Open thinrope opened 8 years ago
Is this supposed to be working in Windows (sorry, no testing win environment)?
Should work in both Windows and Linux
I guess one way is to add option to replace envvars like %SystemRoot%
Not sure why you guess that but %SystemRoot% should be expanded by evtxexport: https://github.com/libyal/libevtx/blob/9bd9432278f8226be1f1d5df81b51950804875fa/evtxtools/message_handle.c#L967
Any indication to why "Unable to export record: 0." is reported?
OK, I did some more testing, and managed to make it work better. I recompiled libevtx with verbose/debug messages and here is (the non-verbose) STDERR for the above command:
resource_file_get_provider: invalid resource file.
message_handle_get_resource_file_by_provider_identifier: unable to retrieve provider.
export_handle_export_record_event_message: unable to retrieve resource file.
export_handle_export_record_text: unable to export event message.
export_handle_export_record: unable to export record in text.
export_handle_export_records: unable to export record: 0.
I later fixed the value for search PATH to point to the C-root, -p "mnt/host/C", and I got a better result:
Event number : 1
Written time : MASKED
Event level : Information (4)
User security identifier : S-1-5-18
Computer name : MASKED
Provider identifier : {EEF54E71-0661-422D-9A98-82FD4940B820}
Source name : Microsoft-Windows-Application-Experience
Event identifier : 0x000002bd (701)
Resource filename : %SystemRoot%\system32\aeevts.dll
Message filename : %SystemRoot%\system32\aeevts.dll
Message identifier : 0xb00002bd
Number of strings : 0
Event number : 2
....
That "Number of strings: 0" bothers me... looking at the -f xml output it is just <EventData/>. Looking back I might have selected a bad (edge case) candidate evtx file for testing...
Or may be I still don't understand the usage, sorry. Is there a way to include the parsed/substituted message string, e.g. https://github.com/libyal/libevtx/blame/master/documentation/Windows%20XML%20Event%20Log%20%28EVTX%29.asciidoc#L1414 in the fml output?
If by fml you mean XML, no.
Number of strings
I need to double check but the message string should be still printed if there are no strings.
Yes, sorry for the typo :-|
I was hoping for something along <message_string>bla bla</message_string> in the XML, but I should be able to parse the -f text output and add to -f xml when that is needed.
I confirmed that -f text prints correctly the expanded Message string when parsing Security.evtx even when Number of strings: 0 (e.g. for eventID: 408).
Same command, same server does not print any Message string for the Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx when there are strings (eventID: 500) or there are zero strings (eventID: 701), for example:
....
Event number : 9
Written time : MASKED
Event level : Information (4)
User security identifier : S-1-5-18
Computer name : MASKED
Provider identifier : {EEF54E71-0661-422D-9A98-82FD4940B820}
Source name : Microsoft-Windows-Application-Experience
Event identifier : 0x000002bd (701)
Resource filename : %SystemRoot%\system32\aeevts.dll
Message filename : %SystemRoot%\system32\aeevts.dll
Message identifier : 0xb00002bd
Number of strings : 0
Event number : 10
Written time : MASKED
Event level : Information (4)
User security identifier : MASKED
Computer name : MASKED
Provider identifier : {EEF54E71-0661-422D-9A98-82FD4940B820}
Source name : Microsoft-Windows-Application-Experience
Event identifier : 0x000001f4 (500)
Resource filename : %SystemRoot%\system32\aeevts.dll
Message filename : %SystemRoot%\system32\aeevts.dll
Message identifier : 0xb00001f4
Number of strings : 6
String: 1 : 60
String: 2 : MASKED
String: 3 : MASKED
String: 4 : 0x00010101
String: 5 : MASKED-fullfile-ja-jp.exe
String: 6 : Service Pack
Event number : 11
....
I have been poking at the code, trying to parse various EVTX logs, using latest github releases. Works very well for the 4 standard logs, compiles as static, GREAT!
The one thing that stumbled me is using resource providers. I couldn't figure a way to point evtxexport to the right path of the (dll in this case) provider.
I am trying to parse "Microsoft-Windows-Application-Experience/Program-Telemetry.evtx" from a mounted image of Win2008(ja) server, mounted under mnt/host/C
The (head) of the result being:
What can be a proper way to handle the %SystemRoot% and/or the whole path to the resource, in this case mnt/host/C/Windows/System32/aeevts.dll? Is this supposed to be working in Windows (sorry, no testing win environment)? I guess one way is to add option to replace envvars like %SystemRoot%, or just take the filename and append to the -p resource_files_path provided path.
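The two things the thread circles around are (a) post-processing the `-f text` output, as the reporter proposes in the comment above, and (b) mapping a resource path such as `%SystemRoot%\system32\aeevts.dll` onto an image mounted on Linux. The following is an added example written for this thread, not code from libevtx or its author: it parses text records of the shape shown in the comments into dicts and then resolves the "Resource filename" against a mount root, expanding %SystemRoot% (assumed to be `Windows` under the mount, which is the stock layout; the real value lives in the image's registry) and matching path components case-insensitively, since NTFS names are case-insensitive but a Linux mount is not. The sample text and the throwaway mount tree are constructed here for the demonstration.

```python
"""Parse `evtxexport -f text` output and resolve the Windows resource DLL it
names against an image mounted on Linux. Added example, not libevtx code."""
import os
import re
import tempfile

# Constructed sample modelled on the thread's output (MASKED fields kept as-is).
SAMPLE_TEXT = """\
Event number : 9
Event level : Information (4)
User security identifier : S-1-5-18
Provider identifier : {EEF54E71-0661-422D-9A98-82FD4940B820}
Source name : Microsoft-Windows-Application-Experience
Event identifier : 0x000002bd (701)
Resource filename : %SystemRoot%\\system32\\aeevts.dll
Message filename : %SystemRoot%\\system32\\aeevts.dll
Message identifier : 0xb00002bd
Number of strings : 0

Event number : 10
Event level : Information (4)
User security identifier : MASKED
Provider identifier : {EEF54E71-0661-422D-9A98-82FD4940B820}
Source name : Microsoft-Windows-Application-Experience
Event identifier : 0x000001f4 (500)
Resource filename : %SystemRoot%\\system32\\aeevts.dll
Message filename : %SystemRoot%\\system32\\aeevts.dll
Message identifier : 0xb00001f4
Number of strings : 6
String: 1 : 60
String: 2 : MASKED
String: 3 : MASKED
String: 4 : 0x00010101
String: 5 : MASKED-fullfile-ja-jp.exe
String: 6 : Service Pack
"""


def parse_evtxexport_text(text):
    """Split text output into one dict per record ('Event number' starts a
    record); the numbered 'String: N' lines are collected under 'strings'."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if " : " not in line:
            continue  # blank separators and anything that is not 'key : value'
        key, value = line.split(" : ", 1)
        if key == "Event number":
            records.append({"strings": []})
        if not records:
            continue  # stray lines before the first record header
        if key.startswith("String:"):
            records[-1]["strings"].append(value)
        else:
            records[-1][key] = value
    return records


def event_id(record):
    """Decimal event identifier from a value like '0x000002bd (701)'."""
    return int(record["Event identifier"].split()[0], 16)


def _match_component(directory, name):
    """Directory entry equal to name ignoring case, or None (NTFS semantics)."""
    wanted = name.lower()
    for entry in os.listdir(directory):
        if entry.lower() == wanted:
            return entry
    return None


def resolve_resource_path(resource_filename, mount_root, system_root="Windows"):
    """Map %SystemRoot%\\system32\\aeevts.dll onto <mount_root>/<system_root>/...
    walking the mount case-insensitively. Returns the host path or None."""
    expanded = re.sub(r"%SystemRoot%", system_root, resource_filename, flags=re.IGNORECASE)
    expanded = re.sub(r"^[A-Za-z]:", "", expanded)  # C:\... is also anchored at the mount
    current = mount_root
    for component in [c for c in expanded.replace("\\", "/").split("/") if c]:
        if not os.path.isdir(current):
            return None
        entry = _match_component(current, component)
        if entry is None:
            return None
        current = os.path.join(current, entry)
    return current if os.path.isfile(current) else None


def build_demo_mount():
    """Throwaway tree shaped like a mounted Windows volume (stand-in for
    mnt/host/C); the DLL is a placeholder file, not a real aeevts.dll."""
    root = tempfile.mkdtemp(prefix="evtx-mount-")
    os.makedirs(os.path.join(root, "Windows", "System32"))
    with open(os.path.join(root, "Windows", "System32", "aeevts.dll"), "wb") as fh:
        fh.write(b"MZ")
    return root


if __name__ == "__main__":
    mount = build_demo_mount()
    for rec in parse_evtxexport_text(SAMPLE_TEXT):
        print(event_id(rec), len(rec["strings"]),
              resolve_resource_path(rec["Resource filename"], mount))
```

Run against a real export by feeding the file contents to `parse_evtxexport_text` and the mount point (`mnt/host/C` in the thread) to `resolve_resource_path`; a `None` result means the DLL is not where the record says, which is the case to check before blaming the message lookup.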