docker_zircolite/start.sh

#!/bin/sh
#check if folder was mounted under /data
if [[ ! -d /data ]] ; then
    echo "[!] No Folder was mounted to /data"
    echo "[=] Make sure a folder containig the Windows Logs (evtx) is mounted. Example:"
    echo "[=]"
    echo "[>] # docker run -it --rm -v /path/to/logfiles:/data tabledevil/zircolite"
    exit 1
fi

#check which destination is writeable /data or /output
if [[ ! -f /output/notmounted ]] && [[ -w /output ]] ; then
    echo "[!] Output folder was mounted and is writeable"
    echo "[>] Using /output as destination for report"
    output="/output"
else
    if [[ -w /data ]] ; then
        echo "[!] Mounted folder /data can be written"
        echo "[>] Using /data as destination for report"
        output="/data"
    else
        echo "[!] No writeable output folder available"
        echo "[=] Make sure either the folder mounted under /data is writable ..."
        echo "[>] # docker run -it --rm -v /path/to/logfiles:/data tabledevil/zircolite"
        echo "[=] ... or mount a writable folder to /output"
        echo "[>] # docker run -it --rm -v /path/to/logfiles:/data:ro -v /path/for/report:/output tabledevil/zircolite"
        exit 1
    fi
fi

#set output-destination
outputf="${output}/zircolite_$(date +%s)"
echo "output is goint to : ${outputf}"

# --evtx <data dir> ; -o <json output> ; -l <logfile> ; -c <field mappings>.
# Older start.sh passed -t <tmpdir>, but in current zircolite -t means
# --template (Jinja2) which expects --templateOutput as well. Tmp is no
# longer user-controllable so we drop it.
/opt/zircolite/venv/bin/python /opt/zircolite/zircolite.py \
  --evtx /data \
  --rules /opt/zircolite/rules/rules_windows_generic.json \
  -c /opt/zircolite/config/fieldMappings.yaml \
  -o "${outputf}.json" \
  -l "${outputf}.log"