libyal / libevtx

Library and tools to access the Windows XML Event Log (EVTX) format
GNU Lesser General Public License v3.0

Unable to export file #10

Closed patatetom closed 3 years ago

patatetom commented 7 years ago

hi Joachim,

I encounter the above-mentioned error when trying to export the contents of the evtx file Microsoft-Windows-Ntfs%4Operational.evtx with evtxexport:

Unable to export file.
libfwevt_xml_document_substitute_template_value: invalid template value size value out of bounds.
libfwevt_xml_document_read_normal_substitution: unable to substitute template value.
libfwevt_xml_document_read_element: unable to read normal substitution.
libfwevt_xml_document_read_element: unable to read element.
libfwevt_xml_document_read_template_instance: unable to read element.
libfwevt_xml_document_substitute_template_value: unable to read document template instance.
libfwevt_xml_document_read_optional_substitution: unable to substitute template value.
libfwevt_xml_document_read_element: unable to read optional substitution.
libfwevt_xml_document_read_template_instance: unable to read element.
libfwevt_xml_document_read_fragment: unable to read document template instance.
libfwevt_xml_document_read_with_template_values: unable to read fragment header.
libfwevt_xml_document_read: unable to read XML document.
libevtx_record_values_read_xml_document: unable to read binary XML document.
libevtx_io_handle_read_chunk: unable to read record values XML document.
libfdata_list_get_element_value: unable to read element data at offset: 0x00005138.
libfdata_list_get_element_value_by_index: unable to retrieve element value.
libevtx_file_get_record: unable to retrieve record values: 13.
export_handle_export_records: unable to retrieve record: 13.
export_handle_export_file: unable to export records.

My Python script based on libevtx with pyevtx also fails with the same error:

Traceback (most recent call last):
  File "/usr/local/bin/evtx2tsv", line 110, in <module>
    dump_records(evtx.records)
  File "/usr/local/bin/evtx2tsv", line 97, in dump_records
    for record in records:
OSError: pyevtx_file_get_record_by_index: unable to retrieve record: 13. libfwevt_xml_document_substitute_template_value: invalid template value size value out of bounds. libfwevt_xml_document_read_normal_substitution: unable to substitute template value. libfwevt_xml_document_read_element: unable to read normal substitution. libfwevt_xml_document_read_element: unable to read element. libfwevt_xml_document_read_template_instance: unable to read element. libfwevt_xml_document_substitute_template_value: unable to read document template instance. libfwevt_xml_document_read_optional_substitution: unable to substitute template value. libfwevt_xml_document_read_element: unable to read optional substitution. libfwevt_xml_document_read_template_instance: unable to read element. libfwevt_xml_document_read_fragment: unable to read document template instance. libfwevt_xml_document_read_with_template_values: unable to read fragment header. libfwevt_xml_document_read: unable to read XML document. libevtx_record_values_read_xml_document: unable to read binary XML document. libevtx_io_handle_read_chunk: unable to read record values XML document. libfdata_list_get_element_value: unable to read element data at offset: 0x00005138. libfdata_list_get_element_value_by_index: unable to retrieve element value. libevtx_file_get_record: unable to retrieve record values: 13.

The evtx file Microsoft-Windows-Ntfs%4Operational.evtx does not appear to be corrupted, because it is correctly exported from Windows: if you wish, I can send you the exported and the original evtx file...

regards, lacsaP.
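The failure above stops the whole export at record 13, because iterating `evtx.records` raises `OSError` at the first record libevtx cannot parse. The script below is an added example (not code from the libevtx project or from the poster's evtx2tsv script): it fetches records by index, skips and reports the ones that fail, and keeps exporting the rest. It assumes the pyevtx names `pyevtx.file()`, `open()`, `close()`, `number_of_records`, `get_record(index)` and the record attributes `identifier`, `written_time`, `event_identifier`, `source_name`, `computer_name` and `xml_string`; the `sample_source()` record source is constructed sample data that reproduces the issue's failure on index 13 so the logic runs without an evtx file.

```python
"""Fault-tolerant EVTX-to-TSV export with pyevtx (added example, not libevtx code)."""
import sys
from typing import Any, Callable, List, Tuple

# Message copied from the issue above; used only by the constructed sample source.
UNSUPPORTED_TEMPLATE_MSG = (
    "pyevtx_file_get_record_by_index: unable to retrieve record: 13. "
    "libfwevt_xml_document_substitute_template_value: "
    "invalid template value size value out of bounds."
)


def export_records(
    get_record: Callable[[int], Any],
    number_of_records: int,
    format_record: Callable[[Any], str],
) -> Tuple[List[str], List[Tuple[int, str]]]:
    """Export every record that parses, collecting the indices that do not.

    Iterating ``evtx.records`` aborts at the first unparsable record; fetching
    by index lets the caller skip only that record and keep the rest of the log.
    Returns (exported_lines, failures) with failures as (index, error message).
    """
    exported: List[str] = []
    failures: List[Tuple[int, str]] = []
    for index in range(number_of_records):
        try:
            record = get_record(index)
        except OSError as error:  # pyevtx raises OSError for parse failures (see traceback above)
            failures.append((index, str(error)))
            continue
        exported.append(format_record(record))
    return exported, failures


def tsv_line(record: Any) -> str:
    """One TSV row: identifier, written time, event id, provider, host, event XML."""
    # Tabs and newlines inside the XML would break the TSV layout, so flatten them.
    xml = (record.xml_string or "").replace("\t", " ").replace("\r", "").replace("\n", " ")
    written = record.written_time
    written = written.isoformat() if hasattr(written, "isoformat") else str(written)
    return "\t".join([
        str(record.identifier),
        written,
        str(record.event_identifier),
        record.source_name or "",
        record.computer_name or "",
        xml,
    ])


class _FakeRecord:
    """Constructed stand-in for a pyevtx record (sample data, not from the issue's file)."""

    def __init__(self, identifier: int, event_identifier: int) -> None:
        self.identifier = identifier
        self.written_time = "2017-01-01T00:00:00"
        self.event_identifier = event_identifier
        self.source_name = "Microsoft-Windows-Ntfs"
        self.computer_name = "host"
        self.xml_string = "<Event>\n\t<System/>\n</Event>"


def sample_source(number_of_records: int = 20, bad_index: int = 13):
    """Constructed record source that fails on one index, like the issue's file."""

    def get_record(index: int) -> _FakeRecord:
        if index == bad_index:
            raise OSError(UNSUPPORTED_TEMPLATE_MSG)
        return _FakeRecord(identifier=index + 1, event_identifier=142)

    return get_record, number_of_records


def export_file(path: str, out=sys.stdout) -> List[Tuple[int, str]]:
    """Export a real EVTX file with pyevtx; returns the records that were skipped."""
    import pyevtx  # imported here so the rest of the module runs without pyevtx installed

    evtx = pyevtx.file()
    evtx.open(path)
    try:
        exported, failures = export_records(evtx.get_record, evtx.number_of_records, tsv_line)
    finally:
        evtx.close()
    for line in exported:
        out.write(line + "\n")
    for index, message in failures:
        sys.stderr.write("skipped record %d: %s\n" % (index, message))
    return failures


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: evtx2tsv_tolerant.py <file.evtx>")
    # Non-zero exit signals that at least one record was skipped, so callers notice.
    sys.exit(1 if export_file(sys.argv[1]) else 0)
```

This is a workaround for the export, not a fix for the unsupported template value: the skipped record indices still need to be reported (with the file or a debug log) so the format issue itself can be addressed, and the non-zero exit code keeps a partial export from silently passing as complete.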

joachimmetz commented 7 years ago

> if you wish, I can send you the exported and the original evtx file...

Yes please, the error indicates an unsupported format. The file or a debug log could tell me more about this.

> libfwevt_xml_document_substitute_template_value: invalid template value size value out of bounds.

joachimmetz commented 3 years ago

No updates, closing issue.