omerbenamram / evtx

A Fast (and safe) parser for the Windows XML Event Log (EVTX) format
Apache License 2.0

Provide public usable visitor interface #195

Closed janstarke closed 2 years ago

janstarke commented 3 years ago

A better approach than returning some general structure is to call a custom visitor while traversing an event record. This implementation provides an interface for this. One can use this to construct any structure, as needed. In detail, this visitor adapts an internal visitor and hides all internal types.

Usage example:

```rust
struct MySpecialEvtxDataStructure {}
struct MyVisitor {}
impl EvtxStructureVisitor for MyVisitor {
  // the caller chooses what each visited record is turned into
  type VisitorResult = Option<MySpecialEvtxDataStructure>;
  /* ... */
}
/* ... */
// one fresh visitor is created per record by the factory closure
let records = parser.records_to_visitor(|| MyVisitor::new());
```

I used evtxgrep as a PoC to see if everything works as desired, keeping as many changes as possible outside of evtx.
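To illustrate the design described in this PR (a public visitor trait with a caller-chosen result type, a factory closure per record, and internal parser types kept out of the public surface), here is a self-contained sketch added for this discussion; it is not the crate's code. The `InternalRecord` model, the `visit_element`/`finish_record` callback names and the sample records are all constructed assumptions.

```rust
use std::collections::BTreeMap;

// Constructed stand-in for the parser's internal record model, which the
// public visitor deliberately hides from callers.
struct InternalRecord { elements: Vec<(&'static str, &'static str)> } // (name, text)

// Public trait in the shape the PR sketches: the caller picks the result
// type. Callback names here are assumptions, not the crate's real API.
trait EvtxStructureVisitor {
    type VisitorResult;
    fn visit_element(&mut self, name: &str, text: &str);
    fn finish_record(self) -> Self::VisitorResult;
}

// One fresh visitor per record, created by the factory closure, mirroring
// `parser.records_to_visitor(|| MyVisitor::new())`.
fn records_to_visitor<V: EvtxStructureVisitor, F: Fn() -> V>(records: &[InternalRecord], factory: F) -> Vec<V::VisitorResult> {
    records
        .iter()
        .map(|rec| {
            let mut v = factory();
            for (name, text) in &rec.elements {
                v.visit_element(name, text);
            }
            v.finish_record()
        })
        .collect()
}

// A user-defined target structure: a flat name -> text map, or None when
// the record carries no EventID so callers can skip it.
struct MyVisitor { fields: BTreeMap<String, String> }
impl EvtxStructureVisitor for MyVisitor {
    type VisitorResult = Option<BTreeMap<String, String>>;
    fn visit_element(&mut self, name: &str, text: &str) {
        self.fields.insert(name.to_string(), text.to_string());
    }
    fn finish_record(self) -> Self::VisitorResult {
        if self.fields.contains_key("EventID") { Some(self.fields) } else { None }
    }
}

// Constructed sample records (not real log data).
fn run_sample() -> Vec<Option<BTreeMap<String, String>>> {
    let records = vec![
        InternalRecord { elements: vec![("EventID", "4624"), ("Channel", "Security")] },
        InternalRecord { elements: vec![("Channel", "System")] },
    ];
    records_to_visitor(&records, || MyVisitor { fields: BTreeMap::new() })
}
```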

janstarke commented 3 years ago

I reimplemented evtxgrep based on this PR, to see if everything works as expected. I like the current approach :-)

janstarke commented 2 years ago

@omerbenamram @forensicmatt: I added an additional use case, which I needed during a project of mine: https://github.com/janstarke/evtx2bodyfile

This tool creates a bodyfile from Windows Event logs. I'm looking forward to positive feedback from you regarding this very PR.

Regards, Jan