Problems running log2timeline on a base install

[karlvanderschyff]

Hi there
I have just done a base install of the SIFT appliance and when I run log2timeline from the command line I get the following error:

$ log2timeline.py
Traceback (most recent call last):
File "/usr/bin/log2timeline.py", line 11, in
from plaso.cli import log2timeline_tool
File "/usr/lib/python3/dist-packages/plaso/cli/log2timeline_tool.py", line 14, in
from plaso.cli import extraction_tool
File "/usr/lib/python3/dist-packages/plaso/cli/extraction_tool.py", line 20, in
from plaso import parsers # pylint: disable=unused-import
File "/usr/lib/python3/dist-packages/plaso/parsers/init.py", line 63, in
from plaso.parsers import text_plugins
File "/usr/lib/python3/dist-packages/plaso/parsers/text_plugins/init.py", line 4, in
from plaso.parsers.text_plugins import android_logcat
File "/usr/lib/python3/dist-packages/plaso/parsers/text_plugins/android_logcat.py", line 78, in
class AndroidLogcatTextPlugin(
File "/usr/lib/python3/dist-packages/plaso/parsers/text_plugins/android_logcat.py", line 87, in AndroidLogcatTextPlugin
_INTEGER = pyparsing.Word(pyparsing.nums).set_parse_action(
AttributeError: '_WordRegex' object has no attribute 'set_parse_action'. Did you mean: 'setParseAction'?

I tried to perform an update and upgrade to see if it helps and it stays the same. I have confirmed this on another install as well.

Any advice where I can start trying to solve this one?

[digitalsleuth]

Hi @karlvanderschyff , for the current issue you're experiencing you can run the following:
sudo python3 -m pip install "pyparsing>=3.0.0"

Once done, it should work again. We have a PR issued which will fix this for existing installs, but clean installs in the future won't have this issue.

Cheers!

[karlvanderschyff]

Thank very much @digitalsleuth. Worked 100%.

[joachimmetz]

Duplicate of #617

[bmmojo]

@digitalsleuth

Unfortunately, that fix doesn't work for me. I am currently using v0.14.30 (2024-05-06).

I've also tried upgrading pip like the output said but I get the same error when running psteal.py or log2timeline.py

$ sudo python3 -m pip install "pyparsing>=3.0.0"
[sudo] password for ######:
Requirement already satisfied: pyparsing>=3.0.0 in /usr/lib/python3/dist-packages (3.0.9)
WARNING: Keyring is skipped due to an exception: Failed to unlock the item!
WARNING: You are using pip version 21.0.1; however, version 24.0 is available.
You should consider upgrading via the '/usr/bin/python3 -m pip install --upgrade pip' command.

[digitalsleuth]

@bmmojo Were you running the base install using cast, or using the SIFT appliance?

[bmmojo]

@digitalsleuth cast install.

[digitalsleuth]

Hi @bmmojo , could you run the following and provide the output:
sudo python3 -m pip list
python3 -V (make note, that is a capital V, to determine the version)

[kennykim1]

@bmmojo I had a same error message as shown by you.
For me, I've tried a command below, it works.
$ python3 -m pip install "pyparsing>=3.0.0
Defaulting to user installation because normal site-packages is not writeable
Collecting pyparsing>=3.0.0
Downloading pyparsing-3.1.2-py3-none-any.whl.metadata (5.1 kB)
Downloading pyparsing-3.1.2-py3-none-any.whl (103 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 103.2/103.2 kB 1.5 MB/s eta 0:00:00
Installing collected packages: pyparsing
Attempting uninstall: pyparsing
Found existing installation: pyparsing 2.4.7
Uninstalling pyparsing-2.4.7:
Successfully uninstalled pyparsing-2.4.7

Seems like my system has old version of pyparsing 2.4.7. after uninstalling,
my log2timeline.py commands start to work.
$ log2timeline.py -h
usage: log2timeline.py

Hope it helps.

[bmmojo]

Sorry for the late reply!

@kennykim1 Your method worked.

@digitalsleuth
sudo python3 -m pip list: piplistoutput.txt
python3 -V: Python 3.10.12

[ekristen]

Is this still an issue?

[bmmojo]

@ekristen with kenny's fix it now works. So no.

[ekristen]

Good deal. We are working on the 24.04 update. We'll make sure to get this included there and backport to 22.04 if we can.