Fix output manager copying tmp file#304
Conversation
* Ensure evidence is copied / paths fixed
11bce5f to
956fd9a
Compare
| result.log(msg) | ||
| log.warning(msg) | ||
| else: | ||
| new_path, _ = self.output_manager.save_local_file( |
There was a problem hiding this comment.
Hrm... not sure what the best solution is here. Since this returns the last path that was saved, if GCS was enabled, this could potentially get the GCS path instead of the local path. I'll have to take a closer look at this tomorrow, but we might need to refactor save_local_evidence() a bit more.
There was a problem hiding this comment.
Another byproduct of this is that it would potentially save files twice. I think I have a fix by updating save_evidence() and save_local_evidence() that I'll send you shortly.
There was a problem hiding this comment.
FYI, See #319 as a possible fix for this issue. FWIW I verified it by making sure that the Plaso run was writing to /tmp and the Psort run was operating on the evidence in the permanent output directory.
|
AFAIK, #319 should fix this issue. LMK if you think there is something that you think still needs to be addressed here, and if not we can probably close it. Sorry for clobbering this PR, but GitHub isn't very good at multi-line suggestions yet, I and I needed to change a different file as well. |
|
Taking comments to #319 |
While the plaso file is put into the tmp directory it is not copied to the original output folder after task execution. This fix handles that (and updates the local evidence path to the output directory). I'm not sure if there is a nicer way to determine if we used a tmp dir or not, instead of trying in every instance...
This is probably fine even for local runs, so evidence ends up in the expected place right? I'm not sure about side-effects for GCS since I'm not entirely clear on how that file copying happens.
Prior to fix:
After fix: