Closed Pinpwn closed 4 years ago
I am also having this issue.
Hi guys,
Thank you guys for reporting this issue. @Pinpwn sorry I failed to answer you within a decent delay. I found where the issue is, I will come with a fix soon.
Cheers,
I am confused about the solution here and think that this still needs more attention. I am parsing via evtxdump.exe the event log located here. The command I run is: evtxdump.exe security.evtx. To test the new functionality out I chose Event.System.EventRecordID == 2261. In Windows Event Viewer the timestamp for this record is: 2017-04-14T01:21:10.906949900Z. However, from evtxdump stdout I can see that the record is being parsed as:
{"Event":{"EventData":{"PrivilegeList":"SeAssignPrimaryTokenPrivilege\r\n\t\t\tSeTcbPrivilege\r\n\t\t\tSeSecurityPrivilege\r\n\t\t\tSeTakeOwnershipPrivilege\r\n\t\t\tSeLoadDriverPrivilege\r\n\t\t\tSeBackupPrivilege\r\n\t\t\tSeRestorePrivilege\r\n\t\t\tSeDebugPrivilege\r\n\t\t\tSeAuditPrivilege\r\n\t\t\tSeSystemEnvironmentPrivilege\r\n\t\t\tSeImpersonatePrivilege","SubjectDomainName":"NT AUTHORITY","SubjectLogonId":"0x000003e7","SubjectUserName":"SYSTEM","SubjectUserSid":"S-1-5-18"},"System":{"Channel":"Security","Computer":"WIN-03DLIIOFRRA","Correlation":{},"EventID":"4672","EventRecordID":"2261","Execution":{"ProcessID":"536","ThreadID":"624"},"Keywords":"0x8020000000000000","Level":"0","Opcode":"0","Provider":{"Guid":"54849625-5478-4994-A5BA-3E3B0328C30D","Name":"Microsoft-Windows-Security-Auditing"},"Security":{},"Task":"12548","TimeCreated":{"SystemTime":"2017-10-03T14:01:17.380369499Z"},"Version":"0"}}}
As we can see the Event.System.TimeCreated.SystemTime is reporting 2017-10-03T14:01:17.380369499Z as a timestamp. There is a difference in the timestamps. Shouldn't they report the same timestamps?
@qjerome While using evtxdump to parse an .evtx file, the JSON of an event looks like:
The TimeCreated.SystemTime ("2017-01-19T16:07:45Z") field has precision only to the second, whereas the original events have much better precision ("2017-01-19T16:07:45.152350300Z").
I don't have much experience in golang and was hoping to get some pointers on how to get the same precision in the JSON as well.
Any help is highly appreciated.
Thanks.
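The precision question in the last post (and the timestamp comparison in the earlier one) comes down to how an EVTX record's Windows FILETIME is converted to a Go time.Time and then formatted for JSON. The following is an added, self-contained Go example written for this thread; it is not code from the evtx project or from any of the posters. It assumes the raw timestamp is a FILETIME (100-ns intervals since 1601-01-01 UTC, which is how Windows stores it) and constructs its own test value from the "2017-01-19T16:07:45.152350300Z" timestamp quoted above. It shows that the conversion itself keeps the full resolution, that formatting with time.RFC3339 is what drops the sub-second part, and how a custom MarshalJSON restores the nine-digit form Event Viewer displays.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// A Windows FILETIME counts 100-nanosecond intervals since 1601-01-01T00:00:00Z.
// epochDelta is that count at the Unix epoch (1970-01-01T00:00:00Z).
const epochDelta int64 = 116444736000000000

// FiletimeToTime converts a raw FILETIME (as stored in EVTX records) to a UTC
// time.Time, keeping the full 100-ns resolution of the source value.
func FiletimeToTime(ft uint64) time.Time {
	ns := (int64(ft) - epochDelta) * 100
	return time.Unix(0, ns).UTC()
}

// TimeToFiletime is the inverse conversion; here it only builds the test vector.
func TimeToFiletime(t time.Time) uint64 {
	return uint64(t.UnixNano()/100 + epochDelta)
}

// eventViewerLayout renders exactly nine fractional digits, matching the
// "2017-01-19T16:07:45.152350300Z" form shown by Event Viewer.
const eventViewerLayout = "2006-01-02T15:04:05.000000000Z07:00"

// FormatTruncated is what time.RFC3339 produces: the fraction is silently dropped,
// which yields the seconds-only "2017-01-19T16:07:45Z" string from the thread.
func FormatTruncated(t time.Time) string { return t.UTC().Format(time.RFC3339) }

// FormatPrecise keeps the sub-second part with fixed width.
func FormatPrecise(t time.Time) string { return t.UTC().Format(eventViewerLayout) }

// SystemTime wraps time.Time so that it marshals with full precision instead of
// the seconds-only string a plain RFC3339 format would produce.
type SystemTime struct{ time.Time }

func (s SystemTime) MarshalJSON() ([]byte, error) {
	return json.Marshal(FormatPrecise(s.Time))
}

// TimeCreated mirrors the Event.System.TimeCreated object of the dumped JSON.
type TimeCreated struct {
	SystemTime SystemTime `json:"SystemTime"`
}

func main() {
	// Constructed test vector: the FILETIME equivalent of the timestamp quoted in the issue.
	ft := TimeToFiletime(time.Date(2017, 1, 19, 16, 7, 45, 152350300, time.UTC))
	t := FiletimeToTime(ft)
	fmt.Println("seconds only:   ", FormatTruncated(t))
	fmt.Println("full precision: ", FormatPrecise(t))
	b, err := json.Marshal(TimeCreated{SystemTime{t}})
	if err != nil {
		panic(err)
	}
	fmt.Println(string(b))
}
```

If a dump shows a record with a timestamp that differs from Event Viewer by months rather than by fractional digits, as in the EventRecordID 2261 case above, the loss is not in the formatting step: the wrong FILETIME is being read for that record, so the raw value passed to the conversion is the thing to compare against the original file.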