.yaml
index 05a43f5fd69..5d0d30484b8 100644
--- a/artifacts/testdata/server/testcases/linux_systemd.out.yaml
+++ b/artifacts/testdata/server/testcases/linux_systemd.out.yaml
@@ -1,457 +1,484 @@ -LET _ <= remap(config=format(format=RemappingTemplate, args=srcDir), copy=["zip", "file"], clear=TRUE)[]SELECT Offset, Timestamp, Data FROM Artifact.Linux.Forensics.Journal( JournalGlob='/system.journal')[ +LET _ <= remap(config=format(format=RemappingTemplate, args=srcDir), copy=["zip", "file"], clear=TRUE)[]SELECT * FROM Artifact.Linux.Forensics.Journal( JournalGlob='/system.journal')[ { - "Offset": 151352, - "Timestamp": "2023-05-09T01:31:12.435195Z", - "Data": [ - "PRIORITY=6", - "SYSLOG_FACILITY=3", - "TID=1", - "CODE_FILE=src/core/unit.c", - "CODE_LINE=2474", - "CODE_FUNC=unit_log_resources", - "SYSLOG_IDENTIFIER=systemd", - "CPU_USAGE_NSEC=5643944000", - "MESSAGE=session-717.scope: Consumed 5.643s CPU time.", - "MESSAGE_ID=ae8f7b866b0347b9af31fe1c80b127c0", - "UNIT=session-717.scope", - "INVOCATION_ID=b1659c39e4e94e9ca8fdb5ba9f9f6cb3", - "_TRANSPORT=journal", - "_PID=1", - "_UID=0", - "_GID=0", - "_COMM=systemd", - "_EXE=/usr/lib/systemd/systemd", - "_CMDLINE=/sbin/init", - "_CAP_EFFECTIVE=1ffffffffff", - "_SELINUX_CONTEXT=unconfined\n", - "_SYSTEMD_CGROUP=/init.scope", - "_SYSTEMD_UNIT=init.scope\u0002", - "_SYSTEMD_SLICE=-.slice", - "_SOURCE_REALTIME_TIMESTAMP=1683595864438049", - "_BOOT_ID=25557887eed141e0ad99932789c02184", - "_MACHINE_ID=4e7cbddbe9494fb9876af4e3e85c9eb4", - "_HOSTNAME=devbox\u0002" - ] - } -]SELECT Offset, Timestamp, Data FROM Artifact.Linux.Forensics.Journal(OnlyShowMessage=TRUE, JournalGlob='/system.journal')[ - { - "Offset": 151352, - "Timestamp": "2023-05-09T01:31:12.435195Z", - "Data": "MESSAGE=session-717.scope: Consumed 5.643s CPU time." 
+ "System": { + "Seq": 19161, + "Timestamp": "2023-05-09T01:31:12.435195Z", + "_TRANSPORT": "journal", + "_PID": 1, + "_UID": 0, + "_GID": 0, + "_COMM": "systemd", + "_EXE": "/usr/lib/systemd/systemd", + "_CMDLINE": "/sbin/init", + "_CAP_EFFECTIVE": "1ffffffffff", + "_SELINUX_CONTEXT": "unconfined\n", + "_SYSTEMD_CGROUP": "/init.scope", + "_SYSTEMD_UNIT": "init.scope", + "_SYSTEMD_SLICE": "-.slice", + "SOURCE_REALTIME_TIMESTAMP": "2023-05-09T01:31:04.438049Z", + "_BOOT_ID": "25557887eed141e0ad99932789c02184", + "_MACHINE_ID": "4e7cbddbe9494fb9876af4e3e85c9eb4", + "_HOSTNAME": "devbox" + }, + "EventData": { + "PRIORITY": 6, + "SYSLOG_FACILITY": 3, + "TID": 1, + "CODE_FILE": "src/core/unit.c", + "CODE_LINE": 2474, + "CODE_FUNC": "unit_log_resources", + "SYSLOG_IDENTIFIER": "systemd", + "CPU_USAGE_NSEC": "5643944000", + "MESSAGE": "session-717.scope: Consumed 5.643s CPU time.", + "MESSAGE_ID": "ae8f7b866b0347b9af31fe1c80b127c0", + "UNIT": "session-717.scope", + "INVOCATION_ID": "b1659c39e4e94e9ca8fdb5ba9f9f6cb3" + }, + "_Source": "Linux.Forensics.Journal" } -]SELECT Offset, Timestamp, Data FROM Artifact.Linux.Forensics.Journal( JournalGlob='/compact.journal') LIMIT 10[ +]SELECT * FROM Artifact.Linux.Forensics.Journal( JournalGlob='/compact.journal') LIMIT 10[ { - "Offset": 3738584, - "Timestamp": "2024-07-19T07:52:28.539547Z", - "Data": [ - "PRIORITY=6", - "SYSLOG_FACILITY=3", - "TID=3137\u0002", - "CODE_FILE=src/core/main.c", - "CODE_LINE=2382", - "CODE_FUNC=do_queue_default_job", - "SYSLOG_IDENTIFIER=systemd", - "MESSAGE=Queued start job for default target default.target.", - "_TRANSPORT=journal", - "_PID=3137", - "_UID=1000", - "_GID=1000", - "_COMM=systemd", - "_EXE=/usr/lib/systemd/systemd", - "_CMDLINE=/usr/lib/systemd/systemd --user\u0002", - "_CAP_EFFECTIVE=800000000\u0002", - "_SELINUX_CONTEXT=unconfined\n", - "_AUDIT_SESSION=3\u0002", - "_AUDIT_LOGINUID=1000", - "_SYSTEMD_CGROUP=/user.slice/user-1000.slice/user@1000.service/init.scope\u0002", - 
"_SYSTEMD_OWNER_UID=1000", - "_SYSTEMD_UNIT=user@1000.service", - "_SYSTEMD_USER_UNIT=init.scope", - "_SYSTEMD_SLICE=user-1000.slice", - "_SYSTEMD_USER_SLICE=-.slice", - "_SOURCE_REALTIME_TIMESTAMP=1721375548539281", - "_BOOT_ID=23a9ab0f82de434496c353945dcf5919", - "_MACHINE_ID=832249f87a0d447097d88407cb0c44e1", - "_HOSTNAME=devbox\u0002", - "_RUNTIME_SCOPE=system" - ] + "System": { + "Seq": 4837, + "Timestamp": "2024-07-19T07:52:28.539547Z", + "_TRANSPORT": "journal", + "_PID": 3137, + "_UID": 1000, + "_GID": 1000, + "_COMM": "systemd", + "_EXE": "/usr/lib/systemd/systemd", + "_CMDLINE": "/usr/lib/systemd/systemd --user", + "_CAP_EFFECTIVE": "800000000", + "_SELINUX_CONTEXT": "unconfined\n", + "_AUDIT_SESSION": 3, + "_AUDIT_LOGINUID": 1000, + "_SYSTEMD_CGROUP": "/user.slice/user-1000.slice/user@1000.service/init.scope", + "_SYSTEMD_OWNER_UID": "1000", + "_SYSTEMD_UNIT": "user@1000.service", + "_SYSTEMD_USER_UNIT": "init.scope", + "_SYSTEMD_SLICE": "user-1000.slice", + "_SYSTEMD_USER_SLICE": "-.slice", + "SOURCE_REALTIME_TIMESTAMP": "2024-07-19T07:52:28.539281Z", + "_BOOT_ID": "23a9ab0f82de434496c353945dcf5919", + "_MACHINE_ID": "832249f87a0d447097d88407cb0c44e1", + "_HOSTNAME": "devbox", + "_RUNTIME_SCOPE": "system" + }, + "EventData": { + "PRIORITY": 6, + "SYSLOG_FACILITY": 3, + "TID": 3137, + "CODE_FILE": "src/core/main.c", + "CODE_LINE": 2382, + "CODE_FUNC": "do_queue_default_job", + "SYSLOG_IDENTIFIER": "systemd", + "MESSAGE": "Queued start job for default target default.target." 
+ }, + "_Source": "Linux.Forensics.Journal" }, { - "Offset": 3740288, - "Timestamp": "2024-07-19T07:52:28.556361Z", - "Data": [ - "PRIORITY=6", - "SYSLOG_FACILITY=3", - "TID=3137\u0002", - "SYSLOG_IDENTIFIER=systemd", - "_TRANSPORT=journal", - "_PID=3137", - "_UID=1000", - "_GID=1000", - "_COMM=systemd", - "_EXE=/usr/lib/systemd/systemd", - "_CMDLINE=/usr/lib/systemd/systemd --user\u0002", - "_CAP_EFFECTIVE=800000000\u0002", - "_SELINUX_CONTEXT=unconfined\n", - "_AUDIT_SESSION=3\u0002", - "_AUDIT_LOGINUID=1000", - "_SYSTEMD_CGROUP=/user.slice/user-1000.slice/user@1000.service/init.scope\u0002", - "_SYSTEMD_OWNER_UID=1000", - "_SYSTEMD_UNIT=user@1000.service", - "_SYSTEMD_USER_UNIT=init.scope", - "_SYSTEMD_SLICE=user-1000.slice", - "_SYSTEMD_USER_SLICE=-.slice", - "_BOOT_ID=23a9ab0f82de434496c353945dcf5919", - "_MACHINE_ID=832249f87a0d447097d88407cb0c44e1", - "_HOSTNAME=devbox\u0002", - "_RUNTIME_SCOPE=system", - "CODE_FILE=src/core/job.c\u0001", - "CODE_LINE=796", - "CODE_FUNC=job_emit_done_message", - "MESSAGE=Created slice app.slice - User Application Slice.", - "JOB_ID=11", - "JOB_TYPE=start", - "JOB_RESULT=done", - "USER_INVOCATION_ID=cd69d947db534ca480f9052257dccc86", - "MESSAGE_ID=39f53479d3a045ac8e11786248231fbf", - "USER_UNIT=app.slice", - "_SOURCE_REALTIME_TIMESTAMP=1721375548556287" - ] + "System": { + "Seq": 4838, + "Timestamp": "2024-07-19T07:52:28.556361Z", + "_TRANSPORT": "journal", + "_PID": 3137, + "_UID": 1000, + "_GID": 1000, + "_COMM": "systemd", + "_EXE": "/usr/lib/systemd/systemd", + "_CMDLINE": "/usr/lib/systemd/systemd --user", + "_CAP_EFFECTIVE": "800000000", + "_SELINUX_CONTEXT": "unconfined\n", + "_AUDIT_SESSION": 3, + "_AUDIT_LOGINUID": 1000, + "_SYSTEMD_CGROUP": "/user.slice/user-1000.slice/user@1000.service/init.scope", + "_SYSTEMD_OWNER_UID": "1000", + "_SYSTEMD_UNIT": "user@1000.service", + "_SYSTEMD_USER_UNIT": "init.scope", + "_SYSTEMD_SLICE": "user-1000.slice", + "_SYSTEMD_USER_SLICE": "-.slice", + "_BOOT_ID": 
"23a9ab0f82de434496c353945dcf5919", + "_MACHINE_ID": "832249f87a0d447097d88407cb0c44e1", + "_HOSTNAME": "devbox", + "_RUNTIME_SCOPE": "system", + "SOURCE_REALTIME_TIMESTAMP": "2024-07-19T07:52:28.556287Z" + }, + "EventData": { + "PRIORITY": 6, + "SYSLOG_FACILITY": 3, + "TID": 3137, + "SYSLOG_IDENTIFIER": "systemd", + "CODE_FILE": "src/core/job.c", + "CODE_LINE": 796, + "CODE_FUNC": "job_emit_done_message", + "MESSAGE": "Created slice app.slice - User Application Slice.", + "JOB_ID": "11", + "JOB_TYPE": "start", + "JOB_RESULT": "done", + "USER_INVOCATION_ID": "cd69d947db534ca480f9052257dccc86", + "MESSAGE_ID": "39f53479d3a045ac8e11786248231fbf", + "USER_UNIT": "app.slice" + }, + "_Source": "Linux.Forensics.Journal" }, { - "Offset": 3742064, - "Timestamp": "2024-07-19T07:52:28.557602Z", - "Data": [ - "PRIORITY=6", - "SYSLOG_FACILITY=3", - "TID=3137\u0002", - "SYSLOG_IDENTIFIER=systemd", - "_TRANSPORT=journal", - "_PID=3137", - "_UID=1000", - "_GID=1000", - "_COMM=systemd", - "_EXE=/usr/lib/systemd/systemd", - "_CMDLINE=/usr/lib/systemd/systemd --user\u0002", - "_CAP_EFFECTIVE=800000000\u0002", - "_SELINUX_CONTEXT=unconfined\n", - "_AUDIT_SESSION=3\u0002", - "_AUDIT_LOGINUID=1000", - "_SYSTEMD_CGROUP=/user.slice/user-1000.slice/user@1000.service/init.scope\u0002", - "_SYSTEMD_OWNER_UID=1000", - "_SYSTEMD_UNIT=user@1000.service", - "_SYSTEMD_USER_UNIT=init.scope", - "_SYSTEMD_SLICE=user-1000.slice", - "_SYSTEMD_USER_SLICE=-.slice", - "_BOOT_ID=23a9ab0f82de434496c353945dcf5919", - "_MACHINE_ID=832249f87a0d447097d88407cb0c44e1", - "_HOSTNAME=devbox\u0002", - "_RUNTIME_SCOPE=system", - "CODE_FILE=src/core/job.c\u0001", - "CODE_LINE=796", - "CODE_FUNC=job_emit_done_message", - "JOB_TYPE=start", - "JOB_RESULT=done", - "MESSAGE_ID=39f53479d3a045ac8e11786248231fbf", - "MESSAGE=Created slice session.slice - User Core Session Slice.", - "JOB_ID=29", - "USER_INVOCATION_ID=0135a5e6665047be9c067b2c0aecbb19", - "USER_UNIT=session.slice", - 
"_SOURCE_REALTIME_TIMESTAMP=1721375548557543" - ] + "System": { + "Seq": 4839, + "Timestamp": "2024-07-19T07:52:28.557602Z", + "_TRANSPORT": "journal", + "_PID": 3137, + "_UID": 1000, + "_GID": 1000, + "_COMM": "systemd", + "_EXE": "/usr/lib/systemd/systemd", + "_CMDLINE": "/usr/lib/systemd/systemd --user", + "_CAP_EFFECTIVE": "800000000", + "_SELINUX_CONTEXT": "unconfined\n", + "_AUDIT_SESSION": 3, + "_AUDIT_LOGINUID": 1000, + "_SYSTEMD_CGROUP": "/user.slice/user-1000.slice/user@1000.service/init.scope", + "_SYSTEMD_OWNER_UID": "1000", + "_SYSTEMD_UNIT": "user@1000.service", + "_SYSTEMD_USER_UNIT": "init.scope", + "_SYSTEMD_SLICE": "user-1000.slice", + "_SYSTEMD_USER_SLICE": "-.slice", + "_BOOT_ID": "23a9ab0f82de434496c353945dcf5919", + "_MACHINE_ID": "832249f87a0d447097d88407cb0c44e1", + "_HOSTNAME": "devbox", + "_RUNTIME_SCOPE": "system", + "SOURCE_REALTIME_TIMESTAMP": "2024-07-19T07:52:28.557543Z" + }, + "EventData": { + "PRIORITY": 6, + "SYSLOG_FACILITY": 3, + "TID": 3137, + "SYSLOG_IDENTIFIER": "systemd", + "CODE_FILE": "src/core/job.c", + "CODE_LINE": 796, + "CODE_FUNC": "job_emit_done_message", + "JOB_TYPE": "start", + "JOB_RESULT": "done", + "MESSAGE_ID": "39f53479d3a045ac8e11786248231fbf", + "MESSAGE": "Created slice session.slice - User Core Session Slice.", + "JOB_ID": "29", + "USER_INVOCATION_ID": "0135a5e6665047be9c067b2c0aecbb19", + "USER_UNIT": "session.slice" + }, + "_Source": "Linux.Forensics.Journal" }, { - "Offset": 3743104, - "Timestamp": "2024-07-19T07:52:28.557814Z", - "Data": [ - "PRIORITY=6", - "SYSLOG_FACILITY=3", - "TID=3137\u0002", - "SYSLOG_IDENTIFIER=systemd", - "_TRANSPORT=journal", - "_PID=3137", - "_UID=1000", - "_GID=1000", - "_COMM=systemd", - "_EXE=/usr/lib/systemd/systemd", - "_CMDLINE=/usr/lib/systemd/systemd --user\u0002", - "_CAP_EFFECTIVE=800000000\u0002", - "_SELINUX_CONTEXT=unconfined\n", - "_AUDIT_SESSION=3\u0002", - "_AUDIT_LOGINUID=1000", - 
"_SYSTEMD_CGROUP=/user.slice/user-1000.slice/user@1000.service/init.scope\u0002", - "_SYSTEMD_OWNER_UID=1000", - "_SYSTEMD_UNIT=user@1000.service", - "_SYSTEMD_USER_UNIT=init.scope", - "_SYSTEMD_SLICE=user-1000.slice", - "_SYSTEMD_USER_SLICE=-.slice", - "_BOOT_ID=23a9ab0f82de434496c353945dcf5919", - "_MACHINE_ID=832249f87a0d447097d88407cb0c44e1", - "_HOSTNAME=devbox\u0002", - "_RUNTIME_SCOPE=system", - "CODE_FILE=src/core/job.c\u0001", - "CODE_LINE=796", - "CODE_FUNC=job_emit_done_message", - "JOB_TYPE=start", - "JOB_RESULT=done", - "MESSAGE_ID=39f53479d3a045ac8e11786248231fbf", - "MESSAGE=Started ubuntu-report.path - Pending report trigger for Ubuntu Report.", - "JOB_ID=34", - "USER_INVOCATION_ID=79fb13c9db64446c91f4997535aacc1d", - "USER_UNIT=ubuntu-report.path", - "_SOURCE_REALTIME_TIMESTAMP=1721375548557773" - ] + "System": { + "Seq": 4840, + "Timestamp": "2024-07-19T07:52:28.557814Z", + "_TRANSPORT": "journal", + "_PID": 3137, + "_UID": 1000, + "_GID": 1000, + "_COMM": "systemd", + "_EXE": "/usr/lib/systemd/systemd", + "_CMDLINE": "/usr/lib/systemd/systemd --user", + "_CAP_EFFECTIVE": "800000000", + "_SELINUX_CONTEXT": "unconfined\n", + "_AUDIT_SESSION": 3, + "_AUDIT_LOGINUID": 1000, + "_SYSTEMD_CGROUP": "/user.slice/user-1000.slice/user@1000.service/init.scope", + "_SYSTEMD_OWNER_UID": "1000", + "_SYSTEMD_UNIT": "user@1000.service", + "_SYSTEMD_USER_UNIT": "init.scope", + "_SYSTEMD_SLICE": "user-1000.slice", + "_SYSTEMD_USER_SLICE": "-.slice", + "_BOOT_ID": "23a9ab0f82de434496c353945dcf5919", + "_MACHINE_ID": "832249f87a0d447097d88407cb0c44e1", + "_HOSTNAME": "devbox", + "_RUNTIME_SCOPE": "system", + "SOURCE_REALTIME_TIMESTAMP": "2024-07-19T07:52:28.557773Z" + }, + "EventData": { + "PRIORITY": 6, + "SYSLOG_FACILITY": 3, + "TID": 3137, + "SYSLOG_IDENTIFIER": "systemd", + "CODE_FILE": "src/core/job.c", + "CODE_LINE": 796, + "CODE_FUNC": "job_emit_done_message", + "JOB_TYPE": "start", + "JOB_RESULT": "done", + "MESSAGE_ID": "39f53479d3a045ac8e11786248231fbf", + 
"MESSAGE": "Started ubuntu-report.path - Pending report trigger for Ubuntu Report.", + "JOB_ID": "34", + "USER_INVOCATION_ID": "79fb13c9db64446c91f4997535aacc1d", + "USER_UNIT": "ubuntu-report.path" + }, + "_Source": "Linux.Forensics.Journal" }, { - "Offset": 3743920, - "Timestamp": "2024-07-19T07:52:28.557908Z", - "Data": [ - "PRIORITY=6", - "SYSLOG_FACILITY=3", - "TID=3137\u0002", - "SYSLOG_IDENTIFIER=systemd", - "_TRANSPORT=journal", - "_PID=3137", - "_UID=1000", - "_GID=1000", - "_COMM=systemd", - "_EXE=/usr/lib/systemd/systemd", - "_CMDLINE=/usr/lib/systemd/systemd --user\u0002", - "_CAP_EFFECTIVE=800000000\u0002", - "_SELINUX_CONTEXT=unconfined\n", - "_AUDIT_SESSION=3\u0002", - "_AUDIT_LOGINUID=1000", - "_SYSTEMD_CGROUP=/user.slice/user-1000.slice/user@1000.service/init.scope\u0002", - "_SYSTEMD_OWNER_UID=1000", - "_SYSTEMD_UNIT=user@1000.service", - "_SYSTEMD_USER_UNIT=init.scope", - "_SYSTEMD_SLICE=user-1000.slice", - "_SYSTEMD_USER_SLICE=-.slice", - "_BOOT_ID=23a9ab0f82de434496c353945dcf5919", - "_MACHINE_ID=832249f87a0d447097d88407cb0c44e1", - "_HOSTNAME=devbox\u0002", - "_RUNTIME_SCOPE=system", - "CODE_FILE=src/core/job.c\u0001", - "CODE_LINE=796", - "CODE_FUNC=job_emit_done_message", - "JOB_TYPE=start", - "JOB_RESULT=done", - "MESSAGE_ID=39f53479d3a045ac8e11786248231fbf", - "MESSAGE=Started launchpadlib-cache-clean.timer - Clean up old files in the Launchpadlib cache.", - "JOB_ID=6\u0001", - "USER_INVOCATION_ID=496609a7297345c7a179956ac00fbc5d", - "USER_UNIT=launchpadlib-cache-clean.timer\u0001", - "_SOURCE_REALTIME_TIMESTAMP=1721375548557834" - ] + "System": { + "Seq": 4841, + "Timestamp": "2024-07-19T07:52:28.557908Z", + "_TRANSPORT": "journal", + "_PID": 3137, + "_UID": 1000, + "_GID": 1000, + "_COMM": "systemd", + "_EXE": "/usr/lib/systemd/systemd", + "_CMDLINE": "/usr/lib/systemd/systemd --user", + "_CAP_EFFECTIVE": "800000000", + "_SELINUX_CONTEXT": "unconfined\n", + "_AUDIT_SESSION": 3, + "_AUDIT_LOGINUID": 1000, + "_SYSTEMD_CGROUP": 
"/user.slice/user-1000.slice/user@1000.service/init.scope", + "_SYSTEMD_OWNER_UID": "1000", + "_SYSTEMD_UNIT": "user@1000.service", + "_SYSTEMD_USER_UNIT": "init.scope", + "_SYSTEMD_SLICE": "user-1000.slice", + "_SYSTEMD_USER_SLICE": "-.slice", + "_BOOT_ID": "23a9ab0f82de434496c353945dcf5919", + "_MACHINE_ID": "832249f87a0d447097d88407cb0c44e1", + "_HOSTNAME": "devbox", + "_RUNTIME_SCOPE": "system", + "SOURCE_REALTIME_TIMESTAMP": "2024-07-19T07:52:28.557834Z" + }, + "EventData": { + "PRIORITY": 6, + "SYSLOG_FACILITY": 3, + "TID": 3137, + "SYSLOG_IDENTIFIER": "systemd", + "CODE_FILE": "src/core/job.c", + "CODE_LINE": 796, + "CODE_FUNC": "job_emit_done_message", + "JOB_TYPE": "start", + "JOB_RESULT": "done", + "MESSAGE_ID": "39f53479d3a045ac8e11786248231fbf", + "MESSAGE": "Started launchpadlib-cache-clean.timer - Clean up old files in the Launchpadlib cache.", + "JOB_ID": "6", + "USER_INVOCATION_ID": "496609a7297345c7a179956ac00fbc5d", + "USER_UNIT": "launchpadlib-cache-clean.timer" + }, + "_Source": "Linux.Forensics.Journal" }, { - "Offset": 3744856, - "Timestamp": "2024-07-19T07:52:28.558591Z", - "Data": [ - "PRIORITY=6", - "SYSLOG_FACILITY=3", - "TID=3137\u0002", - "SYSLOG_IDENTIFIER=systemd", - "_TRANSPORT=journal", - "_PID=3137", - "_UID=1000", - "_GID=1000", - "_COMM=systemd", - "_EXE=/usr/lib/systemd/systemd", - "_CMDLINE=/usr/lib/systemd/systemd --user\u0002", - "_CAP_EFFECTIVE=800000000\u0002", - "_SELINUX_CONTEXT=unconfined\n", - "_AUDIT_SESSION=3\u0002", - "_AUDIT_LOGINUID=1000", - "_SYSTEMD_CGROUP=/user.slice/user-1000.slice/user@1000.service/init.scope\u0002", - "_SYSTEMD_OWNER_UID=1000", - "_SYSTEMD_UNIT=user@1000.service", - "_SYSTEMD_USER_UNIT=init.scope", - "_SYSTEMD_SLICE=user-1000.slice", - "_SYSTEMD_USER_SLICE=-.slice", - "_BOOT_ID=23a9ab0f82de434496c353945dcf5919", - "_MACHINE_ID=832249f87a0d447097d88407cb0c44e1", - "_HOSTNAME=devbox\u0002", - "_RUNTIME_SCOPE=system", - "CODE_FILE=src/core/job.c\u0001", - "CODE_LINE=796", - 
"CODE_FUNC=job_emit_done_message", - "JOB_TYPE=start", - "JOB_RESULT=done", - "MESSAGE_ID=39f53479d3a045ac8e11786248231fbf", - "MESSAGE=Started snap.firmware-updater.firmware-notifier.timer - Timer firmware-notifier for snap application firmware-updater.firmware-notifier.\u0001", - "JOB_ID=8\u0001", - "USER_INVOCATION_ID=a88af3c77d11478bbf5231ea637643b9", - "USER_UNIT=snap.firmware-updater.firmware-notifier.timer", - "_SOURCE_REALTIME_TIMESTAMP=1721375548558541" - ] + "System": { + "Seq": 4842, + "Timestamp": "2024-07-19T07:52:28.558591Z", + "_TRANSPORT": "journal", + "_PID": 3137, + "_UID": 1000, + "_GID": 1000, + "_COMM": "systemd", + "_EXE": "/usr/lib/systemd/systemd", + "_CMDLINE": "/usr/lib/systemd/systemd --user", + "_CAP_EFFECTIVE": "800000000", + "_SELINUX_CONTEXT": "unconfined\n", + "_AUDIT_SESSION": 3, + "_AUDIT_LOGINUID": 1000, + "_SYSTEMD_CGROUP": "/user.slice/user-1000.slice/user@1000.service/init.scope", + "_SYSTEMD_OWNER_UID": "1000", + "_SYSTEMD_UNIT": "user@1000.service", + "_SYSTEMD_USER_UNIT": "init.scope", + "_SYSTEMD_SLICE": "user-1000.slice", + "_SYSTEMD_USER_SLICE": "-.slice", + "_BOOT_ID": "23a9ab0f82de434496c353945dcf5919", + "_MACHINE_ID": "832249f87a0d447097d88407cb0c44e1", + "_HOSTNAME": "devbox", + "_RUNTIME_SCOPE": "system", + "SOURCE_REALTIME_TIMESTAMP": "2024-07-19T07:52:28.558541Z" + }, + "EventData": { + "PRIORITY": 6, + "SYSLOG_FACILITY": 3, + "TID": 3137, + "SYSLOG_IDENTIFIER": "systemd", + "CODE_FILE": "src/core/job.c", + "CODE_LINE": 796, + "CODE_FUNC": "job_emit_done_message", + "JOB_TYPE": "start", + "JOB_RESULT": "done", + "MESSAGE_ID": "39f53479d3a045ac8e11786248231fbf", + "MESSAGE": "Started snap.firmware-updater.firmware-notifier.timer - Timer firmware-notifier for snap application firmware-updater.firmware-notifier.", + "JOB_ID": "8", + "USER_INVOCATION_ID": "a88af3c77d11478bbf5231ea637643b9", + "USER_UNIT": "snap.firmware-updater.firmware-notifier.timer" + }, + "_Source": "Linux.Forensics.Journal" }, { - "Offset": 
3747016, - "Timestamp": "2024-07-19T07:52:28.558698Z", - "Data": [ - "PRIORITY=6", - "SYSLOG_FACILITY=3", - "TID=3137\u0002", - "SYSLOG_IDENTIFIER=systemd", - "_TRANSPORT=journal", - "_PID=3137", - "_UID=1000", - "_GID=1000", - "_COMM=systemd", - "_EXE=/usr/lib/systemd/systemd", - "_CMDLINE=/usr/lib/systemd/systemd --user\u0002", - "_CAP_EFFECTIVE=800000000\u0002", - "_SELINUX_CONTEXT=unconfined\n", - "_AUDIT_SESSION=3\u0002", - "_AUDIT_LOGINUID=1000", - "_SYSTEMD_CGROUP=/user.slice/user-1000.slice/user@1000.service/init.scope\u0002", - "_SYSTEMD_OWNER_UID=1000", - "_SYSTEMD_UNIT=user@1000.service", - "_SYSTEMD_USER_UNIT=init.scope", - "_SYSTEMD_SLICE=user-1000.slice", - "_SYSTEMD_USER_SLICE=-.slice", - "_BOOT_ID=23a9ab0f82de434496c353945dcf5919", - "_MACHINE_ID=832249f87a0d447097d88407cb0c44e1", - "_HOSTNAME=devbox\u0002", - "_RUNTIME_SCOPE=system", - "CODE_FILE=src/core/job.c\u0001", - "CODE_LINE=796", - "CODE_FUNC=job_emit_done_message", - "JOB_TYPE=start", - "JOB_RESULT=done", - "MESSAGE_ID=39f53479d3a045ac8e11786248231fbf", - "MESSAGE=Reached target paths.target - Paths.", - "JOB_ID=27", - "USER_INVOCATION_ID=ae3b6539808e4a299cd1ab1c371fe50e", - "USER_UNIT=paths.target", - "_SOURCE_REALTIME_TIMESTAMP=1721375548558601" - ] + "System": { + "Seq": 4843, + "Timestamp": "2024-07-19T07:52:28.558698Z", + "_TRANSPORT": "journal", + "_PID": 3137, + "_UID": 1000, + "_GID": 1000, + "_COMM": "systemd", + "_EXE": "/usr/lib/systemd/systemd", + "_CMDLINE": "/usr/lib/systemd/systemd --user", + "_CAP_EFFECTIVE": "800000000", + "_SELINUX_CONTEXT": "unconfined\n", + "_AUDIT_SESSION": 3, + "_AUDIT_LOGINUID": 1000, + "_SYSTEMD_CGROUP": "/user.slice/user-1000.slice/user@1000.service/init.scope", + "_SYSTEMD_OWNER_UID": "1000", + "_SYSTEMD_UNIT": "user@1000.service", + "_SYSTEMD_USER_UNIT": "init.scope", + "_SYSTEMD_SLICE": "user-1000.slice", + "_SYSTEMD_USER_SLICE": "-.slice", + "_BOOT_ID": "23a9ab0f82de434496c353945dcf5919", + "_MACHINE_ID": "832249f87a0d447097d88407cb0c44e1", + 
"_HOSTNAME": "devbox", + "_RUNTIME_SCOPE": "system", + "SOURCE_REALTIME_TIMESTAMP": "2024-07-19T07:52:28.558601Z" + }, + "EventData": { + "PRIORITY": 6, + "SYSLOG_FACILITY": 3, + "TID": 3137, + "SYSLOG_IDENTIFIER": "systemd", + "CODE_FILE": "src/core/job.c", + "CODE_LINE": 796, + "CODE_FUNC": "job_emit_done_message", + "JOB_TYPE": "start", + "JOB_RESULT": "done", + "MESSAGE_ID": "39f53479d3a045ac8e11786248231fbf", + "MESSAGE": "Reached target paths.target - Paths.", + "JOB_ID": "27", + "USER_INVOCATION_ID": "ae3b6539808e4a299cd1ab1c371fe50e", + "USER_UNIT": "paths.target" + }, + "_Source": "Linux.Forensics.Journal" }, { - "Offset": 3748104, - "Timestamp": "2024-07-19T07:52:28.558771Z", - "Data": [ - "PRIORITY=6", - "SYSLOG_FACILITY=3", - "TID=3137\u0002", - "SYSLOG_IDENTIFIER=systemd", - "_TRANSPORT=journal", - "_PID=3137", - "_UID=1000", - "_GID=1000", - "_COMM=systemd", - "_EXE=/usr/lib/systemd/systemd", - "_CMDLINE=/usr/lib/systemd/systemd --user\u0002", - "_CAP_EFFECTIVE=800000000\u0002", - "_SELINUX_CONTEXT=unconfined\n", - "_AUDIT_SESSION=3\u0002", - "_AUDIT_LOGINUID=1000", - "_SYSTEMD_CGROUP=/user.slice/user-1000.slice/user@1000.service/init.scope\u0002", - "_SYSTEMD_OWNER_UID=1000", - "_SYSTEMD_UNIT=user@1000.service", - "_SYSTEMD_USER_UNIT=init.scope", - "_SYSTEMD_SLICE=user-1000.slice", - "_SYSTEMD_USER_SLICE=-.slice", - "_BOOT_ID=23a9ab0f82de434496c353945dcf5919", - "_MACHINE_ID=832249f87a0d447097d88407cb0c44e1", - "_HOSTNAME=devbox\u0002", - "_RUNTIME_SCOPE=system", - "CODE_FILE=src/core/job.c\u0001", - "CODE_LINE=796", - "CODE_FUNC=job_emit_done_message", - "JOB_TYPE=start", - "JOB_RESULT=done", - "MESSAGE_ID=39f53479d3a045ac8e11786248231fbf", - "MESSAGE=Reached target timers.target - Timers.", - "JOB_ID=5\u0001", - "USER_INVOCATION_ID=c19184ccbc5341b498bd3ca2bf0fef70", - "USER_UNIT=timers.target", - "_SOURCE_REALTIME_TIMESTAMP=1721375548558646" - ] + "System": { + "Seq": 4844, + "Timestamp": "2024-07-19T07:52:28.558771Z", + "_TRANSPORT": "journal", + 
"_PID": 3137, + "_UID": 1000, + "_GID": 1000, + "_COMM": "systemd", + "_EXE": "/usr/lib/systemd/systemd", + "_CMDLINE": "/usr/lib/systemd/systemd --user", + "_CAP_EFFECTIVE": "800000000", + "_SELINUX_CONTEXT": "unconfined\n", + "_AUDIT_SESSION": 3, + "_AUDIT_LOGINUID": 1000, + "_SYSTEMD_CGROUP": "/user.slice/user-1000.slice/user@1000.service/init.scope", + "_SYSTEMD_OWNER_UID": "1000", + "_SYSTEMD_UNIT": "user@1000.service", + "_SYSTEMD_USER_UNIT": "init.scope", + "_SYSTEMD_SLICE": "user-1000.slice", + "_SYSTEMD_USER_SLICE": "-.slice", + "_BOOT_ID": "23a9ab0f82de434496c353945dcf5919", + "_MACHINE_ID": "832249f87a0d447097d88407cb0c44e1", + "_HOSTNAME": "devbox", + "_RUNTIME_SCOPE": "system", + "SOURCE_REALTIME_TIMESTAMP": "2024-07-19T07:52:28.558646Z" + }, + "EventData": { + "PRIORITY": 6, + "SYSLOG_FACILITY": 3, + "TID": 3137, + "SYSLOG_IDENTIFIER": "systemd", + "CODE_FILE": "src/core/job.c", + "CODE_LINE": 796, + "CODE_FUNC": "job_emit_done_message", + "JOB_TYPE": "start", + "JOB_RESULT": "done", + "MESSAGE_ID": "39f53479d3a045ac8e11786248231fbf", + "MESSAGE": "Reached target timers.target - Timers.", + "JOB_ID": "5", + "USER_INVOCATION_ID": "c19184ccbc5341b498bd3ca2bf0fef70", + "USER_UNIT": "timers.target" + }, + "_Source": "Linux.Forensics.Journal" }, { - "Offset": 3749192, - "Timestamp": "2024-07-19T07:52:28.561465Z", - "Data": [ - "PRIORITY=6", - "SYSLOG_FACILITY=3", - "TID=3137\u0002", - "SYSLOG_IDENTIFIER=systemd", - "_TRANSPORT=journal", - "_PID=3137", - "_UID=1000", - "_GID=1000", - "_COMM=systemd", - "_EXE=/usr/lib/systemd/systemd", - "_CMDLINE=/usr/lib/systemd/systemd --user\u0002", - "_CAP_EFFECTIVE=800000000\u0002", - "_SELINUX_CONTEXT=unconfined\n", - "_AUDIT_SESSION=3\u0002", - "_AUDIT_LOGINUID=1000", - "_SYSTEMD_CGROUP=/user.slice/user-1000.slice/user@1000.service/init.scope\u0002", - "_SYSTEMD_OWNER_UID=1000", - "_SYSTEMD_UNIT=user@1000.service", - "_SYSTEMD_USER_UNIT=init.scope", - "_SYSTEMD_SLICE=user-1000.slice", - "_SYSTEMD_USER_SLICE=-.slice", 
- "_BOOT_ID=23a9ab0f82de434496c353945dcf5919", - "_MACHINE_ID=832249f87a0d447097d88407cb0c44e1", - "_HOSTNAME=devbox\u0002", - "_RUNTIME_SCOPE=system", - "CODE_FILE=src/core/job.c\u0001", - "JOB_TYPE=start", - "CODE_LINE=609", - "CODE_FUNC=job_emit_start_message\u0001", - "MESSAGE=Starting dbus.socket - D-Bus User Message Bus Socket...", - "JOB_ID=16", - "USER_INVOCATION_ID=cb5e8a3617cc4715b746ac0989b1c9bb", - "MESSAGE_ID=7d4958e842da4a758f6c1cdc7b36dcc5", - "USER_UNIT=dbus.socket", - "_SOURCE_REALTIME_TIMESTAMP=1721375548561391" - ] + "System": { + "Seq": 4845, + "Timestamp": "2024-07-19T07:52:28.561465Z", + "_TRANSPORT": "journal", + "_PID": 3137, + "_UID": 1000, + "_GID": 1000, + "_COMM": "systemd", + "_EXE": "/usr/lib/systemd/systemd", + "_CMDLINE": "/usr/lib/systemd/systemd --user", + "_CAP_EFFECTIVE": "800000000", + "_SELINUX_CONTEXT": "unconfined\n", + "_AUDIT_SESSION": 3, + "_AUDIT_LOGINUID": 1000, + "_SYSTEMD_CGROUP": "/user.slice/user-1000.slice/user@1000.service/init.scope", + "_SYSTEMD_OWNER_UID": "1000", + "_SYSTEMD_UNIT": "user@1000.service", + "_SYSTEMD_USER_UNIT": "init.scope", + "_SYSTEMD_SLICE": "user-1000.slice", + "_SYSTEMD_USER_SLICE": "-.slice", + "_BOOT_ID": "23a9ab0f82de434496c353945dcf5919", + "_MACHINE_ID": "832249f87a0d447097d88407cb0c44e1", + "_HOSTNAME": "devbox", + "_RUNTIME_SCOPE": "system", + "SOURCE_REALTIME_TIMESTAMP": "2024-07-19T07:52:28.561391Z" + }, + "EventData": { + "PRIORITY": 6, + "SYSLOG_FACILITY": 3, + "TID": 3137, + "SYSLOG_IDENTIFIER": "systemd", + "CODE_FILE": "src/core/job.c", + "JOB_TYPE": "start", + "CODE_LINE": 609, + "CODE_FUNC": "job_emit_start_message", + "MESSAGE": "Starting dbus.socket - D-Bus User Message Bus Socket...", + "JOB_ID": "16", + "USER_INVOCATION_ID": "cb5e8a3617cc4715b746ac0989b1c9bb", + "MESSAGE_ID": "7d4958e842da4a758f6c1cdc7b36dcc5", + "USER_UNIT": "dbus.socket" + }, + "_Source": "Linux.Forensics.Journal" }, { - "Offset": 3749992, - "Timestamp": "2024-07-19T07:52:28.561727Z", - "Data": [ - 
"PRIORITY=6", - "SYSLOG_FACILITY=3", - "TID=3137\u0002", - "SYSLOG_IDENTIFIER=systemd", - "_TRANSPORT=journal", - "_PID=3137", - "_UID=1000", - "_GID=1000", - "_COMM=systemd", - "_EXE=/usr/lib/systemd/systemd", - "_CMDLINE=/usr/lib/systemd/systemd --user\u0002", - "_CAP_EFFECTIVE=800000000\u0002", - "_SELINUX_CONTEXT=unconfined\n", - "_AUDIT_SESSION=3\u0002", - "_AUDIT_LOGINUID=1000", - "_SYSTEMD_CGROUP=/user.slice/user-1000.slice/user@1000.service/init.scope\u0002", - "_SYSTEMD_OWNER_UID=1000", - "_SYSTEMD_UNIT=user@1000.service", - "_SYSTEMD_USER_UNIT=init.scope", - "_SYSTEMD_SLICE=user-1000.slice", - "_SYSTEMD_USER_SLICE=-.slice", - "_BOOT_ID=23a9ab0f82de434496c353945dcf5919", - "_MACHINE_ID=832249f87a0d447097d88407cb0c44e1", - "_HOSTNAME=devbox\u0002", - "_RUNTIME_SCOPE=system", - "CODE_FILE=src/core/job.c\u0001", - "CODE_LINE=796", - "CODE_FUNC=job_emit_done_message", - "JOB_TYPE=start", - "JOB_RESULT=done", - "MESSAGE_ID=39f53479d3a045ac8e11786248231fbf", - "MESSAGE=Listening on dirmngr.socket - GnuPG network certificate management daemon.", - "JOB_ID=17", - "USER_INVOCATION_ID=267becdcaa904435a9c45537e3f82b0a", - "USER_UNIT=dirmngr.socket\u0001", - "_SOURCE_REALTIME_TIMESTAMP=1721375548561670" - ] + "System": { + "Seq": 4846, + "Timestamp": "2024-07-19T07:52:28.561727Z", + "_TRANSPORT": "journal", + "_PID": 3137, + "_UID": 1000, + "_GID": 1000, + "_COMM": "systemd", + "_EXE": "/usr/lib/systemd/systemd", + "_CMDLINE": "/usr/lib/systemd/systemd --user", + "_CAP_EFFECTIVE": "800000000", + "_SELINUX_CONTEXT": "unconfined\n", + "_AUDIT_SESSION": 3, + "_AUDIT_LOGINUID": 1000, + "_SYSTEMD_CGROUP": "/user.slice/user-1000.slice/user@1000.service/init.scope", + "_SYSTEMD_OWNER_UID": "1000", + "_SYSTEMD_UNIT": "user@1000.service", + "_SYSTEMD_USER_UNIT": "init.scope", + "_SYSTEMD_SLICE": "user-1000.slice", + "_SYSTEMD_USER_SLICE": "-.slice", + "_BOOT_ID": "23a9ab0f82de434496c353945dcf5919", + "_MACHINE_ID": "832249f87a0d447097d88407cb0c44e1", + "_HOSTNAME": "devbox", + 
"_RUNTIME_SCOPE": "system", + "SOURCE_REALTIME_TIMESTAMP": "2024-07-19T07:52:28.56167Z" + }, + "EventData": { + "PRIORITY": 6, + "SYSLOG_FACILITY": 3, + "TID": 3137, + "SYSLOG_IDENTIFIER": "systemd", + "CODE_FILE": "src/core/job.c", + "CODE_LINE": 796, + "CODE_FUNC": "job_emit_done_message", + "JOB_TYPE": "start", + "JOB_RESULT": "done", + "MESSAGE_ID": "39f53479d3a045ac8e11786248231fbf", + "MESSAGE": "Listening on dirmngr.socket - GnuPG network certificate management daemon.", + "JOB_ID": "17", + "USER_INVOCATION_ID": "267becdcaa904435a9c45537e3f82b0a", + "USER_UNIT": "dirmngr.socket" + }, + "_Source": "Linux.Forensics.Journal" } ]SELECT * FROM parse_journald(filename='/system.journal') LIMIT 2[ { diff --git a/gui/velociraptor/package-lock.json b/gui/velociraptor/package-lock.json index 3829ed640c0..3f625b192a6 100644 --- a/gui/velociraptor/package-lock.json +++ b/gui/velociraptor/package-lock.json @@ -11,14 +11,14 @@ "@babel/core": "^7.25.2", "@babel/plugin-syntax-flow": "^7.24.7", "@babel/plugin-transform-react-jsx": "^7.25.2", - "@babel/runtime": "^7.25.4", + "@babel/runtime": "^7.25.6", "@fortawesome/fontawesome-svg-core": "6.6.0", "@fortawesome/free-regular-svg-icons": "6.6.0", "@fortawesome/free-solid-svg-icons": "^6.6.0", "@fortawesome/react-fontawesome": "0.2.2", "@popperjs/core": "^2.11.8", - "axios": "^1.7.5", - "ace-builds": "^1.36.0", + "ace-builds": "^1.36.1", + "axios": ">=1.7.5", "axios-retry": "3.9.1", "bootstrap": "5.3.3", "classnames": "^2.5.1", @@ -80,7 +80,7 @@ "eslint-plugin-import": "^2.27.5", "eslint-plugin-jsx-a11y": "^6.7.1", "eslint-plugin-react": "^7.32.2", - "vite": "^4.5.3", + "vite": "^4.5.5", "vite-plugin-compression": "^0.5.1", "vite-plugin-eslint": "1.8.1" } 
@@ -2081,9 +2081,9 @@ "dev": true }, "node_modules/@babel/runtime": { - "version": "7.25.4", - "resolved": "https://registry.npmjs.org/@babel/runtime/-/runtime-7.25.4.tgz", - "integrity": "sha512-DSgLeL/FNcpXuzav5wfYvHCGvynXkJbn3Zvc3823AEe9nPwW9IK4UoCSS5yGymmQzN0pCPvivtgS6/8U2kkm1w==", + "version": "7.25.6", + "resolved": "https://registry.npmjs.org/@babel/runtime/-/runtime-7.25.6.tgz", + "integrity": "sha512-VBj9MYyDb9tuLq7yzqjgzt6Q+IBQLrGZfdjOekyEirZPHxXWoTSGUTMrpsfi58Up73d13NfYLv8HT9vmznjzhQ==", "license": "MIT", "dependencies": { "regenerator-runtime": "^0.14.0" @@ -3715,9 +3715,9 @@ "integrity": "sha512-nne9/IiQ/hzIhY6pdDnbBtz7DjPTKrY00P/zvPSm5pOFkl6xuGrGnXn/VtTNNfNtAfZ9/1RtehkszU9qcTii0Q==" }, "node_modules/ace-builds": { - "version": "1.36.0", - "resolved": "https://registry.npmjs.org/ace-builds/-/ace-builds-1.36.0.tgz", - "integrity": "sha512-7to4F86V5N13EY4M9LWaGo2Wmr9iWe5CrYpc28F+/OyYCf7yd+xBV5x9v/GB73EBGGoYd89m6JjeIUjkL6Yw+w==", + "version": "1.36.1", + "resolved": "https://registry.npmjs.org/ace-builds/-/ace-builds-1.36.1.tgz", + "integrity": "sha512-/Rngkz+KgR7GFF16zO3itstku3wezjp4PTqrev3QvGfEix+Ilzsgp6X/VFSaprH9Cqd36rwT8c6eXwMKVgc+Kg==", "license": "BSD-3-Clause" }, "node_modules/acorn": { @@ -9566,9 +9566,9 @@ } }, "node_modules/vite": { - "version": "4.5.3", - "resolved": "https://registry.npmjs.org/vite/-/vite-4.5.3.tgz", - "integrity": "sha512-kQL23kMeX92v3ph7IauVkXkikdDRsYMGTVl5KY2E9OY4ONLvkHf04MDTbnfo6NKxZiDLWzVpP5oTa8hQD8U3dg==", + "version": "4.5.5", + "resolved": "https://registry.npmjs.org/vite/-/vite-4.5.5.tgz", + "integrity": "sha512-ifW3Lb2sMdX+WU91s3R0FyQlAyLxOzCSCP37ujw0+r5POeHPwe6udWVIElKQq8gk3t7b8rkmvqC6IHBpCff4GQ==", "dev": true, "dependencies": { "esbuild": "^0.18.10", 
@@ -11250,9 +11250,9 @@ "dev": true }, "@babel/runtime": { - "version": "7.25.4", - "resolved": "https://registry.npmjs.org/@babel/runtime/-/runtime-7.25.4.tgz", - "integrity": "sha512-DSgLeL/FNcpXuzav5wfYvHCGvynXkJbn3Zvc3823AEe9nPwW9IK4UoCSS5yGymmQzN0pCPvivtgS6/8U2kkm1w==", + "version": "7.25.6", + "resolved": "https://registry.npmjs.org/@babel/runtime/-/runtime-7.25.6.tgz", + "integrity": "sha512-VBj9MYyDb9tuLq7yzqjgzt6Q+IBQLrGZfdjOekyEirZPHxXWoTSGUTMrpsfi58Up73d13NfYLv8HT9vmznjzhQ==", "requires": { "regenerator-runtime": "^0.14.0" } @@ -12420,9 +12420,9 @@ "integrity": "sha512-nne9/IiQ/hzIhY6pdDnbBtz7DjPTKrY00P/zvPSm5pOFkl6xuGrGnXn/VtTNNfNtAfZ9/1RtehkszU9qcTii0Q==" }, "ace-builds": { - "version": "1.36.0", - "resolved": "https://registry.npmjs.org/ace-builds/-/ace-builds-1.36.0.tgz", - "integrity": "sha512-7to4F86V5N13EY4M9LWaGo2Wmr9iWe5CrYpc28F+/OyYCf7yd+xBV5x9v/GB73EBGGoYd89m6JjeIUjkL6Yw+w==" + "version": "1.36.1", + "resolved": "https://registry.npmjs.org/ace-builds/-/ace-builds-1.36.1.tgz", + "integrity": "sha512-/Rngkz+KgR7GFF16zO3itstku3wezjp4PTqrev3QvGfEix+Ilzsgp6X/VFSaprH9Cqd36rwT8c6eXwMKVgc+Kg==" }, "acorn": { "version": "8.8.2", @@ -16728,9 +16728,9 @@ } }, "vite": { - "version": "4.5.3", - "resolved": "https://registry.npmjs.org/vite/-/vite-4.5.3.tgz", - "integrity": "sha512-kQL23kMeX92v3ph7IauVkXkikdDRsYMGTVl5KY2E9OY4ONLvkHf04MDTbnfo6NKxZiDLWzVpP5oTa8hQD8U3dg==", + "version": "4.5.5", + "resolved": "https://registry.npmjs.org/vite/-/vite-4.5.5.tgz", + "integrity": "sha512-ifW3Lb2sMdX+WU91s3R0FyQlAyLxOzCSCP37ujw0+r5POeHPwe6udWVIElKQq8gk3t7b8rkmvqC6IHBpCff4GQ==", "dev": true, "requires": { "esbuild": "^0.18.10", diff --git a/gui/velociraptor/package.json b/gui/velociraptor/package.json index 14ef2ba84a7..d0b14b5779a 100644 --- a/gui/velociraptor/package.json +++ b/gui/velociraptor/package.json 
@@ -7,14 +7,14 @@ "@babel/core": "^7.25.2", "@babel/plugin-syntax-flow": "^7.24.7", "@babel/plugin-transform-react-jsx": "^7.25.2", - "@babel/runtime": "^7.25.4", + "@babel/runtime": "^7.25.6", "@fortawesome/fontawesome-svg-core": "6.6.0", "@fortawesome/free-regular-svg-icons": "6.6.0", "@fortawesome/free-solid-svg-icons": "^6.6.0", "@fortawesome/react-fontawesome": "0.2.2", "@popperjs/core": "^2.11.8", "axios": ">=1.7.5", - "ace-builds": "1.36.0", + "ace-builds": "1.36.1", "axios-retry": "3.9.1", "bootstrap": "5.3.3", "classnames": "^2.5.1", @@ -106,7 +106,7 @@ "eslint-plugin-import": "^2.27.5", "eslint-plugin-jsx-a11y": "^6.7.1", "eslint-plugin-react": "^7.32.2", - "vite": "^4.5.3", + "vite": "^4.5.5", "vite-plugin-compression": "^0.5.1", "vite-plugin-eslint": "1.8.1" } diff --git a/gui/velociraptor/src/components/notebooks/notebook-cell-renderer.jsx b/gui/velociraptor/src/components/notebooks/notebook-cell-renderer.jsx index 9fb467214fb..f66be7a7c24 100644 --- a/gui/velociraptor/src/components/notebooks/notebook-cell-renderer.jsx +++ b/gui/velociraptor/src/components/notebooks/notebook-cell-renderer.jsx @@ -528,7 +528,8 @@ export default class NotebookCellRenderer extends React.Component { // it. let filename = encodeURI(blob.name); let url = encodeURI(response.data.url); - if (/image/.test(response.mime_type)) { + let mime_type = response.data && response.data.mime_type; + if (/image/.test(mime_type || "")) { this.state.ace.insert( "\n\""; } diff --git a/services/notebook/notebook.go b/services/notebook/notebook.go index c64e5eae21e..725e8020967 100644 --- a/services/notebook/notebook.go +++ b/services/notebook/notebook.go @@ -192,6 +192,8 @@ func (self *NotebookManager) UploadNotebookAttachment( Filename: filename, } + result.MimeType = utils.GetMimeString(decoded, utils.AutoDetectMime(true)) + return result, nil } diff --git a/utils/mime.go b/utils/mime.go new file mode 100644 index 00000000000..8fa6f760227 --- /dev/null +++ b/utils/mime.go 
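Review bot: `/image/.test(mime_type || "")` is an unanchored substring match, so any type that merely contains "image" anywhere in the string takes the image branch, not only `image/*`; anchoring it, `if (/^image\//.test(mime_type || "")) {`, makes the intent explicit and cheaper to reason about when new types are added to the server-side detection. The added `response.data &&` guard looks right, since the previous code read `response.mime_type` while the URL on the line above comes from `response.data`, which suggests the old test could never have matched — worth a one-line comment at the `let mime_type` line saying the type is the server's content sniff of the upload rather than anything the browser supplied. The argument passed to `this.state.ace.insert(` is garbled in this view, so I cannot comment on what is inserted, and the enclosing method begins and ends outside the hunk.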
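Review bot: The new `result.MimeType` assignment carries no note that the value is a best-effort sniff of the leading bytes of `decoded` with detection unconditionally on, yet it is exactly the field the GUI uses to decide whether to render the attachment inline as an image. I would add above it: `// Best-effort sniff of the leading bytes; GetMimeString only recognises a small set of GUI-rendered types and falls back to a generic type otherwise, so treat MimeType as a hint rather than a verified content type.` That also documents why `utils.AutoDetectMime(true)` is hard-coded here, and that any type added to GetMimeString's match list in the future will be inlined by the notebook renderer, so the list should stay limited to types that are safe to display that way. `decoded` and the signature of UploadNotebookAttachment are outside the hunk.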
@@ -0,0 +1,25 @@
+package utils
+
+import (
+ "bytes"
+ "strings"
+)
+
+type AutoDetectMime bool
+
+// Only handle the types we usually handle in the GUI
+func GetMimeString(buffer []byte, detect_mime AutoDetectMime) string {
+ if detect_mime && len(buffer) > 8 {
+ if 0 == bytes.Compare(
+ []byte("\x89\x50\x4E\x47\x0D\x0A\x1A\x0A"), buffer[:8]) {
+ return "image/png"
+ }
+
+ if len(buffer) > 20 && strings.HasPrefix(
+ strings.ToLower(string(buffer[:20])), `