plaso: sccm parser very slow to process unsupported sccm log files (/Windows/CCM/Logs/*.log)
Description of problem:
Multiple workers hang with 100% CPU when using the SCCM parser on log files in the /windows/CCM/Logs/ directory.
Command line and arguments:
/usr/bin/python /usr/bin/log2timeline.py --single-process --debug /data/out.dump /mnt/Windows/CCM/Logs
Source data:
File has been sent to joachim via email
Plaso version:
20180630
Operating system Plaso is running on:
Arch Linux docker container
Installation method:
docker latest
Debug output/tracebacks:
2018-07-13 12:20:00,898 [DEBUG] (MainProcess) PID:8 <extractors> [ParseFileEntryWithParsers] parsing file: OS:/mnt/Windows/CCM/Logs/AssetAdvisor-20180115-090826.log with parser: pls_recall
2018-07-13 12:20:00,898 [DEBUG] (MainProcess) PID:8 <extractors> pls_recall unable to parse file: OS:/mnt/Windows/CCM/Logs/AssetAdvisor-20180115-090826.log with error: Verification of first record failed.
2018-07-13 12:20:00,898 [DEBUG] (MainProcess) PID:8 <extractors> [ParseFileEntryWithParsers] parsing file: OS:/mnt/Windows/CCM/Logs/AssetAdvisor-20180115-090826.log with parser: sccm
^C^C^C
About this issue
- State: closed
- Created 6 years ago
- Comments: 17 (10 by maintainers)
Commits related to this issue
- Added support for 2 digit UTC offset to SCCM parser #2040 — committed to Onager/plaso by Onager 6 years ago
- Added support for 2 digit time zone offset in log files to SCCM parser #2040 — committed to log2timeline/plaso by Onager 6 years ago
Assigning to @joachimmetz since he has the files causing the issue.