Before you begin, start by prepapring nsrllookup. This commando will take a while.
docker-compose -f settings/svr/docker-compose-prepare.yml up svr-prepare &&
docker-compose -f settings/svr/docker-compose-prepare.yml rm -fsvTo download and start all services, do:
docker-compose upThis will bring everything up. Note that the Plaso container does not have a proper run command, so it will immediately stop. It's only in the docker-compose definition in order to be downloaded.
Also note that it takes a while for the nsrllookup service to start.
To set the passwords for the Elasticsearch cluster, run:
docker exec -it plaso-es ./bin/elasticsearch-setup-passwords interactiveThen change the password in settings/kibana/kibana.yml to the appropriate password. Restart the Kibana container:
docker-compose restart kibanaExtract data, including hashes, from testdata/evidences/.
docker run -v ${pwd}/testdata/:/data log2timeline/plaso log2timeline --hashers all /data/evidences.plaso /data/evidencesEnrich the data with data from nsrlsvr.
docker run --network plest_default -v ${pwd}/testdata/:/data log2timeline/plaso psort --analysis nsrlsvr --nsrlsvr-hash md5 --nsrlsvr-host svr --nsrlsvr-port 9120 -o null /data/evidences.plasoSend the data to Elasticsearch.
docker run --network=plest_default -v ${pwd}/testdata:/data -v ${pwd}/settings/plaso/elasticsearch.mappings:/home/plaso/data/elasticsearch.mappings log2timeline/plaso psort -o elastic --server elasticsearch --index_name psort /data/evidences.plasoWrite the data to timeline.log. Use -o elasticsearch to output data to Elasticsearch instead.
docker run -v ${pwd}/testdata/:/data log2timeline/plaso psort -w /data/timeline.log /data/evidences.plasoTo drop into a shell at the Plaso container, run:
docker run -v ./testdata/:/data --entrypoint=/bin/bash --network plest_default -it log2timeline/plasoNSRLlookup is based on nsrllookup by cybagard.
Copyright (c) 2020 cybagard