Change log path to /var/run/log to match modification made in fox-it#1509

Author: william-billaud

dissect/target/plugins/os/unix/esxi/esxi_log/__init__.py

@@ -54,23 +54,15 @@ def get_esxi_log_path(target: Target, logname: str) -> Iterator[Path]:
         - https://knowledge.broadcom.com/external/article/306962/location-of-esxi-log-files.html
     :return:
     """
-    # Depending on collection method, log are not always located at the same location
-    # In tech support logs are in /var/run/log
-    # In live collection in /scratch/log
-    # On live disk, symlink must have be made from os data
-    # We stop to the first existing folder with files to prevent duplicate
-    # /var/log usually contains only uncompressed log file, thus this entry is the last one checked
-    files_found = False
-    for log_location in ["/scratch/log", "/var/run/log", "/var/log"]:
-        if target.fs.path(log_location).exists():
-            for path in target.fs.path(log_location).glob(f"{logname}.*"):
-                try:
-                    yield path.resolve(strict=True)
-                    files_found = True
-                except FilesystemError as e:  # noqa PERF203
-                    target.info.warning("Fail to resolve path to %s : %s", path, str(e))
-        if files_found:
-            break
+    # Esxi/loaders should ensure that logs are symlinked to /var/run/log, as on a live ESXi hosts.
+    if (var_run_log := target.fs.path("/var/run/log")).exists():
+        print("HERE")
+        for path in var_run_log.glob(f"{logname}.*"):
+            try:
+                yield path.resolve(strict=True)
+            except FilesystemError as e:  # noqa PERF203
+                target.info.warning("Fail to resolve path to %s : %s", path, str(e))
+    return
 
 
 def yield_log_records(

tests/plugins/os/unix/esxi/esxi_log/test_auth.py

@@ -15,7 +15,7 @@
 def test_esxi_6_log_auth(target_esxi: Target, fs_esxi: VirtualFilesystem) -> None:
     """Test with log from an ESXi6"""
     data_file = absolute_path("_data/plugins/os/unix/esxi/log/esxi6/auth.log.gz")
-    fs_esxi.map_file("/var/log/auth.log.gz", data_file)
+    fs_esxi.map_file("/var/run/log/auth.log.gz", data_file)
 
     target_esxi.add_plugin(EsxiAuthPlugin)
 
@@ -33,13 +33,13 @@ def test_esxi_6_log_auth(target_esxi: Target, fs_esxi: VirtualFilesystem) -> Non
     assert results[12].log_level is None
     assert results[12].pid == 2099486
     assert results[12].message == "Accepted keyboard-interactive/pam for root from 192.168.56.1 port 46932 ssh2"
-    assert results[12].source == "/var/log/auth.log.gz"
+    assert results[12].source == "/var/run/log/auth.log.gz"
 
 
 def test_esxi_7_log_auth(target_esxi: Target, fs_esxi: VirtualFilesystem) -> None:
     """Test with log from an ESXi7"""
     data_file = absolute_path("_data/plugins/os/unix/esxi/log/esxi7/auth.log.gz")
-    fs_esxi.map_file("/scratch/log/auth.log.gz", data_file)
+    fs_esxi.map_file("/var/run/log/auth.log.gz", data_file)
 
     target_esxi.add_plugin(EsxiAuthPlugin)
 
@@ -51,7 +51,7 @@ def test_esxi_7_log_auth(target_esxi: Target, fs_esxi: VirtualFilesystem) -> Non
     assert results[0].log_level is None
     assert results[0].pid == 2102622
     assert results[0].message == "FIPS mode initialized"
-    assert results[0].source == "/scratch/log/auth.log.gz"
+    assert results[0].source == "/var/run/log/auth.log.gz"
 
     assert results[4].ts == dt("2024-12-06T10:58:46.944Z")
     assert results[4].application == "sshd"
@@ -62,7 +62,7 @@ def test_esxi_7_log_auth(target_esxi: Target, fs_esxi: VirtualFilesystem) -> Non
         '`"&& mkdir "` echo /var/core/ansible-tmp-1733482726.6630323-32096-231798679827098 `" && '
         "echo ansible-tmp-1733482726.6630323-32096-231798679827098=\"'"
     )
-    assert results[4].source == "/scratch/log/auth.log.gz"
+    assert results[4].source == "/var/run/log/auth.log.gz"
 
 
 def test_esxi_9_log_auth(target_esxi: Target, fs_esxi: VirtualFilesystem) -> None:
@@ -71,7 +71,7 @@ def test_esxi_9_log_auth(target_esxi: Target, fs_esxi: VirtualFilesystem) -> Non
     In ESXi8+, logs seems to be nearly empty/useless
     """
     data_file = absolute_path("_data/plugins/os/unix/esxi/log/esxi9/auth.log.gz")
-    fs_esxi.map_file("/scratch/log/auth.log.gz", data_file)
+    fs_esxi.map_file("/var/run/log/auth.log.gz", data_file)
 
     target_esxi.add_plugin(EsxiAuthPlugin)
 
@@ -83,4 +83,4 @@ def test_esxi_9_log_auth(target_esxi: Target, fs_esxi: VirtualFilesystem) -> Non
     assert results[0].log_level == "In(38)"
     assert results[0].pid == 132774
     assert results[0].message == "/etc/ssh/sshd_config line 14: Deprecated option fipsmode"
-    assert results[0].source == "/scratch/log/auth.log.gz"
+    assert results[0].source == "/var/run/log/auth.log.gz"

tests/plugins/os/unix/esxi/esxi_log/test_hostd.py

@@ -57,7 +57,7 @@ def test_esxi_6_log_hostd(target_esxi: Target, fs_esxi: VirtualFilesystem) -> No
 def test_esxi_7_log_hostd(target_esxi: Target, fs_esxi: VirtualFilesystem) -> None:
     """Test with log from an ESXi 7"""
     data_file = absolute_path("_data/plugins/os/unix/esxi/log/esxi7/hostd.0.gz")
-    fs_esxi.map_file("/scratch/log/hostd.0.gz", data_file)
+    fs_esxi.map_file("/var/run/log/hostd.0.gz", data_file)
 
     target_esxi.add_plugin(HostdPlugin)
 
@@ -87,7 +87,7 @@ def test_esxi_7_log_hostd(target_esxi: Target, fs_esxi: VirtualFilesystem) -> No
     assert results[29].application == "hostd"
     assert results[29].log_level == "info"
     assert results[29].pid == 2100292
-    assert results[29].source == "/scratch/log/hostd.0.gz"
+    assert results[29].source == "/var/run/log/hostd.0.gz"
     assert (
         results[29].message
         == "VmkVprobSource::Post event: (vim.event.EventEx) {\n    key = 90,\n    chainId = -1,\n    createdTime = "
@@ -103,7 +103,7 @@ def test_esxi_7_log_hostd(target_esxi: Target, fs_esxi: VirtualFilesystem) -> No
 def test_esxi_8_log_hostd(target_esxi: Target, fs_esxi: VirtualFilesystem) -> None:
     """Test with log from an ESXi 7"""
     data_file = absolute_path("_data/plugins/os/unix/esxi/log/esxi8/hostd.1.gz")
-    fs_esxi.map_file("/var/log/hostd.1.gz", data_file)
+    fs_esxi.map_file("/var/run/log/hostd.1.gz", data_file)
 
     target_esxi.add_plugin(HostdPlugin)
 
@@ -132,7 +132,7 @@ def test_esxi_8_log_hostd(target_esxi: Target, fs_esxi: VirtualFilesystem) -> No
 def test_esxi_9_log_hostd(target_esxi: Target, fs_esxi: VirtualFilesystem) -> None:
     """Test with log from an ESXi 9"""
     data_file = absolute_path("_data/plugins/os/unix/esxi/log/esxi9/hostd.0.gz")
-    fs_esxi.map_file("/var/log/hostd.0.gz", data_file)
+    fs_esxi.map_file("/var/run/log/hostd.0.gz", data_file)
 
     target_esxi.add_plugin(HostdPlugin)
 
@@ -152,7 +152,7 @@ def test_esxi_9_log_hostd(target_esxi: Target, fs_esxi: VirtualFilesystem) -> No
     assert results[2377].application == "Hostd"
     assert results[2377].log_level == "Er(163)"
     assert results[2377].pid == 132123
-    assert results[2377].source == "/var/log/hostd.0.gz"
+    assert results[2377].source == "/var/run/log/hostd.0.gz"
     assert results[2377].message == (
         "Failed to load event type <EventType>\n"
         "                "

tests/plugins/os/unix/esxi/esxi_log/test_shell_log.py

@@ -15,7 +15,7 @@
 def test_esxi_6_log_shell(target_esxi: Target, fs_esxi: VirtualFilesystem) -> None:
     """Test with log from an ESXi6"""
     data_file = absolute_path("_data/plugins/os/unix/esxi/log/esxi6/shell.log.gz")
-    fs_esxi.map_file("/var/log/shell.log.gz", data_file)
+    fs_esxi.map_file("/var/run/log/shell.log.gz", data_file)
 
     target_esxi.add_plugin(ShellLogPlugin)
 
@@ -35,13 +35,13 @@ def test_esxi_6_log_shell(target_esxi: Target, fs_esxi: VirtualFilesystem) -> No
     assert results[13].pid == 2099491
     assert results[13].message == "./uac --profile full -f zip ."
     assert results[13].user == "root"
-    assert results[13].source == "/var/log/shell.log.gz"
+    assert results[13].source == "/var/run/log/shell.log.gz"
 
 
 def test_esxi_7_log_shell(target_esxi: Target, fs_esxi: VirtualFilesystem) -> None:
     """Test with log from an ESXi6"""
     data_file = absolute_path("_data/plugins/os/unix/esxi/log/esxi7/shell.log.gz")
-    fs_esxi.map_file("/var/log/shell.log.gz", data_file)
+    fs_esxi.map_file("/var/run/log/shell.log.gz", data_file)
 
     target_esxi.add_plugin(ShellLogPlugin)
 
@@ -66,7 +66,7 @@ def test_esxi_7_log_shell(target_esxi: Target, fs_esxi: VirtualFilesystem) -> No
 def test_esxi_8_log_shell(target_esxi: Target, fs_esxi: VirtualFilesystem) -> None:
     """Test with log from an ESXi6"""
     data_file = absolute_path("_data/plugins/os/unix/esxi/log/esxi8/shell.log.gz")
-    fs_esxi.map_file("/var/log/shell.log.gz", data_file)
+    fs_esxi.map_file("/var/run/log/shell.log.gz", data_file)
 
     target_esxi.add_plugin(ShellLogPlugin)
 
@@ -109,7 +109,7 @@ def test_esxi_8_log_shell(target_esxi: Target, fs_esxi: VirtualFilesystem) -> No
 def test_esxi_9_log_shell(target_esxi: Target, fs_esxi: VirtualFilesystem) -> None:
     """Test with log from an ESXi6"""
     data_file = absolute_path("_data/plugins/os/unix/esxi/log/esxi9/shell.log.gz")
-    fs_esxi.map_file("/var/log/shell.log.gz", data_file)
+    fs_esxi.map_file("/var/run/log/shell.log.gz", data_file)
 
     target_esxi.add_plugin(ShellLogPlugin)