Closed GoogleCodeExporter closed 9 years ago
This should be "fixed" now. The error really lies in the EVTX library, since it
does not properly decode the value. And then the XML library in Perl croaks on
the output, and displays it in a wrong format.
The "fix" is simply a check (try/catch) to see if this condition comes up, and
then return an error for that particular entry instead of the entire file, so
we can continue and parse the file and get the rest of the entries.
Since I don't have the file I need you to test this for me (the latest version
in the repo should have the fix and the next release too).
Marking this as "fixed", but not done yet, since it hasn't been tested and
fully verified.
Original comment by ki...@kiddaland.net
on 19 Sep 2012 at 4:08
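The per-entry error handling described in the comment above, sketched in Python rather than log2timeline's Perl. This is an added example, not the project's code; the record layout, function names and sample events are constructed for illustration. It also checks the surviving `EventRecordID` values so the skipped entry shows up as a visible gap in the timeline.

```python
import xml.etree.ElementTree as ET

# Constructed sample records. The second one carries a raw control byte,
# standing in for a value the decoder failed to translate, so the XML is
# not well-formed and the parser raises on it.
SAMPLE_RECORDS = [
    "<Event><System><EventID>4624</EventID>"
    "<EventRecordID>101</EventRecordID></System></Event>",
    "<Event><System><EventID>4688</EventID>"
    "<EventRecordID>102</EventRecordID></System><Data>\x01bad</Data></Event>",
    "<Event><System><EventID>4634</EventID>"
    "<EventRecordID>103</EventRecordID></System></Event>",
]


def parse_records(records):
    """Parse each record on its own; one bad record never aborts the file."""
    parsed, skipped = [], []
    for index, xml_text in enumerate(records):
        try:
            root = ET.fromstring(xml_text)
            parsed.append({
                "index": index,
                "event_id": int(root.findtext("System/EventID")),
                "record_id": int(root.findtext("System/EventRecordID")),
            })
        except (ET.ParseError, TypeError, ValueError) as exc:
            # Keep an error row for this entry so the analyst can see that
            # the timeline is incomplete, then continue with the next one.
            skipped.append({"index": index,
                            "error": f"{type(exc).__name__}: {exc}"})
    return parsed, skipped


def missing_record_ids(parsed):
    """Return record IDs absent between the lowest and highest parsed ID."""
    seen = {row["record_id"] for row in parsed}
    if not seen:
        return []
    return [rid for rid in range(min(seen), max(seen) + 1) if rid not in seen]


if __name__ == "__main__":
    rows, errors = parse_records(SAMPLE_RECORDS)
    print("parsed:", rows)
    print("skipped:", errors)
    print("record ID gaps:", missing_record_ids(rows))
```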
Kristinn,
Thanks for the fix - it properly parsed the entire file this time, just skipping that one entry.
I was able to complete my timeline using MS LogParser to build a csv output in l2t format, then inject it into my original timeline. I actually kind of like that custom output a hair better than the default evtx input module output, if you are interested in taking a look - I could send the query.
Anyway, thanks again for your great support to the community with l2t!
Original comment by andrew.h...@gmail.com
on 19 Sep 2012 at 12:35
OK, great, good to hear that it is done.
Yes, I am always open for new ways of presenting the data. Whether that is just
to show me the output using this method or the script itself.
Original comment by ki...@kiddaland.net
on 19 Sep 2012 at 6:06
What is the expected output? What do you see instead?
0.64 on Ubuntu and replicated error on Windows with Active Perl