Linux Parsers do not read Logs with Number at End + CSV Seperator Request #64
Comments
ok !
ok !
You are right I will remove any CSV reference. The template was not a good idea. |
|
Hello,
I will code something cleaner but you should already be able to do that by using
I have added an
Done (I think) |
|
Thanks I appreciate it!
I didn't even realise fileext could support wildcards. You learn something new every day. Probably would be better to handle it by default though since it is a very common occurrence on Linux and people may be confused by it only processing .log |
|
The current version with delimiter support is in the Usage : python3 zircolite.py -e ./logs/ -r rules.json --fileext 'evtx*' --csv --csv-delimiter "|"I think I will merge this week end. |
|
Everything should be ok in #65. Docs have been updated (I think :)) |
When running Zircolite on a Linux Triage Package it does not parse audit logs with a number at the end. An example of one that does work is audit.log. One that does not work is audit.log.1 however when you add .log to the end for example audit.log.1.log it does work.
Could you please add handling of .log.number files to this thanks.
For .csv files could you please add a command line argument to specify the delimiter. I like to have comma separated rather than semi-colon due to automatic parsing by spreadsheet software. Something like --delimiter comma
Additionally I noticed the documentation refers to a .csv template that no longer exists. I got confused when reading it just for your reference in case people try like me to use the csv template instead of --csv
The text was updated successfully, but these errors were encountered: