log2timeline/plaso

text/apache_access warns about "Found a line preceeding match"

Closed this issue · 9 comments

Describe the problem:

The file is 10 TB big.
When I parse it with any version of plaso, I get this error:
"2024-07-12 17:40:01,367 [DEBUG] (MainProcess) PID:279899 unable to parse string with error: Found a line preceeding match.
2024-07-12 17:40:01,407 [DEBUG] (MainProcess) PID:279899 unable to parse string with error: Found a line preceeding match.
2024-07-12 17:40:01,458 [DEBUG] (MainProcess) PID:279899 unable to parse string with error: Found a line preceeding match.
2024-07-12 17:40:01,481 [DEBUG] (MainProcess) PID:279899 unable to parse string with error: Found a line preceeding match.
2024-07-12 17:40:01,546 [DEBUG] (MainProcess) PID:279899 unable to parse string with error: Found a line preceeding match.
2024-07-12 17:40:01,712 [DEBUG] (MainProcess) PID:279899 unable to parse string with error: Found a line preceeding match.
2024-07-12 17:40:02,144 [DEBUG] (MainProcess) PID:279899 unable to parse string with error: Found a line preceeding match.
2024-07-12 17:40:02,288 [DEBUG] (MainProcess) PID:279899 unable to parse string with error: Found a line preceeding match.
2024-07-12 17:40:02,352 [DEBUG] (MainProcess) PID:279899 unable to parse string with error: Found a line preceeding match.
2024-07-12 17:40:02,561 [DEBUG] (MainProcess) PID:279899 unable to parse string with error: Found a line preceeding match.
2024-07-12 17:40:02,788 [DEBUG] (MainProcess) PID:279899 unable to parse string with error: Found a line preceeding match.
2024-07-12 17:40:02,919 [DEBUG] (MainProcess) PID:279899 unable to parse string with error: Found a line preceeding match.
2024-07-12 17:40:02,939 [DEBUG] (MainProcess) PID:279899 unable to parse string with error: Found a line preceeding match.".

Why? Can you explain it to me, please.

@AlexForensic this is not an "error", this is a warning that a particular file cannot be correctly parsed. Can you provide more details? (such as the ones requested in the GitHub issue template)

@joachimmetz this file is an access.log file extracted from Debian 11. My command uses the parser "text".

Unfortunately this is insufficient information for me to do anything with this report.

@joachimmetz ok sorry. What information do you require?

Have a look at the issue template https://github.com/log2timeline/plaso/issues/new?assignees=&labels=&projects=&template=problem-report.md&title=

I would also need an example of the log lines that the warning applies to, so sharing a short section of the log that can reproduce the issue could be beneficial.

@joachimmetz

192.168.10.1 - - [27/Sep/2022:11:26:31 +0200] "GET /code/Chat/server.php HTTP/1.1" 200 660 "https:///code/FicheClient/Bienvenue.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
::1 - - [27/Sep/2022:11:26:31 +0200] "GET /server-status?auto HTTP/1.1" 200 1396 "-" "-"
192.168.10.1 - - [27/Sep/2022:11:26:32 +0200] "GET /code/Chat/server.php HTTP/1.1" 200 5197 "/code/FicheClient/Bienvenue.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
::1 - - [27/Sep/2022:11:26:32 +0200] "GET /server-status?auto HTTP/1.1" 200 1398 "-" "-"
::1 - - [27/Sep/2022:11:26:33 +0200] "GET /server-status?auto HTTP/1.1" 200 1389 "-" "-"
::1 - - [27/Sep/2022:11:26:34 +0200] "GET /server-status?auto HTTP/1.1" 200 1397 "-" "-"
::1 - - [27/Sep/2022:11:26:35 +0200] "GET /server-status?auto HTTP/1.1" 200 1394 "-" "-"
::1 - - [27/Sep/2022:11:26:36 +0200] "GET /server-status?auto HTTP/1.1" 200 1398 "-" "-"
::1 - - [27/Sep/2022:11:26:37 +0200] "GET /server-status?auto HTTP/1.1" 200 1395 "-" "-"
::1 - - [27/Sep/2022:11:26:38 +0200] "GET /server-status?auto HTTP/1.1" 200 1398 "-" "-"
::1 - - [27/Sep/2022:11:26:39 +0200] "GET /server-status?auto HTTP/1.1" 200 1394 "-" "-"
::1 - - [27/Sep/2022:11:26:40 +0200] "GET /server-status?auto HTTP/1.1" 200 1397 "-" "-"
::1 - - [27/Sep/2022:11:26:41 +0200] "GET /server-status?auto HTTP/1.1" 200 1398 "-" "-"
::1 - - [27/Sep/2022:11:26:42 +0200] "GET /server-status?auto HTTP/1.1" 200 1398 "-" "-"
::1 - - [27/Sep/2022:11:26:43 +0200] "GET /server-status?auto HTTP/1.1" 200 1396 "-" "-"
::1 - - [27/Sep/2022:11:26:44 +0200] "GET /server-status?auto HTTP/1.1" 200 1404 "-" "-"
::1 - - [27/Sep/2022:11:26:45 +0200] "GET /server-status?auto HTTP/1.1" 200 1405 "-" "-"
::1 - - [27/Sep/2022:11:26:46 +0200] "GET /server-status?auto HTTP/1.1" 200 1405 "-" "-"
::1 - - [27/Sep/2022:11:26:47 +0200] "GET /server-status?auto HTTP/1.1" 200 1402 "-" "-"
::1 - - [27/Sep/2022:11:26:48 +0200] "GET /server-status?auto HTTP/1.1" 200 1406 "-" "-"
::1 - - [27/Sep/2022:11:26:49 +0200] "GET /server-status?auto HTTP/1.1" 200 1406 "-" "-"
::1 - - [27/Sep/2022:11:26:50 +0200] "GET /server-status?auto HTTP/1.1" 200 1406 "-" "-"
::1 - - [27/Sep/2022:11:26:51 +0200] "GET /server-status?auto HTTP/1.1" 200 1403 "-" "-"
::1 - - [27/Sep/2022:11:26:52 +0200] "GET /server-status?auto HTTP/1.1" 200 1406 "-" "-"
::1 - - [27/Sep/2022:11:26:53 +0200] "GET /server-status?auto HTTP/1.1" 200 1406 "-" "-"
::1 - - [27/Sep/2022:11:26:54 +0200] "GET /server-status?auto HTTP/1.1" 200 1407 "-" "-"
::1 - - [27/Sep/2022:11:26:55 +0200] "GET /server-status?auto HTTP/1.1" 200 1407 "-" "-"
192.168.10.1 - - [27/Sep/2022:11:26:56 +0200] "GET /code/Chat/server.php HTTP/1.1" 200 813 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
::1 - - [27/Sep/2022:11:26:56 +0200] "GET /server-status?auto HTTP/1.1" 200 1407 "-" "-"
::1 - - [27/Sep/2022:11:26:57 +0200] "GET /server-status?auto HTTP/1.1" 200 1407 "-" "-"
::1 - - [27/Sep/2022:11:26:58 +0200] "GET /server-status?auto HTTP/1.1" 200 1407 "-" "-"
::1 - - [27/Sep/2022:11:26:59 +0200] "GET /server-status?auto HTTP/1.1" 200 1406 "-" "-"
::1 - - [27/Sep/2022:11:27:00 +0200] "GET /server-status?auto HTTP/1.1" 200 1407 "-" "-"
::1 - - [27/Sep/2022:11:27:01 +0200] "GET /server-status?auto HTTP/1.1" 200 1407 "-" "-"
192.168.10.1 - - [27/Sep/2022:11:27:01 +0200] "GET /code/Chat/server.php HTTP/1.1" 200 813 "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
::1 - - [27/Sep/2022:11:27:02 +0200] "GET /server-status?auto HTTP/1.1" 200 1406 "-" "-"
::1 - - [27/Sep/2022:11:27:03 +0200] "GET /server-status?auto HTTP/1.1" 200 1398 "-" "-"
::1 - - [27/Sep/2022:11:27:04 +0200] "GET /server-status?auto HTTP/1.1" 200 1406 "-" "-"
::1 - - [27/Sep/2022:11:27:05 +0200] "GET /server-status?auto HTTP/1.1" 200 1407 "-" "-"
::1 - - [27/Sep/2022:11:27:06 +0200] "GET /server-status?auto HTTP/1.1" 200 1407 "-" "-"
::1 - - [27/Sep/2022:11:27:07 +0200] "GET /server-status?auto HTTP/1.1" 200 1404 "-" "-"
::1 - - [27/Sep/2022:11:27:08 +0200] "GET /server-status?auto HTTP/1.1" 200 1402 "-" "-"
::1 - - [27/Sep/2022:11:27:09 +0200] "GET /server-status?auto HTTP/1.1" 200 1406 "-" "-"
31.36.119.140 - - [27/Sep/2022:11:27:10 +0200] "GET /code/Chat/server.php HTTP/1.1" 200 813 "https://code/FicheClient/Bienvenue.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
::1 - - [27/Sep/2022:11:27:10 +0200] "GET /server-status?auto HTTP/1.1" 200 1407 "-" "-"
::1 - - [27/Sep/2022:11:27:11 +0200] "GET /server-status?auto HTTP/1.1" 200 1408 "-" "-"
::1 - - [27/Sep/2022:11:27:12 +0200] "GET /server-status?auto HTTP/1.1" 200 1408 "-" "-"
::1 - - [27/Sep/2022:11:27:13 +0200] "GET /server-status?auto HTTP/1.1" 200 1402 "-" "-"
::1 - - [27/Sep/2022:11:27:14 +0200] "GET /server-status?auto HTTP/1.1" 200 1407 "-" "-"
::1 - - [27/Sep/2022:11:27:15 +0200] "GET /server-status?auto HTTP/1.1" 200 1404 "-" "-"
::1 - - [27/Sep/2022:11:27:16 +0200] "GET /server-status?auto HTTP/1.1" 200 1406 "-" "-"
::1 - - [27/Sep/2022:11:27:17 +0200] "GET /server-status?auto HTTP/1.1" 200 1405 "-" "-"
::1 - - [27/Sep/2022:11:27:18 +0200] "GET /server-status?auto HTTP/1.1" 200 1398 "-" "-"
::1 - - [27/Sep/2022:11:27:19 +0200] "GET /server-status?auto HTTP/1.1" 200 1406 "-" "-"
::1 - - [27/Sep/2022:11:27:20 +0200] "GET /server-status?auto HTTP/1.1" 200 1406 "-" "-"
::1 - - [27/Sep/2022:11:27:21 +0200] "GET /server-status?auto HTTP/1.1" 200 1406 "-" "-"
::1 - - [27/Sep/2022:11:27:22 +0200] "GET /server-status?auto HTTP/1.1" 200 1371 "-" "-"
::1 - - [27/Sep/2022:11:27:23 +0200] "GET /server-status?auto HTTP/1.1" 200 1403 "-" "-"
::1 - - [27/Sep/2022:11:27:24 +0200] "GET /server-status?auto HTTP/1.1" 200 1409 "-" "-"
192.168.10.1 - - [27/Sep/2022:11:27:25 +0200] "GET /code/hal42/index.html?module=demande_production HTTP/1.1" 200 7513 "https:/code/FicheClient/Bienvenue.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:105.0) Gecko/20100101 Firefox/105.0"
::1 - - [27/Sep/2022:11:27:25 +0200] "GET /server-status?auto HTTP/1.1" 200 1408 "-" "-"
192.168.10.1 - - [27/Sep/2022:11:27:25 +0200] "GET /code/api/S?id=11 HTTP/1.1" 200 723 "https://no-ip.org:8181/code/hal42/index.html?module=demande_production" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:105.0) Gecko/20100101 Firefox/105.0"
192.168.10.1 - - [27/Sep/2022:11:27:25 +0200] "GET /code/api/ProdGraph_TypeProduction HTTP/1.1" 200 622 "https://.no-ip.org:8181/code/hal42/index.html?module=demande_production" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:105.0) Gecko/20100101 Firefox/105.0"
192.168.10.1 - - [27/Sep/2022:11:27:25 +0200] "GET /code/api/enums/?url=enums&list=ProdGraphique HTTP/1.1" 200 39383 "https://.no-ip.org:8181/code/hal42/index.html?module=demande_production" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:105.0) Gecko/20100101 Firefox/105.0"
192.168.10.1 - - [27/Sep/2022:11:27:25 +0200] "GET /code/api/ProdGraph_Magasin HTTP/1.1" 200 7844 "https://-ip.org:8181/code/hal42/index.html?module=demande_production" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:105.0) Gecko/20100101 Firefox/105.0"

Thanks I'll take a closer look when time permits

@AlexForensic what version of Plaso are you running?

log2timeline.py --parsers=text/apache_access access.log on my test machine with HEAD does not generate any of the extraction warnings you mention. Are you sure this section of the log generates the warnings for you?
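The posted excerpt parses cleanly, so the lines behind the warning are somewhere else in the 10 TB file. My reading of the message is that plaso's text parser found a matching line structure only after some text that did not match any structure, so the practical question is which lines of the file do not conform to the combined log format. The following is an added triage helper, not plaso code and not the pyparsing grammar plaso uses in text/apache_access: it streams the file and reports the first non-conforming lines with their line numbers. The regular expression is my own approximation of Apache's combined LogFormat and is an assumption; the sample lines are constructed, modeled on the ones posted above, with two deliberately broken lines appended (a torn partial write and an error_log line mixed into the file).

```python
"""Triage helper for plaso text/apache_access warnings.

Added example (not plaso code): stream an Apache access log and report the
lines that do not match the combined log format, so the lines behind an
"unable to parse string" warning can be located in a multi-terabyte file
without re-running the full extraction.
"""
import re
from itertools import islice
from typing import Iterable, Iterator, List, Tuple

# Approximation of the Apache "combined" LogFormat
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
# Quoted fields may hold backslash-escaped characters (Apache writes an
# embedded quote as \"), hence (?:[^"\\]|\\.)* for each one. The trailing
# referer/agent pair is optional so "common" format lines also match.
# This regex is an assumption for triage, not plaso's own pyparsing grammar.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)")?$'
)


def find_unmatched_lines(lines: Iterable[str]) -> Iterator[Tuple[int, str]]:
    """Yield (1-based line number, line) for every non-blank line that does
    not match COMBINED_RE. Blank lines are skipped, not reported."""
    for number, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r\n")
        if line and COMBINED_RE.match(line) is None:
            yield number, line


def scan_file(path: str, max_report: int = 20) -> List[Tuple[int, str]]:
    """Stream a (possibly huge) log file and return at most `max_report`
    unmatched lines. Undecodable bytes are replaced instead of raising so a
    single corrupt byte does not abort the scan."""
    with open(path, "r", encoding="utf-8", errors="replace") as handle:
        return list(islice(find_unmatched_lines(handle), max_report))


# Constructed sample input modeled on the lines posted in this issue, with
# two deliberately broken lines appended (none of this is from the original
# log file).
SAMPLE_LINES = [
    '192.168.10.1 - - [27/Sep/2022:11:26:31 +0200] "GET /code/Chat/server.php HTTP/1.1" 200 660 '
    '"https:///code/FicheClient/Bienvenue.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '::1 - - [27/Sep/2022:11:26:31 +0200] "GET /server-status?auto HTTP/1.1" 200 1396 "-" "-"',
    # Empty referer (""), as in the posted log: still a valid combined line.
    '192.168.10.1 - - [27/Sep/2022:11:26:56 +0200] "GET /code/Chat/server.php HTTP/1.1" 200 813 '
    '"" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)"',
    # Torn line: a partial write cut off mid-request, e.g. at log rotation.
    '192.168.10.1 - - [27/Sep/2022:11:27:25 +0200] "GET /code/api/S?id=1',
    # Line from a different log (error_log style) mixed into the file.
    '[Tue Sep 27 11:27:26.123456 2022] [core:notice] [pid 1234] AH00094: Command line: /usr/sbin/apache2',
]


if __name__ == "__main__":
    # Run on the constructed sample; replace with scan_file("/path/access.log")
    # for a real file.
    for number, line in find_unmatched_lines(SAMPLE_LINES):
        print(f"line {number}: {line[:80]}")
```

On the sample, lines 4 and 5 are reported and the three well-formed lines (including the one with an empty referer) pass. Against a real file, call scan_file with the path; the line numbers it returns are what to cut out with sed or awk and attach to the report, which is the reproduction case asked for above. A line the regex rejects but plaso accepts, or the reverse, only means the approximation differs from plaso's grammar for that line, so the reported lines are candidates to inspect, not proof of what plaso stumbled on.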

No update from the original reporter, closing. Reopen if/when additional information becomes available.