Closed gFazzari closed 2 years ago
Hey @gFazzari !
So MonitorEvents is a pretty hacky and dirty way to get EVTX events. That was my solution when I did not know how to do otherwise. Going back to the same offset in the file is not an appropriate approach as EVTX files are rotating and after rotation older events appear at lower offsets. If you are interested in getting EVTX logs in real time I would advise you to get them via an EventProvider struct that you can find here: https://github.com/0xrawsec/golang-win32/blob/master/win32/wevtapi/helpers.go. You can find an example program here: https://github.com/0xrawsec/evtmon/blob/master/main.go. I don't think I implemented bookmarking though but it is pretty straightforward to do.
I hope it will help.
Thank you very much @qjerome! I will use PullEventProvider and I will try to work with the flag EvtSubscribeStartAfterBookmark.
Is there a way to use the function BackupSeeker on a file that I am currently monitoring with MonitorEvents?

```go
func evtx.BackupSeeker(seeker io.Seeker) int64
```

This function accepts an io.Seeker as its first argument, but evtx.File doesn't implement the Seek method... Maybe I'm missing something or there's another way to achieve my goal: when I stop monitoring the file I'd like to save the offset and start from there the next time.
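The rotation problem raised in the reply above and the resume-after-stop goal in the last comment, as an added illustration that is not code from golang-evtx or golang-win32: a constructed four-slot "file" is rotated once, and resuming from a saved byte offset is compared with resuming from the last forwarded EventRecordID (the per-channel monotonic counter that Windows bookmarks are built on). The `Record`, `Checkpoint` and `RotatedLayout` names and the offsets are assumptions for the demo.

```go
package main

import "fmt"

// Record is a constructed stand-in for an EVTX event record: its EventRecordID
// (monotonic per channel) and the byte offset it currently occupies in the file.
type Record struct {
	ID     uint64
	Offset int64
}

// Checkpoint holds the last forwarded EventRecordID rather than a byte offset,
// because rotation moves newer records to lower offsets in the file.
type Checkpoint struct {
	Channel      string
	LastRecordID uint64
}

// ResumeByOffset mimics "seek back to the saved offset": it returns the records
// found at or beyond that offset in the file's current layout.
func ResumeByOffset(recs []Record, offset int64) []Record {
	var out []Record
	for _, r := range recs {
		if r.Offset >= offset {
			out = append(out, r)
		}
	}
	return out
}

// ResumeByRecordID returns every record newer than the checkpoint, wherever
// rotation has placed it.
func ResumeByRecordID(recs []Record, cp Checkpoint) []Record {
	var out []Record
	for _, r := range recs {
		if r.ID > cp.LastRecordID {
			out = append(out, r)
		}
	}
	return out
}

// RotatedLayout: constructed 4-slot file after one rotation; 5 and 6 overwrote 1 and 2.
var RotatedLayout = []Record{{5, 0}, {6, 100}, {3, 200}, {4, 300}}

func main() {
	cp := Checkpoint{Channel: "Security", LastRecordID: 3} // stopped after record 3, which ended at offset 300
	fmt.Println("by offset:   ", ResumeByOffset(RotatedLayout, 300)) // only record 4: 5 and 6 are lost
	fmt.Println("by record ID:", ResumeByRecordID(RotatedLayout, cp)) // records 5, 6, 4
}
```

The same comparison holds for a real collector: a persisted EventRecordID (or an EVT_HANDLE bookmark) survives rotation, a persisted offset does not.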