Terraformed Timesketch deployment in GCP for homelab / quick proof-of-concept environments.
This Terraform template and accompanying startup script will:
- Create a GCE VM with an extra disk for more storage
- Install and run Timesketch, the collaborative timeline analysis application
- Install the Timesketch CLI tool
- Install Plaso tools such as `log2timeline.py`
- Attach, format and mount the extra disk at `/mnt/disks/data/`
- (Optionally) Copy data from a GCS bucket to the `~/data/` folder
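The attach/format/mount step is where a startup script can do real damage: a script that unconditionally runs `mkfs` will wipe the data disk on every reboot. The following is an added example of how that step can be written idempotently; it is not the repository's own `install-tools.sh`. It assumes the disk is passed in via a hypothetical `DATA_DISK_DEVICE` variable (on GCE the attached disk appears as `/dev/disk/by-id/google-<device-name>`) and defaults the mount point to `/mnt/disks/data`. The decision logic is kept in small functions so it can be exercised without a real block device.

```shell
#!/bin/sh
# Added example (not the repository's install-tools.sh): idempotent data-disk
# setup for a GCE startup script. DATA_DISK_DEVICE and MOUNT_POINT are assumed
# variable names supplied by the caller, e.g. from Terraform metadata.
set -eu

# Decide what to do with a block device given the filesystem type that
# `blkid -s TYPE -o value` reports for it (empty string = no filesystem).
disk_action() {
  fstype="$1"
  if [ -z "$fstype" ]; then
    echo format   # blank disk: safe to mkfs
  else
    echo mount    # existing filesystem: never mkfs, or the evidence is gone
  fi
}

# Render the /etc/fstab line. Mount by UUID because /dev/sdX names can change
# between boots, and use nofail so a detached disk does not block boot.
fstab_entry() {
  uuid="$1"; mnt="$2"
  printf 'UUID=%s %s ext4 discard,defaults,nofail 0 2\n' "$uuid" "$mnt"
}

# $1 = fstab contents, $2 = mount point. Succeeds if the mount point is listed.
fstab_has_mount() {
  printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { found = 1 } END { exit !found }'
}

setup_data_disk() {
  device="$1"; mnt="$2"
  fstype="$(blkid -s TYPE -o value "$device" 2>/dev/null || true)"
  case "$(disk_action "$fstype")" in
    # Same mkfs options Google documents for persistent disks.
    format) mkfs.ext4 -m 0 -E lazy_itable_init=0,lazy_journal_init=0,discard "$device" ;;
    mount)  echo "keeping existing $fstype filesystem on $device" ;;
  esac
  uuid="$(blkid -s UUID -o value "$device")"
  mkdir -p "$mnt"
  if ! fstab_has_mount "$(cat /etc/fstab)" "$mnt"; then
    fstab_entry "$uuid" "$mnt" >> /etc/fstab
  fi
  # mountpoint(1) from util-linux: skip the mount if it is already mounted.
  mountpoint -q "$mnt" || mount "$mnt"
  chmod a+w "$mnt"   # let the non-root login user drop artifacts here
}

# Only act when a device was supplied, so the file can also be sourced for tests.
if [ -n "${DATA_DISK_DEVICE:-}" ]; then
  setup_data_disk "$DATA_DISK_DEVICE" "${MOUNT_POINT:-/mnt/disks/data}"
fi
```

On the first boot `blkid` reports no filesystem and the disk is formatted; on every later boot it reports `ext4` and the script only (re)mounts, which is what makes `terraform apply` safe to re-run against an instance that already holds evidence.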
Before deploying, make sure you have the following:
- Terraform and the gcloud CLI installed and configured locally on the machine you are deploying from
- An existing GCP project
- A GCP service account with access to the storage buckets within your project
- (Optional) A GCS bucket for artifact storage
- (Optional) The last line of `install-tools.sh` updated with the name of the GCS bucket that stores your forensic artifacts
- A GCP firewall rule in place that only allows your home IP to reach GCE instances within the project. The instance gets an external IP, so do not leave SSH or the Timesketch web UI reachable from 0.0.0.0/0.
- Your own way of connecting to the instance via SSH (SSH-in-browser, a local terminal, etc.)
To deploy:
- Clone this repository to your local machine
- Review the `variables.tf` file and update the default values as desired. In particular, you must set `project_id` and `service_account` to values specific to your GCP account.
- From within the repository directory, run the following and review the plan that `terraform apply` prints before confirming it:
```
terraform init
terraform apply
```
Here are the final steps to follow before logging into Timesketch:
- Validate that you can reach the instance by entering `https://<your_gce_external_ip>` in your browser. You should see the login page.
- Create the first Timesketch user. SSH into the instance first; `tsctl` prompts for the password:
```
cd /opt/timesketch
sudo docker compose exec timesketch-web tsctl create-user <USERNAME>
```
- (Optional) Configure the Timesketch CLI (useful for importing timelines from the command line). Run `timesketch config` and answer the prompts with the parameters shown below:
```
No timesketch section in the config
What is the value for <host_uri> (URL of the Timesketch server): https://localhost
What is the value for <auth_mode> (Authentication mode, valid choices are: "userpass" (user/pass) or "oauth"): userpass
What is the value for <username> (The username of the Timesketch user): <USERNAME defined with tsctl create-user>
Password for user <USERNAME> [**]
```
- (Optional) Validate that you can reach the GCS storage bucket from your GCE instance with `gsutil ls`.

When you are ready to tear down your instance, run `terraform destroy`.
If you cannot access the Timesketch login page in your browser:
- Check whether the containers are running. SSH into the instance and run `sudo docker container list` (add `--all` to also see containers that have exited). You should see all of the containers with an "Up" status.
- If they are not, something probably went wrong with the startup script. Review the startup script logs with `sudo journalctl -u google-startup-scripts.service` and proceed with troubleshooting from there.
- If the containers are running, you may need to create a firewall rule that allows access to your GCE instance from your external host IP.
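The container check above is easy to misread when the compose stack has six containers and one of them is crash-looping. The following is an added helper, not part of the repository, that reduces `docker container list` output to the names of containers that are not "Up" and exits non-zero if any exist. The container names in the constructed sample listing are assumptions for offline use; on the instance, run it with the hypothetical `--live` flag to query Docker for real.

```shell
#!/bin/sh
# Added example (not part of the repository): summarise which Timesketch
# containers are not running so a startup-script failure is visible at a glance.
set -eu

# Read "name<TAB>status" lines (the format the docker command below emits) and
# print the names whose status does not begin with "Up". Exit status is 0 when
# every container is Up and 1 otherwise.
containers_not_up() {
  awk -F '\t' '
    NF && $2 !~ /^Up/ { print $1; bad = 1 }
    END { exit bad ? 1 : 0 }
  '
}

# Count non-empty lines; catches the case where compose never started anything.
container_count() {
  awk 'NF { n++ } END { print n + 0 }'
}

# Constructed sample listing for offline use (names and statuses are made up,
# but the status strings follow Docker's real "Up ..."/"Exited ..." wording).
SAMPLE_LISTING="$(printf 'timesketch-web\tUp 12 minutes\ntimesketch-worker\tRestarting (1) 30 seconds ago\nopensearch\tUp 12 minutes (healthy)\npostgres\tUp 12 minutes\nredis\tExited (137) 5 minutes ago\n')"

if [ "${1:-}" = "--live" ]; then
  # Real run on the instance: --all also lists containers that have exited,
  # which the default `docker container list` hides.
  if docker container list --all --format '{{.Names}}\t{{.Status}}' | containers_not_up; then
    echo "all containers are Up"
  else
    echo "containers listed above are not Up; check: sudo journalctl -u google-startup-scripts.service" >&2
    exit 1
  fi
else
  echo "sample listing has $(printf '%s\n' "$SAMPLE_LISTING" | container_count) containers"
  if printf '%s\n' "$SAMPLE_LISTING" | containers_not_up; then
    echo "sample: all containers are Up"
  else
    echo "sample: containers listed above are not Up"
  fi
fi
```

A container that shows "Restarting" rather than "Exited" is usually the one worth looking at first, since Docker is already retrying it; `sudo docker compose logs <name>` from `/opt/timesketch` shows why.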
References used while building this:
- https://cloud.google.com/compute/docs/instances/startup-scripts/linux#viewing-output
- https://www.youtube.com/watch?v=K60_VvhgcNo&t=0s
- https://developer.hashicorp.com/terraform/language/values/locals
- https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance
- https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_address#user-project-overrides
- https://developer.hashicorp.com/terraform/tutorials/aws-get-started/aws-variables
- https://developer.hashicorp.com/terraform/tutorials/configuration-language/variables