diff --git a/api/download.go b/api/download.go
index f7df0f42b06..d811091ba17 100644
--- a/api/download.go
+++ b/api/download.go
@@ -26,7 +26,6 @@
package api
import (
- "bytes"
"fmt"
"html"
"io"
@@ -225,7 +224,7 @@ func vfsFileDownloadHandler() http.Handler {
w.Header().Set("Content-Disposition", "attachment; "+
sanitizeFilenameForAttachment(filename))
w.Header().Set("Content-Type",
- detectMime(output, request.DetectMime))
+ utils.GetMimeString(output, utils.AutoDetectMime(request.DetectMime)))
w.Header().Set("Content-Range",
fmt.Sprintf("bytes %d-%d/%d", request.Offset, next_offset, total_size))
w.WriteHeader(200)
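Review bot: The Content-Type written on the new line is now whatever `utils.GetMimeString` detects from the first bytes of user-supplied file content, rather than the old PNG-or-octet-stream choice, so types a browser would render inline may now be emitted if the detector supports them; the `Content-Disposition: attachment` header set just above keeps the body a download, but adding `w.Header().Set("X-Content-Type-Options", "nosniff")` beside it would close the gap for clients that ignore the disposition. The same replacement appears in the next hunk at the `buf[:n]` call and the note applies there too. Assuming `utils.AutoDetectMime(false)` still yields the fixed `binary/octet-stream` that the removed `detectMime` returned when detection was off, existing callers are unaffected, but that is not visible here and deserves a test. The enclosing handler closure begins before this hunk.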
@@ -288,7 +287,8 @@ func vfsFileDownloadHandler() http.Handler {
w.Header().Set("Content-Disposition", "attachment; "+
sanitizeFilenameForAttachment(filename))
w.Header().Set("Content-Type",
- detectMime(buf[:n], request.DetectMime))
+ utils.GetMimeString(buf[:n],
+ utils.AutoDetectMime(request.DetectMime)))
w.WriteHeader(200)
headers_sent = true
}
@@ -369,16 +369,6 @@ func filterData(reader_at io.ReaderAt,
return output, offset, nil
}
-func detectMime(buffer []byte, detect_mime bool) string {
- if detect_mime && len(buffer) > 8 {
- if 0 == bytes.Compare(
- []byte("\x89\x50\x4E\x47\x0D\x0A\x1A\x0A"), buffer[:8]) {
- return "image/png"
- }
- }
- return "binary/octet-stream"
-}
-
func getRows(
ctx context.Context,
config_obj *config_proto.Config,
@@ -507,14 +497,27 @@ func downloadFileStore(prefix []string) http.Handler {
return
}
+ buf := pool.Get().([]byte)
+ defer pool.Put(buf)
+
+ // Read the first buffer for mime detection.
+ n, err := fd.Read(buf)
+ if err != nil {
+ returnError(w, 404, err.Error())
+ return
+ }
+
// From here on we already sent the headers and we can
// not really report an error to the client.
w.Header().Set("Content-Disposition", "attachment; "+
sanitizePathspecForAttachment(path_spec))
- w.Header().Set("Content-Type", "binary/octet-stream")
+ w.Header().Set("Content-Type",
+ utils.GetMimeString(buf[:n], utils.AutoDetectMime(true)))
w.WriteHeader(200)
+ w.Write(buf[:n])
+ // Copy the rest directly.
utils.Copy(r.Context(), w, fd)
})
}
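Review bot: The new `n, err := fd.Read(buf)` treats `io.EOF` as a failure, so an empty file in the file store now produces a 404 instead of an empty download; the guard should read `if err != nil && err != io.EOF {` (`io` is already imported in this file). Returning 404 with `err.Error()` in the body is also a questionable mapping for a read failure on a file that was just opened successfully, and it sends the raw error text to the client; a 500 with a generic message would be safer, though the 404 presumably follows the surrounding handler's existing style. Since `fd.Read` may legitimately return fewer than `len(buf)` bytes, the comment on the read could be more precise: `// Read up to one buffer for mime detection; the remainder is streamed below.` The enclosing handler closure and `downloadFileStore` begin before this hunk.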
diff --git a/api/notebooks.go b/api/notebooks.go
index 9a4524b51bb..c0d3f763286 100644
--- a/api/notebooks.go
+++ b/api/notebooks.go
@@ -467,8 +467,6 @@ func (self *ApiServer) UploadNotebookAttachment(
if err != nil {
return nil, Status(self.verbose, err)
}
-
- res.MimeType = detectMime([]byte(in.Data), true)
return res, nil
}
diff --git a/artifacts/definitions/Linux/Events/Journal.yaml b/artifacts/definitions/Linux/Events/Journal.yaml
new file mode 100644
index 00000000000..19bcdafdc01
--- /dev/null
+++ b/artifacts/definitions/Linux/Events/Journal.yaml
@@ -0,0 +1,21 @@
+name: Linux.Events.Journal
+description: |
+ Watches the binary journal logs. Systemd uses a binary log format to
+ store logs.
+
+type: CLIENT_EVENT
+
+parameters:
+- name: JournalGlob
+ type: glob
+ description: A Glob expression for finding journal files.
+ default: /{run,var}/log/journal/*/*.journal
+
+sources:
+- query: |
+ SELECT * FROM foreach(row={
+ SELECT OSPath FROM glob(globs=JournalGlob)
+ }, query={
+ SELECT *
+ FROM watch_journald(filename=OSPath)
+ }, workers=100)
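Review bot: `workers=100` on the closing `foreach` line is an unexplained magic number; since it presumably caps how many journal files are followed concurrently, a one-line comment above the query such as `-- One watcher per journal file, at most 100 in parallel.` would help readers of the artifact. The description could also state that this artifact streams new entries as they are appended, which is what distinguishes it from `Linux.Forensics.Journal`, and name the columns rows carry (`System`, `EventData`) if `watch_journald` shares `parse_journald`'s row shape; that last point is inferred, so confirm it before documenting.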
diff --git a/artifacts/definitions/Linux/Forensics/Journal.yaml b/artifacts/definitions/Linux/Forensics/Journal.yaml
index 1f76805e038..44a175cc641 100644
--- a/artifacts/definitions/Linux/Forensics/Journal.yaml
+++ b/artifacts/definitions/Linux/Forensics/Journal.yaml
@@ -1,14 +1,7 @@
name: Linux.Forensics.Journal
description: |
Parses the binary journal logs. Systemd uses a binary log format to
- store logs. You can read these logs using journalctl command:
-
- `journalctl --file /run/log/journal/*/*.journal`
-
- This artifact uses the Velociraptor Binary parser to parse the
- binary format. The format is documented
- https://systemd.io/JOURNAL_FILE_FORMAT/
-
+ store logs.
parameters:
- name: JournalGlob
@@ -16,168 +9,23 @@ parameters:
description: A Glob expression for finding journal files.
default: /{run,var}/log/journal/*/*.journal
-- name: OnlyShowMessage
- type: bool
- description: If set we only show the message entry (similar to syslog).
-
- name: AlsoUpload
type: bool
description: If set we also upload the raw files.
-export: |
- LET JournalProfile = '''[
- ["Header", "x=>x.header_size", [
- ["Signature", 0, "String", {
- "length": 8,
- }],
- ["compatible_flags", 8, uint32],
- ["incompatible_flags", 12, Flags, {
- type: uint32,
- bitmap: {
- COMPRESSED_XZ: 0,
- COMPRESSED_LZ4: 1,
- KEYED_HASH: 2,
- COMPRESSED_ZSTD: 3,
- COMPACT: 4,
- }
- }],
- ["IsCompact", 12, BitField, {
- type: uint32,
- start_bit: 4,
- end_bit: 5,
- }],
- ["header_size", 88, "uint64"],
- ["arena_size", 96, "uint64"],
- ["n_objects", 144, uint64],
- ["n_entries", 152, uint64],
- ["Objects", "x=>x.header_size", "Array", {
- "type": "ObjectHeader",
- "count": "x=>x.n_objects",
- "max_count": 100000
- }]
- ]],
-
- ["ObjectHeader", "x=>x.size", [
- ["Offset", 0, "Value", {
- "value": "x=>x.StartOf",
- }],
- ["type", 0, "Enumeration",{
- "type": "uint8",
- "choices": {
- "0": OBJECT_UNUSED,
- "1": OBJECT_DATA,
- "2": OBJECT_FIELD,
- "3": OBJECT_ENTRY,
- "4": OBJECT_DATA_HASH_TABLE,
- "5": OBJECT_FIELD_HASH_TABLE,
- "6": OBJECT_ENTRY_ARRAY,
- "7": OBJECT_TAG,
- }
- }],
- ["flags", 1, "uint8"],
- ["__real_size", 8, "uint64"],
- ["__round_size", 8, "Value", {
- "value": "x=>int(int=x.__real_size / 8) * 8",
- }],
- ["size", 0, "Value", {
- "value": "x=>if(condition=x.__real_size = x.__round_size, then=x.__round_size, else=x.__round_size + 8)",
- }],
- ["payload", 16, Union, {
- "selector": "x=>x.type",
- "choices": {
- "OBJECT_DATA": DataObject,
- "OBJECT_ENTRY": EntryObject,
- }
- }]
- ]],
- ["DataObject", 0, [
- ["payload", "x=>DataOffset", String]
- ]],
-
- # This is basically a single log line -
- # it is really a list of references to data Objects
- ["EntryObject", 0, [
- ["seqnum", 0, "uint64"],
- ["realtime", 8, "uint64"],
- ["monotonic", 16, "uint64"],
- ["_items", 48, Array, {
- "type": EntryItem,
- "count": 50,
- "sentinel": "x=>NOT x.object",
- }],
- ["_items_compact", 48, Array, {
- "type": CompatEntryItem,
- "count": 50,
- "sentinel": "x=>NOT x.object",
- }],
- ["items", 0, Value, {
- value: "x=>if(condition=IsCompact, then=x._items_compact, else=x._items)",
- }]
- ]],
-
- ["CompatEntryItem", 4, [
- ["object", 0, uint32]
- ]],
- ["EntryItem", 16, [
- ["object", 0, "uint64"],
- ]],
- ]
- '''
-
- -- We make a quick pass over the file to get all the OBJECT_ENTRY
- -- objects which are all we care about. By extracting Just the
- -- offsets of the OBJECT_ENTRY Objects in the first pass we can
- -- free memory we wont need.
- LET Offsets(File) = SELECT Offset
- FROM foreach(row=parse_binary(filename=File, profile=JournalProfile,
- struct="Header").Objects)
- WHERE type = "OBJECT_ENTRY"
-
-
- -- Now parse the ObjectEntry in each offset
- LET _ParseFile(File) =
- SELECT Offset,
- parse_binary(
- filename=File, profile=JournalProfile,
- struct="ObjectHeader", offset=Offset) AS Parsed
- FROM Offsets(File=File)
-
-
- -- Extract the timestamps and all the attributes
- LET ParseFile(File) = SELECT * FROM foreach(row={
- -- If the file is compact the payload is shifted by 8 bytes.
- SELECT parse_binary(
- filename=File,
- profile=JournalProfile,
- struct="Header").IsCompact * 8 + 48 AS DataOffset,
- parse_binary(
- filename=File,
- profile=JournalProfile,
- struct="Header").IsCompact AS IsCompact
- FROM scope()
-
- }, query={
- SELECT File, Offset,
- timestamp(epoch=Parsed.payload.realtime) AS Timestamp,
- {
- SELECT parse_binary(
- filename=File,
- profile=JournalProfile,
- struct="ObjectHeader",
- offset=_value).payload.payload AS Line
- FROM foreach(row=Parsed.payload.items.object)
- WHERE Line
- } AS Data
- FROM _ParseFile(File=File)
+sources:
+- name: Uploads
+ query: |
+ SELECT * FROM if(condition=AlsoUpload,
+ then={
+ SELECT OSPath, upload(file=OSPath) AS Upload
+ FROM glob(globs=JournalGlob)
})
-sources:
- query: |
SELECT * FROM foreach(row={
SELECT OSPath FROM glob(globs=JournalGlob)
}, query={
- SELECT *, if(condition=OnlyShowMessage,
- then=filter(list=Data, regex="^MESSAGE=")[0], else=Data) AS Data,
- if(condition=AlsoUpload, then=upload(file=File)) AS Upload
- FROM ParseFile(File=OSPath)
+ SELECT *
+ FROM parse_journald(filename=OSPath)
})
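Review bot: Dropping the `OnlyShowMessage` parameter and changing the row shape from `Offset`/`Timestamp`/`Data` to whatever `parse_journald` emits is a breaking change for existing hunts, notebooks and downstream queries that call this artifact; the testcase change in this commit had to delete its `OnlyShowMessage=TRUE` query for exactly that reason. The description, shortened in the previous hunk of this file, should say so and point users at the new columns, e.g. `Rows are produced by the parse_journald() plugin; the OnlyShowMessage parameter has been removed.` The second source is unnamed while the first is `Uploads`, so its rows will presumably be reported under the bare artifact name (as the `_Source` column in the updated test output suggests); giving it an explicit name such as `Entries` would make the pair symmetric, at the cost of changing that `_Source` value.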
diff --git a/artifacts/testdata/server/testcases/linux_systemd.in.yaml b/artifacts/testdata/server/testcases/linux_systemd.in.yaml
index 10b5246167e..840a7991694 100644
--- a/artifacts/testdata/server/testcases/linux_systemd.in.yaml
+++ b/artifacts/testdata/server/testcases/linux_systemd.in.yaml
@@ -21,16 +21,12 @@ Queries:
- LET _ <= remap(config=format(format=RemappingTemplate, args=srcDir),
copy=["zip", "file"], clear=TRUE)
-- SELECT Offset, Timestamp, Data
+- SELECT *
FROM Artifact.Linux.Forensics.Journal(
JournalGlob='/system.journal')
-- SELECT Offset, Timestamp, Data
- FROM Artifact.Linux.Forensics.Journal(OnlyShowMessage=TRUE,
- JournalGlob='/system.journal')
-
# Check that we also support compact style files
-- SELECT Offset, Timestamp, Data
+- SELECT *
FROM Artifact.Linux.Forensics.Journal(
JournalGlob='/compact.journal')
LIMIT 10
diff --git a/artifacts/testdata/server/testcases/linux_systemd.out.yaml b/artifacts/testdata/server/testcases/linux_systemd.out.yaml
index 05a43f5fd69..5d0d30484b8 100644
--- a/artifacts/testdata/server/testcases/linux_systemd.out.yaml
+++ b/artifacts/testdata/server/testcases/linux_systemd.out.yaml
@@ -1,457 +1,484 @@
-LET _ <= remap(config=format(format=RemappingTemplate, args=srcDir), copy=["zip", "file"], clear=TRUE)[]SELECT Offset, Timestamp, Data FROM Artifact.Linux.Forensics.Journal( JournalGlob='/system.journal')[
+LET _ <= remap(config=format(format=RemappingTemplate, args=srcDir), copy=["zip", "file"], clear=TRUE)[]SELECT * FROM Artifact.Linux.Forensics.Journal( JournalGlob='/system.journal')[
{
- "Offset": 151352,
- "Timestamp": "2023-05-09T01:31:12.435195Z",
- "Data": [
- "PRIORITY=6",
- "SYSLOG_FACILITY=3",
- "TID=1",
- "CODE_FILE=src/core/unit.c",
- "CODE_LINE=2474",
- "CODE_FUNC=unit_log_resources",
- "SYSLOG_IDENTIFIER=systemd",
- "CPU_USAGE_NSEC=5643944000",
- "MESSAGE=session-717.scope: Consumed 5.643s CPU time.",
- "MESSAGE_ID=ae8f7b866b0347b9af31fe1c80b127c0",
- "UNIT=session-717.scope",
- "INVOCATION_ID=b1659c39e4e94e9ca8fdb5ba9f9f6cb3",
- "_TRANSPORT=journal",
- "_PID=1",
- "_UID=0",
- "_GID=0",
- "_COMM=systemd",
- "_EXE=/usr/lib/systemd/systemd",
- "_CMDLINE=/sbin/init",
- "_CAP_EFFECTIVE=1ffffffffff",
- "_SELINUX_CONTEXT=unconfined\n",
- "_SYSTEMD_CGROUP=/init.scope",
- "_SYSTEMD_UNIT=init.scope\u0002",
- "_SYSTEMD_SLICE=-.slice",
- "_SOURCE_REALTIME_TIMESTAMP=1683595864438049",
- "_BOOT_ID=25557887eed141e0ad99932789c02184",
- "_MACHINE_ID=4e7cbddbe9494fb9876af4e3e85c9eb4",
- "_HOSTNAME=devbox\u0002"
- ]
- }
-]SELECT Offset, Timestamp, Data FROM Artifact.Linux.Forensics.Journal(OnlyShowMessage=TRUE, JournalGlob='/system.journal')[
- {
- "Offset": 151352,
- "Timestamp": "2023-05-09T01:31:12.435195Z",
- "Data": "MESSAGE=session-717.scope: Consumed 5.643s CPU time."
+ "System": {
+ "Seq": 19161,
+ "Timestamp": "2023-05-09T01:31:12.435195Z",
+ "_TRANSPORT": "journal",
+ "_PID": 1,
+ "_UID": 0,
+ "_GID": 0,
+ "_COMM": "systemd",
+ "_EXE": "/usr/lib/systemd/systemd",
+ "_CMDLINE": "/sbin/init",
+ "_CAP_EFFECTIVE": "1ffffffffff",
+ "_SELINUX_CONTEXT": "unconfined\n",
+ "_SYSTEMD_CGROUP": "/init.scope",
+ "_SYSTEMD_UNIT": "init.scope",
+ "_SYSTEMD_SLICE": "-.slice",
+ "SOURCE_REALTIME_TIMESTAMP": "2023-05-09T01:31:04.438049Z",
+ "_BOOT_ID": "25557887eed141e0ad99932789c02184",
+ "_MACHINE_ID": "4e7cbddbe9494fb9876af4e3e85c9eb4",
+ "_HOSTNAME": "devbox"
+ },
+ "EventData": {
+ "PRIORITY": 6,
+ "SYSLOG_FACILITY": 3,
+ "TID": 1,
+ "CODE_FILE": "src/core/unit.c",
+ "CODE_LINE": 2474,
+ "CODE_FUNC": "unit_log_resources",
+ "SYSLOG_IDENTIFIER": "systemd",
+ "CPU_USAGE_NSEC": "5643944000",
+ "MESSAGE": "session-717.scope: Consumed 5.643s CPU time.",
+ "MESSAGE_ID": "ae8f7b866b0347b9af31fe1c80b127c0",
+ "UNIT": "session-717.scope",
+ "INVOCATION_ID": "b1659c39e4e94e9ca8fdb5ba9f9f6cb3"
+ },
+ "_Source": "Linux.Forensics.Journal"
}
-]SELECT Offset, Timestamp, Data FROM Artifact.Linux.Forensics.Journal( JournalGlob='/compact.journal') LIMIT 10[
+]SELECT * FROM Artifact.Linux.Forensics.Journal( JournalGlob='/compact.journal') LIMIT 10[
{
- "Offset": 3738584,
- "Timestamp": "2024-07-19T07:52:28.539547Z",
- "Data": [
- "PRIORITY=6",
- "SYSLOG_FACILITY=3",
- "TID=3137\u0002",
- "CODE_FILE=src/core/main.c",
- "CODE_LINE=2382",
- "CODE_FUNC=do_queue_default_job",
- "SYSLOG_IDENTIFIER=systemd",
- "MESSAGE=Queued start job for default target default.target.",
- "_TRANSPORT=journal",
- "_PID=3137",
- "_UID=1000",
- "_GID=1000",
- "_COMM=systemd",
- "_EXE=/usr/lib/systemd/systemd",
- "_CMDLINE=/usr/lib/systemd/systemd --user\u0002",
- "_CAP_EFFECTIVE=800000000\u0002",
- "_SELINUX_CONTEXT=unconfined\n",
- "_AUDIT_SESSION=3\u0002",
- "_AUDIT_LOGINUID=1000",
- "_SYSTEMD_CGROUP=/user.slice/user-1000.slice/user@1000.service/init.scope\u0002",
- "_SYSTEMD_OWNER_UID=1000",
- "_SYSTEMD_UNIT=user@1000.service",
- "_SYSTEMD_USER_UNIT=init.scope",
- "_SYSTEMD_SLICE=user-1000.slice",
- "_SYSTEMD_USER_SLICE=-.slice",
- "_SOURCE_REALTIME_TIMESTAMP=1721375548539281",
- "_BOOT_ID=23a9ab0f82de434496c353945dcf5919",
- "_MACHINE_ID=832249f87a0d447097d88407cb0c44e1",
- "_HOSTNAME=devbox\u0002",
- "_RUNTIME_SCOPE=system"
- ]
+ "System": {
+ "Seq": 4837,
+ "Timestamp": "2024-07-19T07:52:28.539547Z",
+ "_TRANSPORT": "journal",
+ "_PID": 3137,
+ "_UID": 1000,
+ "_GID": 1000,
+ "_COMM": "systemd",
+ "_EXE": "/usr/lib/systemd/systemd",
+ "_CMDLINE": "/usr/lib/systemd/systemd --user",
+ "_CAP_EFFECTIVE": "800000000",
+ "_SELINUX_CONTEXT": "unconfined\n",
+ "_AUDIT_SESSION": 3,
+ "_AUDIT_LOGINUID": 1000,
+ "_SYSTEMD_CGROUP": "/user.slice/user-1000.slice/user@1000.service/init.scope",
+ "_SYSTEMD_OWNER_UID": "1000",
+ "_SYSTEMD_UNIT": "user@1000.service",
+ "_SYSTEMD_USER_UNIT": "init.scope",
+ "_SYSTEMD_SLICE": "user-1000.slice",
+ "_SYSTEMD_USER_SLICE": "-.slice",
+ "SOURCE_REALTIME_TIMESTAMP": "2024-07-19T07:52:28.539281Z",
+ "_BOOT_ID": "23a9ab0f82de434496c353945dcf5919",
+ "_MACHINE_ID": "832249f87a0d447097d88407cb0c44e1",
+ "_HOSTNAME": "devbox",
+ "_RUNTIME_SCOPE": "system"
+ },
+ "EventData": {
+ "PRIORITY": 6,
+ "SYSLOG_FACILITY": 3,
+ "TID": 3137,
+ "CODE_FILE": "src/core/main.c",
+ "CODE_LINE": 2382,
+ "CODE_FUNC": "do_queue_default_job",
+ "SYSLOG_IDENTIFIER": "systemd",
+ "MESSAGE": "Queued start job for default target default.target."
+ },
+ "_Source": "Linux.Forensics.Journal"
},
{
- "Offset": 3740288,
- "Timestamp": "2024-07-19T07:52:28.556361Z",
- "Data": [
- "PRIORITY=6",
- "SYSLOG_FACILITY=3",
- "TID=3137\u0002",
- "SYSLOG_IDENTIFIER=systemd",
- "_TRANSPORT=journal",
- "_PID=3137",
- "_UID=1000",
- "_GID=1000",
- "_COMM=systemd",
- "_EXE=/usr/lib/systemd/systemd",
- "_CMDLINE=/usr/lib/systemd/systemd --user\u0002",
- "_CAP_EFFECTIVE=800000000\u0002",
- "_SELINUX_CONTEXT=unconfined\n",
- "_AUDIT_SESSION=3\u0002",
- "_AUDIT_LOGINUID=1000",
- "_SYSTEMD_CGROUP=/user.slice/user-1000.slice/user@1000.service/init.scope\u0002",
- "_SYSTEMD_OWNER_UID=1000",
- "_SYSTEMD_UNIT=user@1000.service",
- "_SYSTEMD_USER_UNIT=init.scope",
- "_SYSTEMD_SLICE=user-1000.slice",
- "_SYSTEMD_USER_SLICE=-.slice",
- "_BOOT_ID=23a9ab0f82de434496c353945dcf5919",
- "_MACHINE_ID=832249f87a0d447097d88407cb0c44e1",
- "_HOSTNAME=devbox\u0002",
- "_RUNTIME_SCOPE=system",
- "CODE_FILE=src/core/job.c\u0001",
- "CODE_LINE=796",
- "CODE_FUNC=job_emit_done_message",
- "MESSAGE=Created slice app.slice - User Application Slice.",
- "JOB_ID=11",
- "JOB_TYPE=start",
- "JOB_RESULT=done",
- "USER_INVOCATION_ID=cd69d947db534ca480f9052257dccc86",
- "MESSAGE_ID=39f53479d3a045ac8e11786248231fbf",
- "USER_UNIT=app.slice",
- "_SOURCE_REALTIME_TIMESTAMP=1721375548556287"
- ]
+ "System": {
+ "Seq": 4838,
+ "Timestamp": "2024-07-19T07:52:28.556361Z",
+ "_TRANSPORT": "journal",
+ "_PID": 3137,
+ "_UID": 1000,
+ "_GID": 1000,
+ "_COMM": "systemd",
+ "_EXE": "/usr/lib/systemd/systemd",
+ "_CMDLINE": "/usr/lib/systemd/systemd --user",
+ "_CAP_EFFECTIVE": "800000000",
+ "_SELINUX_CONTEXT": "unconfined\n",
+ "_AUDIT_SESSION": 3,
+ "_AUDIT_LOGINUID": 1000,
+ "_SYSTEMD_CGROUP": "/user.slice/user-1000.slice/user@1000.service/init.scope",
+ "_SYSTEMD_OWNER_UID": "1000",
+ "_SYSTEMD_UNIT": "user@1000.service",
+ "_SYSTEMD_USER_UNIT": "init.scope",
+ "_SYSTEMD_SLICE": "user-1000.slice",
+ "_SYSTEMD_USER_SLICE": "-.slice",
+ "_BOOT_ID": "23a9ab0f82de434496c353945dcf5919",
+ "_MACHINE_ID": "832249f87a0d447097d88407cb0c44e1",
+ "_HOSTNAME": "devbox",
+ "_RUNTIME_SCOPE": "system",
+ "SOURCE_REALTIME_TIMESTAMP": "2024-07-19T07:52:28.556287Z"
+ },
+ "EventData": {
+ "PRIORITY": 6,
+ "SYSLOG_FACILITY": 3,
+ "TID": 3137,
+ "SYSLOG_IDENTIFIER": "systemd",
+ "CODE_FILE": "src/core/job.c",
+ "CODE_LINE": 796,
+ "CODE_FUNC": "job_emit_done_message",
+ "MESSAGE": "Created slice app.slice - User Application Slice.",
+ "JOB_ID": "11",
+ "JOB_TYPE": "start",
+ "JOB_RESULT": "done",
+ "USER_INVOCATION_ID": "cd69d947db534ca480f9052257dccc86",
+ "MESSAGE_ID": "39f53479d3a045ac8e11786248231fbf",
+ "USER_UNIT": "app.slice"
+ },
+ "_Source": "Linux.Forensics.Journal"
},
{
- "Offset": 3742064,
- "Timestamp": "2024-07-19T07:52:28.557602Z",
- "Data": [
- "PRIORITY=6",
- "SYSLOG_FACILITY=3",
- "TID=3137\u0002",
- "SYSLOG_IDENTIFIER=systemd",
- "_TRANSPORT=journal",
- "_PID=3137",
- "_UID=1000",
- "_GID=1000",
- "_COMM=systemd",
- "_EXE=/usr/lib/systemd/systemd",
- "_CMDLINE=/usr/lib/systemd/systemd --user\u0002",
- "_CAP_EFFECTIVE=800000000\u0002",
- "_SELINUX_CONTEXT=unconfined\n",
- "_AUDIT_SESSION=3\u0002",
- "_AUDIT_LOGINUID=1000",
- "_SYSTEMD_CGROUP=/user.slice/user-1000.slice/user@1000.service/init.scope\u0002",
- "_SYSTEMD_OWNER_UID=1000",
- "_SYSTEMD_UNIT=user@1000.service",
- "_SYSTEMD_USER_UNIT=init.scope",
- "_SYSTEMD_SLICE=user-1000.slice",
- "_SYSTEMD_USER_SLICE=-.slice",
- "_BOOT_ID=23a9ab0f82de434496c353945dcf5919",
- "_MACHINE_ID=832249f87a0d447097d88407cb0c44e1",
- "_HOSTNAME=devbox\u0002",
- "_RUNTIME_SCOPE=system",
- "CODE_FILE=src/core/job.c\u0001",
- "CODE_LINE=796",
- "CODE_FUNC=job_emit_done_message",
- "JOB_TYPE=start",
- "JOB_RESULT=done",
- "MESSAGE_ID=39f53479d3a045ac8e11786248231fbf",
- "MESSAGE=Created slice session.slice - User Core Session Slice.",
- "JOB_ID=29",
- "USER_INVOCATION_ID=0135a5e6665047be9c067b2c0aecbb19",
- "USER_UNIT=session.slice",
- "_SOURCE_REALTIME_TIMESTAMP=1721375548557543"
- ]
+ "System": {
+ "Seq": 4839,
+ "Timestamp": "2024-07-19T07:52:28.557602Z",
+ "_TRANSPORT": "journal",
+ "_PID": 3137,
+ "_UID": 1000,
+ "_GID": 1000,
+ "_COMM": "systemd",
+ "_EXE": "/usr/lib/systemd/systemd",
+ "_CMDLINE": "/usr/lib/systemd/systemd --user",
+ "_CAP_EFFECTIVE": "800000000",
+ "_SELINUX_CONTEXT": "unconfined\n",
+ "_AUDIT_SESSION": 3,
+ "_AUDIT_LOGINUID": 1000,
+ "_SYSTEMD_CGROUP": "/user.slice/user-1000.slice/user@1000.service/init.scope",
+ "_SYSTEMD_OWNER_UID": "1000",
+ "_SYSTEMD_UNIT": "user@1000.service",
+ "_SYSTEMD_USER_UNIT": "init.scope",
+ "_SYSTEMD_SLICE": "user-1000.slice",
+ "_SYSTEMD_USER_SLICE": "-.slice",
+ "_BOOT_ID": "23a9ab0f82de434496c353945dcf5919",
+ "_MACHINE_ID": "832249f87a0d447097d88407cb0c44e1",
+ "_HOSTNAME": "devbox",
+ "_RUNTIME_SCOPE": "system",
+ "SOURCE_REALTIME_TIMESTAMP": "2024-07-19T07:52:28.557543Z"
+ },
+ "EventData": {
+ "PRIORITY": 6,
+ "SYSLOG_FACILITY": 3,
+ "TID": 3137,
+ "SYSLOG_IDENTIFIER": "systemd",
+ "CODE_FILE": "src/core/job.c",
+ "CODE_LINE": 796,
+ "CODE_FUNC": "job_emit_done_message",
+ "JOB_TYPE": "start",
+ "JOB_RESULT": "done",
+ "MESSAGE_ID": "39f53479d3a045ac8e11786248231fbf",
+ "MESSAGE": "Created slice session.slice - User Core Session Slice.",
+ "JOB_ID": "29",
+ "USER_INVOCATION_ID": "0135a5e6665047be9c067b2c0aecbb19",
+ "USER_UNIT": "session.slice"
+ },
+ "_Source": "Linux.Forensics.Journal"
},
{
- "Offset": 3743104,
- "Timestamp": "2024-07-19T07:52:28.557814Z",
- "Data": [
- "PRIORITY=6",
- "SYSLOG_FACILITY=3",
- "TID=3137\u0002",
- "SYSLOG_IDENTIFIER=systemd",
- "_TRANSPORT=journal",
- "_PID=3137",
- "_UID=1000",
- "_GID=1000",
- "_COMM=systemd",
- "_EXE=/usr/lib/systemd/systemd",
- "_CMDLINE=/usr/lib/systemd/systemd --user\u0002",
- "_CAP_EFFECTIVE=800000000\u0002",
- "_SELINUX_CONTEXT=unconfined\n",
- "_AUDIT_SESSION=3\u0002",
- "_AUDIT_LOGINUID=1000",
- "_SYSTEMD_CGROUP=/user.slice/user-1000.slice/user@1000.service/init.scope\u0002",
- "_SYSTEMD_OWNER_UID=1000",
- "_SYSTEMD_UNIT=user@1000.service",
- "_SYSTEMD_USER_UNIT=init.scope",
- "_SYSTEMD_SLICE=user-1000.slice",
- "_SYSTEMD_USER_SLICE=-.slice",
- "_BOOT_ID=23a9ab0f82de434496c353945dcf5919",
- "_MACHINE_ID=832249f87a0d447097d88407cb0c44e1",
- "_HOSTNAME=devbox\u0002",
- "_RUNTIME_SCOPE=system",
- "CODE_FILE=src/core/job.c\u0001",
- "CODE_LINE=796",
- "CODE_FUNC=job_emit_done_message",
- "JOB_TYPE=start",
- "JOB_RESULT=done",
- "MESSAGE_ID=39f53479d3a045ac8e11786248231fbf",
- "MESSAGE=Started ubuntu-report.path - Pending report trigger for Ubuntu Report.",
- "JOB_ID=34",
- "USER_INVOCATION_ID=79fb13c9db64446c91f4997535aacc1d",
- "USER_UNIT=ubuntu-report.path",
- "_SOURCE_REALTIME_TIMESTAMP=1721375548557773"
- ]
+ "System": {
+ "Seq": 4840,
+ "Timestamp": "2024-07-19T07:52:28.557814Z",
+ "_TRANSPORT": "journal",
+ "_PID": 3137,
+ "_UID": 1000,
+ "_GID": 1000,
+ "_COMM": "systemd",
+ "_EXE": "/usr/lib/systemd/systemd",
+ "_CMDLINE": "/usr/lib/systemd/systemd --user",
+ "_CAP_EFFECTIVE": "800000000",
+ "_SELINUX_CONTEXT": "unconfined\n",
+ "_AUDIT_SESSION": 3,
+ "_AUDIT_LOGINUID": 1000,
+ "_SYSTEMD_CGROUP": "/user.slice/user-1000.slice/user@1000.service/init.scope",
+ "_SYSTEMD_OWNER_UID": "1000",
+ "_SYSTEMD_UNIT": "user@1000.service",
+ "_SYSTEMD_USER_UNIT": "init.scope",
+ "_SYSTEMD_SLICE": "user-1000.slice",
+ "_SYSTEMD_USER_SLICE": "-.slice",
+ "_BOOT_ID": "23a9ab0f82de434496c353945dcf5919",
+ "_MACHINE_ID": "832249f87a0d447097d88407cb0c44e1",
+ "_HOSTNAME": "devbox",
+ "_RUNTIME_SCOPE": "system",
+ "SOURCE_REALTIME_TIMESTAMP": "2024-07-19T07:52:28.557773Z"
+ },
+ "EventData": {
+ "PRIORITY": 6,
+ "SYSLOG_FACILITY": 3,
+ "TID": 3137,
+ "SYSLOG_IDENTIFIER": "systemd",
+ "CODE_FILE": "src/core/job.c",
+ "CODE_LINE": 796,
+ "CODE_FUNC": "job_emit_done_message",
+ "JOB_TYPE": "start",
+ "JOB_RESULT": "done",
+ "MESSAGE_ID": "39f53479d3a045ac8e11786248231fbf",
+ "MESSAGE": "Started ubuntu-report.path - Pending report trigger for Ubuntu Report.",
+ "JOB_ID": "34",
+ "USER_INVOCATION_ID": "79fb13c9db64446c91f4997535aacc1d",
+ "USER_UNIT": "ubuntu-report.path"
+ },
+ "_Source": "Linux.Forensics.Journal"
},
{
- "Offset": 3743920,
- "Timestamp": "2024-07-19T07:52:28.557908Z",
- "Data": [
- "PRIORITY=6",
- "SYSLOG_FACILITY=3",
- "TID=3137\u0002",
- "SYSLOG_IDENTIFIER=systemd",
- "_TRANSPORT=journal",
- "_PID=3137",
- "_UID=1000",
- "_GID=1000",
- "_COMM=systemd",
- "_EXE=/usr/lib/systemd/systemd",
- "_CMDLINE=/usr/lib/systemd/systemd --user\u0002",
- "_CAP_EFFECTIVE=800000000\u0002",
- "_SELINUX_CONTEXT=unconfined\n",
- "_AUDIT_SESSION=3\u0002",
- "_AUDIT_LOGINUID=1000",
- "_SYSTEMD_CGROUP=/user.slice/user-1000.slice/user@1000.service/init.scope\u0002",
- "_SYSTEMD_OWNER_UID=1000",
- "_SYSTEMD_UNIT=user@1000.service",
- "_SYSTEMD_USER_UNIT=init.scope",
- "_SYSTEMD_SLICE=user-1000.slice",
- "_SYSTEMD_USER_SLICE=-.slice",
- "_BOOT_ID=23a9ab0f82de434496c353945dcf5919",
- "_MACHINE_ID=832249f87a0d447097d88407cb0c44e1",
- "_HOSTNAME=devbox\u0002",
- "_RUNTIME_SCOPE=system",
- "CODE_FILE=src/core/job.c\u0001",
- "CODE_LINE=796",
- "CODE_FUNC=job_emit_done_message",
- "JOB_TYPE=start",
- "JOB_RESULT=done",
- "MESSAGE_ID=39f53479d3a045ac8e11786248231fbf",
- "MESSAGE=Started launchpadlib-cache-clean.timer - Clean up old files in the Launchpadlib cache.",
- "JOB_ID=6\u0001",
- "USER_INVOCATION_ID=496609a7297345c7a179956ac00fbc5d",
- "USER_UNIT=launchpadlib-cache-clean.timer\u0001",
- "_SOURCE_REALTIME_TIMESTAMP=1721375548557834"
- ]
+ "System": {
+ "Seq": 4841,
+ "Timestamp": "2024-07-19T07:52:28.557908Z",
+ "_TRANSPORT": "journal",
+ "_PID": 3137,
+ "_UID": 1000,
+ "_GID": 1000,
+ "_COMM": "systemd",
+ "_EXE": "/usr/lib/systemd/systemd",
+ "_CMDLINE": "/usr/lib/systemd/systemd --user",
+ "_CAP_EFFECTIVE": "800000000",
+ "_SELINUX_CONTEXT": "unconfined\n",
+ "_AUDIT_SESSION": 3,
+ "_AUDIT_LOGINUID": 1000,
+ "_SYSTEMD_CGROUP": "/user.slice/user-1000.slice/user@1000.service/init.scope",
+ "_SYSTEMD_OWNER_UID": "1000",
+ "_SYSTEMD_UNIT": "user@1000.service",
+ "_SYSTEMD_USER_UNIT": "init.scope",
+ "_SYSTEMD_SLICE": "user-1000.slice",
+ "_SYSTEMD_USER_SLICE": "-.slice",
+ "_BOOT_ID": "23a9ab0f82de434496c353945dcf5919",
+ "_MACHINE_ID": "832249f87a0d447097d88407cb0c44e1",
+ "_HOSTNAME": "devbox",
+ "_RUNTIME_SCOPE": "system",
+ "SOURCE_REALTIME_TIMESTAMP": "2024-07-19T07:52:28.557834Z"
+ },
+ "EventData": {
+ "PRIORITY": 6,
+ "SYSLOG_FACILITY": 3,
+ "TID": 3137,
+ "SYSLOG_IDENTIFIER": "systemd",
+ "CODE_FILE": "src/core/job.c",
+ "CODE_LINE": 796,
+ "CODE_FUNC": "job_emit_done_message",
+ "JOB_TYPE": "start",
+ "JOB_RESULT": "done",
+ "MESSAGE_ID": "39f53479d3a045ac8e11786248231fbf",
+ "MESSAGE": "Started launchpadlib-cache-clean.timer - Clean up old files in the Launchpadlib cache.",
+ "JOB_ID": "6",
+ "USER_INVOCATION_ID": "496609a7297345c7a179956ac00fbc5d",
+ "USER_UNIT": "launchpadlib-cache-clean.timer"
+ },
+ "_Source": "Linux.Forensics.Journal"
},
{
- "Offset": 3744856,
- "Timestamp": "2024-07-19T07:52:28.558591Z",
- "Data": [
- "PRIORITY=6",
- "SYSLOG_FACILITY=3",
- "TID=3137\u0002",
- "SYSLOG_IDENTIFIER=systemd",
- "_TRANSPORT=journal",
- "_PID=3137",
- "_UID=1000",
- "_GID=1000",
- "_COMM=systemd",
- "_EXE=/usr/lib/systemd/systemd",
- "_CMDLINE=/usr/lib/systemd/systemd --user\u0002",
- "_CAP_EFFECTIVE=800000000\u0002",
- "_SELINUX_CONTEXT=unconfined\n",
- "_AUDIT_SESSION=3\u0002",
- "_AUDIT_LOGINUID=1000",
- "_SYSTEMD_CGROUP=/user.slice/user-1000.slice/user@1000.service/init.scope\u0002",
- "_SYSTEMD_OWNER_UID=1000",
- "_SYSTEMD_UNIT=user@1000.service",
- "_SYSTEMD_USER_UNIT=init.scope",
- "_SYSTEMD_SLICE=user-1000.slice",
- "_SYSTEMD_USER_SLICE=-.slice",
- "_BOOT_ID=23a9ab0f82de434496c353945dcf5919",
- "_MACHINE_ID=832249f87a0d447097d88407cb0c44e1",
- "_HOSTNAME=devbox\u0002",
- "_RUNTIME_SCOPE=system",
- "CODE_FILE=src/core/job.c\u0001",
- "CODE_LINE=796",
- "CODE_FUNC=job_emit_done_message",
- "JOB_TYPE=start",
- "JOB_RESULT=done",
- "MESSAGE_ID=39f53479d3a045ac8e11786248231fbf",
- "MESSAGE=Started snap.firmware-updater.firmware-notifier.timer - Timer firmware-notifier for snap application firmware-updater.firmware-notifier.\u0001",
- "JOB_ID=8\u0001",
- "USER_INVOCATION_ID=a88af3c77d11478bbf5231ea637643b9",
- "USER_UNIT=snap.firmware-updater.firmware-notifier.timer",
- "_SOURCE_REALTIME_TIMESTAMP=1721375548558541"
- ]
+ "System": {
+ "Seq": 4842,
+ "Timestamp": "2024-07-19T07:52:28.558591Z",
+ "_TRANSPORT": "journal",
+ "_PID": 3137,
+ "_UID": 1000,
+ "_GID": 1000,
+ "_COMM": "systemd",
+ "_EXE": "/usr/lib/systemd/systemd",
+ "_CMDLINE": "/usr/lib/systemd/systemd --user",
+ "_CAP_EFFECTIVE": "800000000",
+ "_SELINUX_CONTEXT": "unconfined\n",
+ "_AUDIT_SESSION": 3,
+ "_AUDIT_LOGINUID": 1000,
+ "_SYSTEMD_CGROUP": "/user.slice/user-1000.slice/user@1000.service/init.scope",
+ "_SYSTEMD_OWNER_UID": "1000",
+ "_SYSTEMD_UNIT": "user@1000.service",
+ "_SYSTEMD_USER_UNIT": "init.scope",
+ "_SYSTEMD_SLICE": "user-1000.slice",
+ "_SYSTEMD_USER_SLICE": "-.slice",
+ "_BOOT_ID": "23a9ab0f82de434496c353945dcf5919",
+ "_MACHINE_ID": "832249f87a0d447097d88407cb0c44e1",
+ "_HOSTNAME": "devbox",
+ "_RUNTIME_SCOPE": "system",
+ "SOURCE_REALTIME_TIMESTAMP": "2024-07-19T07:52:28.558541Z"
+ },
+ "EventData": {
+ "PRIORITY": 6,
+ "SYSLOG_FACILITY": 3,
+ "TID": 3137,
+ "SYSLOG_IDENTIFIER": "systemd",
+ "CODE_FILE": "src/core/job.c",
+ "CODE_LINE": 796,
+ "CODE_FUNC": "job_emit_done_message",
+ "JOB_TYPE": "start",
+ "JOB_RESULT": "done",
+ "MESSAGE_ID": "39f53479d3a045ac8e11786248231fbf",
+ "MESSAGE": "Started snap.firmware-updater.firmware-notifier.timer - Timer firmware-notifier for snap application firmware-updater.firmware-notifier.",
+ "JOB_ID": "8",
+ "USER_INVOCATION_ID": "a88af3c77d11478bbf5231ea637643b9",
+ "USER_UNIT": "snap.firmware-updater.firmware-notifier.timer"
+ },
+ "_Source": "Linux.Forensics.Journal"
},
{
- "Offset": 3747016,
- "Timestamp": "2024-07-19T07:52:28.558698Z",
- "Data": [
- "PRIORITY=6",
- "SYSLOG_FACILITY=3",
- "TID=3137\u0002",
- "SYSLOG_IDENTIFIER=systemd",
- "_TRANSPORT=journal",
- "_PID=3137",
- "_UID=1000",
- "_GID=1000",
- "_COMM=systemd",
- "_EXE=/usr/lib/systemd/systemd",
- "_CMDLINE=/usr/lib/systemd/systemd --user\u0002",
- "_CAP_EFFECTIVE=800000000\u0002",
- "_SELINUX_CONTEXT=unconfined\n",
- "_AUDIT_SESSION=3\u0002",
- "_AUDIT_LOGINUID=1000",
- "_SYSTEMD_CGROUP=/user.slice/user-1000.slice/user@1000.service/init.scope\u0002",
- "_SYSTEMD_OWNER_UID=1000",
- "_SYSTEMD_UNIT=user@1000.service",
- "_SYSTEMD_USER_UNIT=init.scope",
- "_SYSTEMD_SLICE=user-1000.slice",
- "_SYSTEMD_USER_SLICE=-.slice",
- "_BOOT_ID=23a9ab0f82de434496c353945dcf5919",
- "_MACHINE_ID=832249f87a0d447097d88407cb0c44e1",
- "_HOSTNAME=devbox\u0002",
- "_RUNTIME_SCOPE=system",
- "CODE_FILE=src/core/job.c\u0001",
- "CODE_LINE=796",
- "CODE_FUNC=job_emit_done_message",
- "JOB_TYPE=start",
- "JOB_RESULT=done",
- "MESSAGE_ID=39f53479d3a045ac8e11786248231fbf",
- "MESSAGE=Reached target paths.target - Paths.",
- "JOB_ID=27",
- "USER_INVOCATION_ID=ae3b6539808e4a299cd1ab1c371fe50e",
- "USER_UNIT=paths.target",
- "_SOURCE_REALTIME_TIMESTAMP=1721375548558601"
- ]
+ "System": {
+ "Seq": 4843,
+ "Timestamp": "2024-07-19T07:52:28.558698Z",
+ "_TRANSPORT": "journal",
+ "_PID": 3137,
+ "_UID": 1000,
+ "_GID": 1000,
+ "_COMM": "systemd",
+ "_EXE": "/usr/lib/systemd/systemd",
+ "_CMDLINE": "/usr/lib/systemd/systemd --user",
+ "_CAP_EFFECTIVE": "800000000",
+ "_SELINUX_CONTEXT": "unconfined\n",
+ "_AUDIT_SESSION": 3,
+ "_AUDIT_LOGINUID": 1000,
+ "_SYSTEMD_CGROUP": "/user.slice/user-1000.slice/user@1000.service/init.scope",
+ "_SYSTEMD_OWNER_UID": "1000",
+ "_SYSTEMD_UNIT": "user@1000.service",
+ "_SYSTEMD_USER_UNIT": "init.scope",
+ "_SYSTEMD_SLICE": "user-1000.slice",
+ "_SYSTEMD_USER_SLICE": "-.slice",
+ "_BOOT_ID": "23a9ab0f82de434496c353945dcf5919",
+ "_MACHINE_ID": "832249f87a0d447097d88407cb0c44e1",
+ "_HOSTNAME": "devbox",
+ "_RUNTIME_SCOPE": "system",
+ "SOURCE_REALTIME_TIMESTAMP": "2024-07-19T07:52:28.558601Z"
+ },
+ "EventData": {
+ "PRIORITY": 6,
+ "SYSLOG_FACILITY": 3,
+ "TID": 3137,
+ "SYSLOG_IDENTIFIER": "systemd",
+ "CODE_FILE": "src/core/job.c",
+ "CODE_LINE": 796,
+ "CODE_FUNC": "job_emit_done_message",
+ "JOB_TYPE": "start",
+ "JOB_RESULT": "done",
+ "MESSAGE_ID": "39f53479d3a045ac8e11786248231fbf",
+ "MESSAGE": "Reached target paths.target - Paths.",
+ "JOB_ID": "27",
+ "USER_INVOCATION_ID": "ae3b6539808e4a299cd1ab1c371fe50e",
+ "USER_UNIT": "paths.target"
+ },
+ "_Source": "Linux.Forensics.Journal"
},
{
- "Offset": 3748104,
- "Timestamp": "2024-07-19T07:52:28.558771Z",
- "Data": [
- "PRIORITY=6",
- "SYSLOG_FACILITY=3",
- "TID=3137\u0002",
- "SYSLOG_IDENTIFIER=systemd",
- "_TRANSPORT=journal",
- "_PID=3137",
- "_UID=1000",
- "_GID=1000",
- "_COMM=systemd",
- "_EXE=/usr/lib/systemd/systemd",
- "_CMDLINE=/usr/lib/systemd/systemd --user\u0002",
- "_CAP_EFFECTIVE=800000000\u0002",
- "_SELINUX_CONTEXT=unconfined\n",
- "_AUDIT_SESSION=3\u0002",
- "_AUDIT_LOGINUID=1000",
- "_SYSTEMD_CGROUP=/user.slice/user-1000.slice/user@1000.service/init.scope\u0002",
- "_SYSTEMD_OWNER_UID=1000",
- "_SYSTEMD_UNIT=user@1000.service",
- "_SYSTEMD_USER_UNIT=init.scope",
- "_SYSTEMD_SLICE=user-1000.slice",
- "_SYSTEMD_USER_SLICE=-.slice",
- "_BOOT_ID=23a9ab0f82de434496c353945dcf5919",
- "_MACHINE_ID=832249f87a0d447097d88407cb0c44e1",
- "_HOSTNAME=devbox\u0002",
- "_RUNTIME_SCOPE=system",
- "CODE_FILE=src/core/job.c\u0001",
- "CODE_LINE=796",
- "CODE_FUNC=job_emit_done_message",
- "JOB_TYPE=start",
- "JOB_RESULT=done",
- "MESSAGE_ID=39f53479d3a045ac8e11786248231fbf",
- "MESSAGE=Reached target timers.target - Timers.",
- "JOB_ID=5\u0001",
- "USER_INVOCATION_ID=c19184ccbc5341b498bd3ca2bf0fef70",
- "USER_UNIT=timers.target",
- "_SOURCE_REALTIME_TIMESTAMP=1721375548558646"
- ]
+ "System": {
+ "Seq": 4844,
+ "Timestamp": "2024-07-19T07:52:28.558771Z",
+ "_TRANSPORT": "journal",
+ "_PID": 3137,
+ "_UID": 1000,
+ "_GID": 1000,
+ "_COMM": "systemd",
+ "_EXE": "/usr/lib/systemd/systemd",
+ "_CMDLINE": "/usr/lib/systemd/systemd --user",
+ "_CAP_EFFECTIVE": "800000000",
+ "_SELINUX_CONTEXT": "unconfined\n",
+ "_AUDIT_SESSION": 3,
+ "_AUDIT_LOGINUID": 1000,
+ "_SYSTEMD_CGROUP": "/user.slice/user-1000.slice/user@1000.service/init.scope",
+ "_SYSTEMD_OWNER_UID": "1000",
+ "_SYSTEMD_UNIT": "user@1000.service",
+ "_SYSTEMD_USER_UNIT": "init.scope",
+ "_SYSTEMD_SLICE": "user-1000.slice",
+ "_SYSTEMD_USER_SLICE": "-.slice",
+ "_BOOT_ID": "23a9ab0f82de434496c353945dcf5919",
+ "_MACHINE_ID": "832249f87a0d447097d88407cb0c44e1",
+ "_HOSTNAME": "devbox",
+ "_RUNTIME_SCOPE": "system",
+ "SOURCE_REALTIME_TIMESTAMP": "2024-07-19T07:52:28.558646Z"
+ },
+ "EventData": {
+ "PRIORITY": 6,
+ "SYSLOG_FACILITY": 3,
+ "TID": 3137,
+ "SYSLOG_IDENTIFIER": "systemd",
+ "CODE_FILE": "src/core/job.c",
+ "CODE_LINE": 796,
+ "CODE_FUNC": "job_emit_done_message",
+ "JOB_TYPE": "start",
+ "JOB_RESULT": "done",
+ "MESSAGE_ID": "39f53479d3a045ac8e11786248231fbf",
+ "MESSAGE": "Reached target timers.target - Timers.",
+ "JOB_ID": "5",
+ "USER_INVOCATION_ID": "c19184ccbc5341b498bd3ca2bf0fef70",
+ "USER_UNIT": "timers.target"
+ },
+ "_Source": "Linux.Forensics.Journal"
},
{
- "Offset": 3749192,
- "Timestamp": "2024-07-19T07:52:28.561465Z",
- "Data": [
- "PRIORITY=6",
- "SYSLOG_FACILITY=3",
- "TID=3137\u0002",
- "SYSLOG_IDENTIFIER=systemd",
- "_TRANSPORT=journal",
- "_PID=3137",
- "_UID=1000",
- "_GID=1000",
- "_COMM=systemd",
- "_EXE=/usr/lib/systemd/systemd",
- "_CMDLINE=/usr/lib/systemd/systemd --user\u0002",
- "_CAP_EFFECTIVE=800000000\u0002",
- "_SELINUX_CONTEXT=unconfined\n",
- "_AUDIT_SESSION=3\u0002",
- "_AUDIT_LOGINUID=1000",
- "_SYSTEMD_CGROUP=/user.slice/user-1000.slice/user@1000.service/init.scope\u0002",
- "_SYSTEMD_OWNER_UID=1000",
- "_SYSTEMD_UNIT=user@1000.service",
- "_SYSTEMD_USER_UNIT=init.scope",
- "_SYSTEMD_SLICE=user-1000.slice",
- "_SYSTEMD_USER_SLICE=-.slice",
- "_BOOT_ID=23a9ab0f82de434496c353945dcf5919",
- "_MACHINE_ID=832249f87a0d447097d88407cb0c44e1",
- "_HOSTNAME=devbox\u0002",
- "_RUNTIME_SCOPE=system",
- "CODE_FILE=src/core/job.c\u0001",
- "JOB_TYPE=start",
- "CODE_LINE=609",
- "CODE_FUNC=job_emit_start_message\u0001",
- "MESSAGE=Starting dbus.socket - D-Bus User Message Bus Socket...",
- "JOB_ID=16",
- "USER_INVOCATION_ID=cb5e8a3617cc4715b746ac0989b1c9bb",
- "MESSAGE_ID=7d4958e842da4a758f6c1cdc7b36dcc5",
- "USER_UNIT=dbus.socket",
- "_SOURCE_REALTIME_TIMESTAMP=1721375548561391"
- ]
+ "System": {
+ "Seq": 4845,
+ "Timestamp": "2024-07-19T07:52:28.561465Z",
+ "_TRANSPORT": "journal",
+ "_PID": 3137,
+ "_UID": 1000,
+ "_GID": 1000,
+ "_COMM": "systemd",
+ "_EXE": "/usr/lib/systemd/systemd",
+ "_CMDLINE": "/usr/lib/systemd/systemd --user",
+ "_CAP_EFFECTIVE": "800000000",
+ "_SELINUX_CONTEXT": "unconfined\n",
+ "_AUDIT_SESSION": 3,
+ "_AUDIT_LOGINUID": 1000,
+ "_SYSTEMD_CGROUP": "/user.slice/user-1000.slice/user@1000.service/init.scope",
+ "_SYSTEMD_OWNER_UID": "1000",
+ "_SYSTEMD_UNIT": "user@1000.service",
+ "_SYSTEMD_USER_UNIT": "init.scope",
+ "_SYSTEMD_SLICE": "user-1000.slice",
+ "_SYSTEMD_USER_SLICE": "-.slice",
+ "_BOOT_ID": "23a9ab0f82de434496c353945dcf5919",
+ "_MACHINE_ID": "832249f87a0d447097d88407cb0c44e1",
+ "_HOSTNAME": "devbox",
+ "_RUNTIME_SCOPE": "system",
+ "SOURCE_REALTIME_TIMESTAMP": "2024-07-19T07:52:28.561391Z"
+ },
+ "EventData": {
+ "PRIORITY": 6,
+ "SYSLOG_FACILITY": 3,
+ "TID": 3137,
+ "SYSLOG_IDENTIFIER": "systemd",
+ "CODE_FILE": "src/core/job.c",
+ "JOB_TYPE": "start",
+ "CODE_LINE": 609,
+ "CODE_FUNC": "job_emit_start_message",
+ "MESSAGE": "Starting dbus.socket - D-Bus User Message Bus Socket...",
+ "JOB_ID": "16",
+ "USER_INVOCATION_ID": "cb5e8a3617cc4715b746ac0989b1c9bb",
+ "MESSAGE_ID": "7d4958e842da4a758f6c1cdc7b36dcc5",
+ "USER_UNIT": "dbus.socket"
+ },
+ "_Source": "Linux.Forensics.Journal"
},
{
- "Offset": 3749992,
- "Timestamp": "2024-07-19T07:52:28.561727Z",
- "Data": [
- "PRIORITY=6",
- "SYSLOG_FACILITY=3",
- "TID=3137\u0002",
- "SYSLOG_IDENTIFIER=systemd",
- "_TRANSPORT=journal",
- "_PID=3137",
- "_UID=1000",
- "_GID=1000",
- "_COMM=systemd",
- "_EXE=/usr/lib/systemd/systemd",
- "_CMDLINE=/usr/lib/systemd/systemd --user\u0002",
- "_CAP_EFFECTIVE=800000000\u0002",
- "_SELINUX_CONTEXT=unconfined\n",
- "_AUDIT_SESSION=3\u0002",
- "_AUDIT_LOGINUID=1000",
- "_SYSTEMD_CGROUP=/user.slice/user-1000.slice/user@1000.service/init.scope\u0002",
- "_SYSTEMD_OWNER_UID=1000",
- "_SYSTEMD_UNIT=user@1000.service",
- "_SYSTEMD_USER_UNIT=init.scope",
- "_SYSTEMD_SLICE=user-1000.slice",
- "_SYSTEMD_USER_SLICE=-.slice",
- "_BOOT_ID=23a9ab0f82de434496c353945dcf5919",
- "_MACHINE_ID=832249f87a0d447097d88407cb0c44e1",
- "_HOSTNAME=devbox\u0002",
- "_RUNTIME_SCOPE=system",
- "CODE_FILE=src/core/job.c\u0001",
- "CODE_LINE=796",
- "CODE_FUNC=job_emit_done_message",
- "JOB_TYPE=start",
- "JOB_RESULT=done",
- "MESSAGE_ID=39f53479d3a045ac8e11786248231fbf",
- "MESSAGE=Listening on dirmngr.socket - GnuPG network certificate management daemon.",
- "JOB_ID=17",
- "USER_INVOCATION_ID=267becdcaa904435a9c45537e3f82b0a",
- "USER_UNIT=dirmngr.socket\u0001",
- "_SOURCE_REALTIME_TIMESTAMP=1721375548561670"
- ]
+ "System": {
+ "Seq": 4846,
+ "Timestamp": "2024-07-19T07:52:28.561727Z",
+ "_TRANSPORT": "journal",
+ "_PID": 3137,
+ "_UID": 1000,
+ "_GID": 1000,
+ "_COMM": "systemd",
+ "_EXE": "/usr/lib/systemd/systemd",
+ "_CMDLINE": "/usr/lib/systemd/systemd --user",
+ "_CAP_EFFECTIVE": "800000000",
+ "_SELINUX_CONTEXT": "unconfined\n",
+ "_AUDIT_SESSION": 3,
+ "_AUDIT_LOGINUID": 1000,
+ "_SYSTEMD_CGROUP": "/user.slice/user-1000.slice/user@1000.service/init.scope",
+ "_SYSTEMD_OWNER_UID": "1000",
+ "_SYSTEMD_UNIT": "user@1000.service",
+ "_SYSTEMD_USER_UNIT": "init.scope",
+ "_SYSTEMD_SLICE": "user-1000.slice",
+ "_SYSTEMD_USER_SLICE": "-.slice",
+ "_BOOT_ID": "23a9ab0f82de434496c353945dcf5919",
+ "_MACHINE_ID": "832249f87a0d447097d88407cb0c44e1",
+ "_HOSTNAME": "devbox",
+ "_RUNTIME_SCOPE": "system",
+ "SOURCE_REALTIME_TIMESTAMP": "2024-07-19T07:52:28.56167Z"
+ },
+ "EventData": {
+ "PRIORITY": 6,
+ "SYSLOG_FACILITY": 3,
+ "TID": 3137,
+ "SYSLOG_IDENTIFIER": "systemd",
+ "CODE_FILE": "src/core/job.c",
+ "CODE_LINE": 796,
+ "CODE_FUNC": "job_emit_done_message",
+ "JOB_TYPE": "start",
+ "JOB_RESULT": "done",
+ "MESSAGE_ID": "39f53479d3a045ac8e11786248231fbf",
+ "MESSAGE": "Listening on dirmngr.socket - GnuPG network certificate management daemon.",
+ "JOB_ID": "17",
+ "USER_INVOCATION_ID": "267becdcaa904435a9c45537e3f82b0a",
+ "USER_UNIT": "dirmngr.socket"
+ },
+ "_Source": "Linux.Forensics.Journal"
}
]SELECT * FROM parse_journald(filename='/system.journal') LIMIT 2[
{
diff --git a/gui/velociraptor/package-lock.json b/gui/velociraptor/package-lock.json
index 3829ed640c0..3f625b192a6 100644
--- a/gui/velociraptor/package-lock.json
+++ b/gui/velociraptor/package-lock.json
@@ -11,14 +11,14 @@
"@babel/core": "^7.25.2",
"@babel/plugin-syntax-flow": "^7.24.7",
"@babel/plugin-transform-react-jsx": "^7.25.2",
- "@babel/runtime": "^7.25.4",
+ "@babel/runtime": "^7.25.6",
"@fortawesome/fontawesome-svg-core": "6.6.0",
"@fortawesome/free-regular-svg-icons": "6.6.0",
"@fortawesome/free-solid-svg-icons": "^6.6.0",
"@fortawesome/react-fontawesome": "0.2.2",
"@popperjs/core": "^2.11.8",
- "axios": "^1.7.5",
- "ace-builds": "^1.36.0",
+ "ace-builds": "^1.36.1",
+ "axios": ">=1.7.5",
"axios-retry": "3.9.1",
"bootstrap": "5.3.3",
"classnames": "^2.5.1",
@@ -80,7 +80,7 @@
"eslint-plugin-import": "^2.27.5",
"eslint-plugin-jsx-a11y": "^6.7.1",
"eslint-plugin-react": "^7.32.2",
- "vite": "^4.5.3",
+ "vite": "^4.5.5",
"vite-plugin-compression": "^0.5.1",
"vite-plugin-eslint": "1.8.1"
}
@@ -2081,9 +2081,9 @@
"dev": true
},
"node_modules/@babel/runtime": {
- "version": "7.25.4",
- "resolved": "https://registry.npmjs.org/@babel/runtime/-/runtime-7.25.4.tgz",
- "integrity": "sha512-DSgLeL/FNcpXuzav5wfYvHCGvynXkJbn3Zvc3823AEe9nPwW9IK4UoCSS5yGymmQzN0pCPvivtgS6/8U2kkm1w==",
+ "version": "7.25.6",
+ "resolved": "https://registry.npmjs.org/@babel/runtime/-/runtime-7.25.6.tgz",
+ "integrity": "sha512-VBj9MYyDb9tuLq7yzqjgzt6Q+IBQLrGZfdjOekyEirZPHxXWoTSGUTMrpsfi58Up73d13NfYLv8HT9vmznjzhQ==",
"license": "MIT",
"dependencies": {
"regenerator-runtime": "^0.14.0"
@@ -3715,9 +3715,9 @@
"integrity": "sha512-nne9/IiQ/hzIhY6pdDnbBtz7DjPTKrY00P/zvPSm5pOFkl6xuGrGnXn/VtTNNfNtAfZ9/1RtehkszU9qcTii0Q=="
},
"node_modules/ace-builds": {
- "version": "1.36.0",
- "resolved": "https://registry.npmjs.org/ace-builds/-/ace-builds-1.36.0.tgz",
- "integrity": "sha512-7to4F86V5N13EY4M9LWaGo2Wmr9iWe5CrYpc28F+/OyYCf7yd+xBV5x9v/GB73EBGGoYd89m6JjeIUjkL6Yw+w==",
+ "version": "1.36.1",
+ "resolved": "https://registry.npmjs.org/ace-builds/-/ace-builds-1.36.1.tgz",
+ "integrity": "sha512-/Rngkz+KgR7GFF16zO3itstku3wezjp4PTqrev3QvGfEix+Ilzsgp6X/VFSaprH9Cqd36rwT8c6eXwMKVgc+Kg==",
"license": "BSD-3-Clause"
},
"node_modules/acorn": {
@@ -9566,9 +9566,9 @@
}
},
"node_modules/vite": {
- "version": "4.5.3",
- "resolved": "https://registry.npmjs.org/vite/-/vite-4.5.3.tgz",
- "integrity": "sha512-kQL23kMeX92v3ph7IauVkXkikdDRsYMGTVl5KY2E9OY4ONLvkHf04MDTbnfo6NKxZiDLWzVpP5oTa8hQD8U3dg==",
+ "version": "4.5.5",
+ "resolved": "https://registry.npmjs.org/vite/-/vite-4.5.5.tgz",
+ "integrity": "sha512-ifW3Lb2sMdX+WU91s3R0FyQlAyLxOzCSCP37ujw0+r5POeHPwe6udWVIElKQq8gk3t7b8rkmvqC6IHBpCff4GQ==",
"dev": true,
"dependencies": {
"esbuild": "^0.18.10",
@@ -11250,9 +11250,9 @@
"dev": true
},
"@babel/runtime": {
- "version": "7.25.4",
- "resolved": "https://registry.npmjs.org/@babel/runtime/-/runtime-7.25.4.tgz",
- "integrity": "sha512-DSgLeL/FNcpXuzav5wfYvHCGvynXkJbn3Zvc3823AEe9nPwW9IK4UoCSS5yGymmQzN0pCPvivtgS6/8U2kkm1w==",
+ "version": "7.25.6",
+ "resolved": "https://registry.npmjs.org/@babel/runtime/-/runtime-7.25.6.tgz",
+ "integrity": "sha512-VBj9MYyDb9tuLq7yzqjgzt6Q+IBQLrGZfdjOekyEirZPHxXWoTSGUTMrpsfi58Up73d13NfYLv8HT9vmznjzhQ==",
"requires": {
"regenerator-runtime": "^0.14.0"
}
@@ -12420,9 +12420,9 @@
"integrity": "sha512-nne9/IiQ/hzIhY6pdDnbBtz7DjPTKrY00P/zvPSm5pOFkl6xuGrGnXn/VtTNNfNtAfZ9/1RtehkszU9qcTii0Q=="
},
"ace-builds": {
- "version": "1.36.0",
- "resolved": "https://registry.npmjs.org/ace-builds/-/ace-builds-1.36.0.tgz",
- "integrity": "sha512-7to4F86V5N13EY4M9LWaGo2Wmr9iWe5CrYpc28F+/OyYCf7yd+xBV5x9v/GB73EBGGoYd89m6JjeIUjkL6Yw+w=="
+ "version": "1.36.1",
+ "resolved": "https://registry.npmjs.org/ace-builds/-/ace-builds-1.36.1.tgz",
+ "integrity": "sha512-/Rngkz+KgR7GFF16zO3itstku3wezjp4PTqrev3QvGfEix+Ilzsgp6X/VFSaprH9Cqd36rwT8c6eXwMKVgc+Kg=="
},
"acorn": {
"version": "8.8.2",
@@ -16728,9 +16728,9 @@
}
},
"vite": {
- "version": "4.5.3",
- "resolved": "https://registry.npmjs.org/vite/-/vite-4.5.3.tgz",
- "integrity": "sha512-kQL23kMeX92v3ph7IauVkXkikdDRsYMGTVl5KY2E9OY4ONLvkHf04MDTbnfo6NKxZiDLWzVpP5oTa8hQD8U3dg==",
+ "version": "4.5.5",
+ "resolved": "https://registry.npmjs.org/vite/-/vite-4.5.5.tgz",
+ "integrity": "sha512-ifW3Lb2sMdX+WU91s3R0FyQlAyLxOzCSCP37ujw0+r5POeHPwe6udWVIElKQq8gk3t7b8rkmvqC6IHBpCff4GQ==",
"dev": true,
"requires": {
"esbuild": "^0.18.10",
diff --git a/gui/velociraptor/package.json b/gui/velociraptor/package.json
index 14ef2ba84a7..d0b14b5779a 100644
--- a/gui/velociraptor/package.json
+++ b/gui/velociraptor/package.json
@@ -7,14 +7,14 @@
"@babel/core": "^7.25.2",
"@babel/plugin-syntax-flow": "^7.24.7",
"@babel/plugin-transform-react-jsx": "^7.25.2",
- "@babel/runtime": "^7.25.4",
+ "@babel/runtime": "^7.25.6",
"@fortawesome/fontawesome-svg-core": "6.6.0",
"@fortawesome/free-regular-svg-icons": "6.6.0",
"@fortawesome/free-solid-svg-icons": "^6.6.0",
"@fortawesome/react-fontawesome": "0.2.2",
"@popperjs/core": "^2.11.8",
"axios": ">=1.7.5",
- "ace-builds": "1.36.0",
+ "ace-builds": "1.36.1",
"axios-retry": "3.9.1",
"bootstrap": "5.3.3",
"classnames": "^2.5.1",
@@ -106,7 +106,7 @@
"eslint-plugin-import": "^2.27.5",
"eslint-plugin-jsx-a11y": "^6.7.1",
"eslint-plugin-react": "^7.32.2",
- "vite": "^4.5.3",
+ "vite": "^4.5.5",
"vite-plugin-compression": "^0.5.1",
"vite-plugin-eslint": "1.8.1"
}
diff --git a/gui/velociraptor/src/components/notebooks/notebook-cell-renderer.jsx b/gui/velociraptor/src/components/notebooks/notebook-cell-renderer.jsx
index 9fb467214fb..f66be7a7c24 100644
--- a/gui/velociraptor/src/components/notebooks/notebook-cell-renderer.jsx
+++ b/gui/velociraptor/src/components/notebooks/notebook-cell-renderer.jsx
@@ -528,7 +528,8 @@ export default class NotebookCellRenderer extends React.Component {
// it.
let filename = encodeURI(blob.name);
let url = encodeURI(response.data.url);
- if (/image/.test(response.mime_type)) {
+ let mime_type = response.data && response.data.mime_type;
+ if (/image/.test(mime_type || "")) {
this.state.ace.insert(
"\n;
}
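Review bot: The image test on the new line is unanchored, so `/image/.test(mime_type || "")` matches the substring anywhere in the string rather than the top-level type; since the server reports a full MIME string, match the prefix instead: `if (/^image\//.test(mime_type || "")) {`. Reading `response.data.mime_type` instead of the previous `response.mime_type` is the actual fix here, and the `|| ""` guard keeps the test safe when the server omits the field; a one-line comment such as `// mime_type is sniffed server-side from the upload, not taken from blob.type` would help the next reader understand where the value comes from. The inserted markdown on the following line appears truncated in this diff view (`"\n;`), so I could not check the text that is inserted. The enclosing method starts outside the hunk.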
diff --git a/services/notebook/notebook.go b/services/notebook/notebook.go
index c64e5eae21e..725e8020967 100644
--- a/services/notebook/notebook.go
+++ b/services/notebook/notebook.go
@@ -192,6 +192,8 @@ func (self *NotebookManager) UploadNotebookAttachment(
Filename: filename,
}
+ result.MimeType = utils.GetMimeString(decoded, utils.AutoDetectMime(true))
+
return result, nil
}
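Review bot: `result.MimeType` is derived by sniffing `decoded`, the uploaded attachment bytes, so the value is controlled by whoever uploads; the hunk only reports it back to the client and, as far as the hunk shows, does not persist it, so downstream consumers must re-detect rather than trust this field. A short comment would make that contract explicit: `// MimeType is sniffed from the upload content and only informs the GUI; it is not stored with the attachment.` Because the same `utils.GetMimeString` helper also decides the `Content-Type` the file store serves, any type added to it later should be one a browser will not execute as a document (keep `image/svg+xml` and `text/html` out of the auto-detected set, or pair the header with `X-Content-Type-Options: nosniff`). UploadNotebookAttachment begins outside the hunk.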
diff --git a/utils/mime.go b/utils/mime.go
new file mode 100644
index 00000000000..8fa6f760227
--- /dev/null
+++ b/utils/mime.go
@@ -0,0 +1,25 @@
+package utils
+
+import (
+ "bytes"
+ "strings"
+)
+
+type AutoDetectMime bool
+
+// Only handle the types we usually handle in the GUI
+func GetMimeString(buffer []byte, detect_mime AutoDetectMime) string {
+ if detect_mime && len(buffer) > 8 {
+ if 0 == bytes.Compare(
+ []byte("\x89\x50\x4E\x47\x0D\x0A\x1A\x0A"), buffer[:8]) {
+ return "image/png"
+ }
+
+ if len(buffer) > 20 && strings.HasPrefix(
+ strings.ToLower(string(buffer[:20])), `