omerbenamram
commented
4 years ago Hi,
The purpose of the cli tool is to parse event logs as close to the source as possible.
I suggest you combine this with an additional tool such as jq, or write a simple python script.
What you've ask for can be done with a one-liner in jq.
cargo run --release .\samples\security.evtx -o jsonl | jq -r 'walk(if type == "object" then with_entries(.key|=ascii_downcase) else . end)'
Results in output like:
andurin
Hi,
I recently came across your evtx parser and was really impressed by it's speed. Thank you for your efforts.
In one of my use cases I would like to import the resulting json files to elasticsearch via logstash to work with some logstash filter to make them "ECS" (Elastic Common naming scheme) compliant. One of their rules are lowercase field names. Logstash has a nice json parser but it's not the best point to lowercase all potential keys in a json structure.
Therefor I would like to ask, if there is a chance to get another cli argument a la "lowercase all json keys"?