DRAFT: MEGAsync parser

[hur]

One line description of pull request

Implements a parser for MEGAsync logs

Description:

Related issue (if applicable): fixes #4185

Notes:

All contributions to Plaso undergo code
review. This makes sure
that the code has appropriate test coverage and conforms to the Plaso style
guide.

One of the maintainers will examine your code, and may request changes. Check off the items below in
order, and then a maintainer will review your code.

Checklist:

• Automated checks (Travis, Codecov, Codefactor )pass
• No new new dependencies are required or l2tdevtools has been updated
• Reviewer assigned

[hur]

MEGASync compresses rotated-out log files using the gzip format. the mtime timestamp in the gzip stream, however, is empty

making this approach not work. (and currently I just set the estimate to the current year in case of epoch timestamps)

I'm struggling a bit to find a good way to estimate the year of the log file in plaso, other than relying on --preferred-year.

I've considered some things like accessing the timestamps of the compressed file itself (should be accurate except for some edge cases, but also don't see that the APIs would allow for this currently).

[hur]

MEGASync logs are very verbose, so I currently only produce events for log lines that may be of forensic interest. If it's more desirable to produce events for every log entry, I can change this, but I recommend checking out the sample test file for context. (also here if the diff viewer wont show it)

Note that in an environment where MEGAsync ran for more than a few minutes, you will likely have 50 of those log files, totaling some ~4 million lines.

[joachimmetz]

I'm struggling a bit to find a good way to estimate the year of the log file in plaso, other than relying on --preferred-year.

Would need to dig into this first to give you useful advice. Will try to get back to you as soon as time permits.