CLAassistant
commented
1 year ago
All committers have signed the CLA.
Closed maximelb closed 3 months ago
CLAassistant
commented
1 year ago
All committers have signed the CLA.
scudette
commented
1 year ago We are still parsing entire chunks at the time so it really doesn't make much difference for very large evtx files right?
Here is the corresponding code in Velociraptor https://github.com/Velocidex/velociraptor/blob/d62b72887b3b2364554cdba9645570b43c91f347/vql/parsers/event_logs/evtx.go#L103
I guess this is more of a convenience function but it wont make much difference to memory performance during parsing of large evtx files.
Provide an exported function to generate native (maps) Events through a channel instead of generating the whole file all at once.
This allows for more efficient processing of very large evtx file to stream JSON out.
The generator takes a file descriptor in to read the evtx, and returns a channel of event+error, a close function (to abort processing) and an error for the initial reading of the evtx file.