Description
I have a problem when I use target-query, point it at test.vmx and use the webserver plugin: it seems that not all webserver logs in the folder /var/log/apache2 are processed.
This is the folder structure of the Linux machine the client provided to us:
```
-rwxrwxrwx 1 fabian fabian 1536 Sep 29 13:04 test-000001-ctk.vmdk
-rwxrwxrwx 1 fabian fabian 4096 Sep 29 13:04 test-000001-delta.vmdk
-rwxrwxrwx 1 fabian fabian 384 Sep 29 13:04 test-000001.vmdk
-rwxrwxrwx 1 fabian fabian 3277312 Sep 29 13:06 test_1-000001-ctk.vmdk
-rwxrwxrwx 1 fabian fabian 855744512 Sep 29 13:06 test_1-000001-delta.vmdk
-rwxrwxrwx 1 fabian fabian 394 Sep 29 13:06 test_1-000001.vmdk
-rwxrwxrwx 1 fabian fabian 7391 Sep 29 13:04 test-10.scoreboard
-rwxrwxrwx 1 fabian fabian 3277312 Sep 29 13:06 test_1-ctk.vmdk
-rwxrwxrwx 1 fabian fabian 92 Sep 29 13:04 test-1d983985.hlog
-rwxrwxrwx 1 fabian fabian 53687091200 Sep 29 13:06 test_1-flat.vmdk
-rwxrwxrwx 1 fabian fabian 8192 Sep 29 13:04 test-1.scoreboard
-rwxrwxrwx 1 fabian fabian 615 Sep 29 13:06 test_1.vmdk
-rwxrwxrwx 1 fabian fabian 8192 Sep 29 13:04 test-2.scoreboard
-rwxrwxrwx 1 fabian fabian 8192 Sep 29 13:04 test-3.scoreboard
-rwxrwxrwx 1 fabian fabian 7391 Sep 29 13:04 test-4.scoreboard
-rwxrwxrwx 1 fabian fabian 7391 Sep 29 13:04 test-5.scoreboard
-rwxrwxrwx 1 fabian fabian 7391 Sep 29 13:04 test-6.scoreboard
-rwxrwxrwx 1 fabian fabian 7391 Sep 29 13:04 test-7.scoreboard
-rwxrwxrwx 1 fabian fabian 7391 Sep 29 13:04 test-8.scoreboard
-rwxrwxrwx 1 fabian fabian 7391 Sep 29 13:04 test-9.scoreboard
-rwxrwxrwx 1 fabian fabian 14 Sep 29 13:04 test-aux.xml
-rwxrwxrwx 1 fabian fabian 1536 Sep 29 13:04 test-ctk.vmdk
-rwxrwxrwx 1 fabian fabian 10485760 Sep 29 13:06 test-flat.vmdk
-rwxrwxrwx 1 fabian fabian 8684 Sep 29 13:06 test.nvram
-rwxrwxrwx 1 fabian fabian 7391 Sep 29 13:06 test.scoreboard
-rwxrwxrwx 1 fabian fabian 8589934592 Sep 29 13:04 test-Snapshot635.vmem
-rwxrwxrwx 1 fabian fabian 5691260 Sep 29 13:06 test-Snapshot635.vmsn
-rwxrwxrwx 1 fabian fabian 604 Sep 29 13:06 test.vmdk
-rwxrwxrwx 1 fabian fabian 554 Sep 29 13:06 test.vmsd
-rwxrwxrwx 1 fabian fabian 10330 Sep 29 13:06 test.vmx
-rwxrwxrwx 1 fabian fabian 150 Sep 29 13:06 test.vmxf
-rwxrwxrwx 1 fabian fabian 6653924 Sep 29 13:20 vmware-0.log
-rwxrwxrwx 1 fabian fabian 2048049 Sep 29 13:20 vmware-84.log
-rwxrwxrwx 1 fabian fabian 2048334 Sep 29 13:20 vmware-85.log
-rwxrwxrwx 1 fabian fabian 399099 Sep 29 13:20 vmware-86.log
-rwxrwxrwx 1 fabian fabian 351299 Sep 29 13:20 vmware-87.log
-rwxrwxrwx 1 fabian fabian 926014 Sep 29 13:20 vmware-88.log
-rwxrwxrwx 1 fabian fabian 1246535 Sep 29 13:20 vmware-89.log
-rwxrwxrwx 1 fabian fabian 1385734 Sep 29 13:20 vmware-90.log
-rwxrwxrwx 1 fabian fabian 2048108 Sep 29 13:20 vmware-91.log
-rwxrwxrwx 1 fabian fabian 2048395 Sep 29 13:20 vmware-92.log
-rwxrwxrwx 1 fabian fabian 2048397 Sep 29 13:20 vmware-93.log
-rwxrwxrwx 1 fabian fabian 1902396 Sep 29 13:20 vmware.log
-rwxrwxrwx 1 fabian fabian 83886080 Sep 29 13:20 vmx-test-997b821c1a4cfad7b32fe6360cf7d120367390335f26cbfd9ca71862cfa32560-2.vswp
```
I will try to explain the steps I have taken and what I found out so far.
At first I used the following command and got this output:
```
target-mount test.vmx /mnt/test
INFO:root:Using fuse2 library: libfuse.so.2
WARNING:dissect.target.target:<Target belgrano.vmx>: Can't identify filesystem: <Volume name='part_00100000' size=9419776 fs=None>
WARNING:dissect.target.target:<Target belgrano.vmx>: Can't identify filesystem: <Volume name='vg0-swap_1' size=1073741824 fs=None>
WARNING:dissect.target.target:<Target belgrano.vmx>: Skipped FS type: swap, /dev/mapper/vg0-swap_1, none
WARNING:dissect.target.target:<Target belgrano.vmx>: Unsupported mount device: /dev/sr0 /media/cdrom0
WARNING:dissect.target.tools.mount:Using option 'allow_other' by default, please use '-o allow_other=False' to unset
```
Then I go to the folder /mnt/test/fs/var/log/apache2, where the webserver logs are located, and list the files in the directory:
```
ll
total 0
-rw-r----- 1 root adm 0 Mar 12 2019 access.log
-rw-r----- 1 root adm 0 Sep 26 00:00 error.log
-rw-r----- 1 root adm 804214 Sep 25 16:45 error.log.1.gz
-rw-r----- 1 root adm 1981116 Sep 25 00:00 error.log.2.gz
-rw-r----- 1 root adm 1832096 Sep 23 23:58 error.log.3.gz
-rw-r----- 1 root adm 2020556 Sep 22 23:57 error.log.4.gz
-rw-r----- 1 root adm 1945448 Sep 21 23:55 error.log.5.gz
-rw-r----- 1 root adm 1813791 Sep 20 23:59 error.log.6.gz
-rw-r----- 1 root adm 1708053 Sep 19 23:58 error.log.7.gz
-rw-r----- 1 root adm 0 Sep 26 00:00 other_vhosts_access.log
-rw-r----- 1 root adm 158417 Sep 25 16:45 other_vhosts_access.log.1.gz
-rw-r----- 1 root adm 199211 Sep 25 00:00 other_vhosts_access.log.2.gz
-rw-r----- 1 root adm 221742 Sep 23 23:58 other_vhosts_access.log.3.gz
-rw-r----- 1 root adm 235589 Sep 22 23:57 other_vhosts_access.log.4.gz
-rw-r----- 1 root adm 189942 Sep 21 23:55 other_vhosts_access.log.5.gz
-rw-r----- 1 root adm 172172 Sep 20 23:59 other_vhosts_access.log.6.gz
-rw-r----- 1 root adm 206651 Sep 19 23:59 other_vhosts_access.log.7.gz
```
But here is the first problem: I mounted the test_1-flat.vmdk disk manually using losetup, mount, etc., and I know that error.log does not have a size of 0.
And if I, for example, use zcat to show the content of error.log.1.gz, I get the following error message:
```
zcat error.log.1.gz
gzip: error.log.1.gz: unexpected end of file
```
Because of this I also think that, for example, this file is not processed by target-query and the webserver plugin.
I also used the following command to see which webserver log files were processed by the target-query command, and the following output shows that not all of the files present were used:
```
target-query test.vmx -f webserver.logs -q | rdump -F source -C | sort -u
[reading from stdin]
source
/var/log/apache2/error.log.6.gz
/var/log/apache2/other_vhosts_access.log.6.gz
```
So only 2 of the available log files were used and these 2 are also the only ones I can open with zcat.
The target-info command gives the following information about the machine:
```
Disks
- <Disk type='vmdk' size=10485760>
- <Disk type='vmdk' size=53687091200>
Volumes
- <Volume name='part_00100000' size=9419776 fs=None>
- <Volume name=None size=53687091200 fs=None>
- <Volume name='vg0-root' size=9663676416 fs='ext'>
- <Volume name='vg0-var' size=37580963840 fs='ext'>
- <Volume name='vg0-tmp' size=1598029824 fs='ext'>
- <Volume name='vg0-var+log' size=3221225472 fs='ext'>
- <Volume name='vg0-swap_1' size=1073741824 fs=None>
Mounts
- <Mount fs='ext' path='/'>
- <Mount fs='ext' path='/var'>
- <Mount fs='ext' path='/var/log'>
- <Mount fs='ext' path='/$fs$/fs0'>
```
Some important content of the test.vmx file:
```
ide1:0.fileName = "emptyBackingString"
scsi0:0.fileName = "test-000001.vmdk"
scsi0:1.fileName = "test_1-000001.vmdk"
```
Hope you are able to understand my problem. If not, I can give more information.
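The issue above boils down to a question a forensic analyst has to answer before trusting a webserver plugin's output: which of the rotated logs in a mounted image are actually complete gzip streams, and which stop early (zcat's "unexpected end of file")? The following script is an added example, not code from the dissect project or from the issue author. It walks a directory such as the mounted /var/log/apache2, classifies every .gz file as ok, empty, truncated or corrupt, and counts the records in the ones that check out. The function names (check_gzip_logs, count_log_lines, make_sample_logs, run_demo) and the sample log records (documentation IPs, constructed in a temporary directory) are this example's own assumptions.

```python
"""Find rotated Apache logs that are complete gzip streams versus truncated ones.

Added example (not part of the dissect project or the issue): run it against a
directory like /mnt/test/fs/var/log/apache2 to see which .gz logs decompress
through the gzip trailer and which end early, the symptom zcat reports as
"unexpected end of file". All names and sample data here are constructed.
"""
import gzip
import os
import tempfile
import zlib


def check_gzip_logs(directory):
    """Return {filename: status} for every .gz file in directory.

    status is one of:
      "ok"        the whole stream decompresses through the gzip trailer
      "empty"     the file is 0 bytes (nothing to decompress)
      "truncated" the compressed data ends before the end-of-stream marker
      "corrupt"   not a gzip stream, or the CRC/length trailer does not match
    Files are streamed in 64 KiB chunks so large rotated logs are not loaded
    into memory.
    """
    results = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".gz"):
            continue
        path = os.path.join(directory, name)
        if os.path.getsize(path) == 0:
            results[name] = "empty"
            continue
        try:
            with gzip.open(path, "rb") as fh:
                while fh.read(1 << 16):
                    pass
            results[name] = "ok"
        except EOFError:
            # gzip raises EOFError when the compressed data runs out before
            # the end-of-stream marker, exactly what zcat complains about
            results[name] = "truncated"
        except (gzip.BadGzipFile, zlib.error, OSError):
            results[name] = "corrupt"
    return results


def count_log_lines(directory, statuses):
    """Count newline-terminated records in the logs that checked out as ok."""
    counts = {}
    for name, status in statuses.items():
        if status != "ok":
            continue
        path = os.path.join(directory, name)
        with gzip.open(path, "rt", encoding="utf-8") as fh:
            counts[name] = sum(1 for _ in fh)
    return counts


# Constructed sample records in Apache combined log format (documentation IPs).
SAMPLE_LINES = [
    f'192.0.2.{i % 20} - - [25/Sep/2023:16:45:{i % 60:02d} +0000] '
    f'"GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'
    for i in range(300)
]


def make_sample_logs(directory):
    """Write one complete, one truncated, one empty and one non-gzip file."""
    payload = ("\n".join(SAMPLE_LINES) + "\n").encode("utf-8")
    full = gzip.compress(payload)
    with open(os.path.join(directory, "access.log.1.gz"), "wb") as fh:
        fh.write(full)
    # cut the stream in half: header intact, deflate data and trailer missing
    with open(os.path.join(directory, "access.log.2.gz"), "wb") as fh:
        fh.write(full[: len(full) // 2])
    open(os.path.join(directory, "access.log.3.gz"), "wb").close()
    with open(os.path.join(directory, "error.log.1.gz"), "wb") as fh:
        fh.write(b"this is not a gzip stream\n")
    # the live, uncompressed log is left alone by the checker
    with open(os.path.join(directory, "access.log"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_LINES[0] + "\n")


def run_demo():
    """Build the constructed sample directory, check it, return (statuses, counts)."""
    with tempfile.TemporaryDirectory() as directory:
        make_sample_logs(directory)
        statuses = check_gzip_logs(directory)
        counts = count_log_lines(directory, statuses)
    return statuses, counts


if __name__ == "__main__":
    statuses, counts = run_demo()
    for name, status in statuses.items():
        print(f"{name:24s} {status:10s} records={counts.get(name, '-')}")
```

Pointing check_gzip_logs at the real mount instead of the temp directory gives a quick list to compare against the rdump output: a log that shows up as truncated here will be missing from the plugin's sources for the same reason zcat fails on it, so the gap is in the image as exposed, not in the webserver plugin's parsing.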