Failed 1: Invalid EVTX record header magic, expected `2a2a0000`, found `[ 0, 0, 0, 0]` - Line No. 21
I was able to reproduce the issue with another Sysmon Event Log file and found out that if the chunk header fields last_event_record_id as well as free_space_offset are greater than the actual number of records in the chunk, the parser fails with the aforementioned error. A sample output of parsing the Sysmon Event Log file provided by SANS in debug mode is shown below. Please note, that I added the output of the chunk header fields for debugging purposes.
14:38:58 [INFO] first_event_record_number - 188705
14:38:58 [INFO] last_event_record_number - 188775
14:38:58 [INFO] first_event_record_id - 188705
14:38:58 [INFO] last_event_record_id - 188775
14:38:58 [INFO] free_space_offset - 64568
14:38:58 [INFO] Initializing string cache
14:38:58 [INFO] Initializing template cache
14:38:58 [INFO] Record id - 188705
14:38:58 [DEBUG] (1) evtx::evtx_chunk: Record header - EvtxRecordHeader { data_size: 3000, event_record_id: 188705, timestamp: 2018-09-07T04:28:25.337132Z }
14:38:58 [DEBUG] (1) evtx::binxml::assemble: Template in offset 550 was not found in cache
14:38:58 [DEBUG] (1) evtx::binxml::assemble: Template in offset 2065 was not found in cache
14:38:58 [INFO] Record id - 188706
14:38:58 [DEBUG] (1) evtx::evtx_chunk: Record header - EvtxRecordHeader { data_size: 776, event_record_id: 188706, timestamp: 2018-09-07T04:29:02.596583Z }
14:38:58 [DEBUG] (1) evtx::binxml::assemble: Template in offset 550 was not found in cache
14:38:58 [DEBUG] (1) evtx::binxml::assemble: Template in offset 2065 was not found in cache
14:38:58 [INFO] Record id - 188707
14:38:58 [DEBUG] (1) evtx::evtx_chunk: Record header - EvtxRecordHeader { data_size: 744, event_record_id: 188707, timestamp: 2018-09-07T04:29:40.365998Z }
14:38:58 [DEBUG] (1) evtx::binxml::assemble: Template in offset 550 was not found in cache
14:38:58 [DEBUG] (1) evtx::binxml::assemble: Template in offset 2065 was not found in cache
14:38:58 [INFO] Record id - 188708
14:38:58 [DEBUG] (1) evtx::evtx_chunk: Record header - EvtxRecordHeader { data_size: 744, event_record_id: 188708, timestamp: 2018-09-07T04:30:58.380798Z }
14:38:58 [DEBUG] (1) evtx::binxml::assemble: Template in offset 550 was not found in cache
14:38:58 [DEBUG] (1) evtx::binxml::assemble: Template in offset 2065 was not found in cache
14:38:58 [INFO] Record id - 188709
14:38:58 [DEBUG] (1) evtx::evtx_chunk: Record header - EvtxRecordHeader { data_size: 744, event_record_id: 188709, timestamp: 2018-09-07T04:30:58.380798Z }
14:38:58 [DEBUG] (1) evtx::binxml::assemble: Template in offset 550 was not found in cache
14:38:58 [DEBUG] (1) evtx::binxml::assemble: Template in offset 2065 was not found in cache
14:38:58 [INFO] Record id - 188710
14:38:58 [DEBUG] (1) evtx::evtx_chunk: Record header - EvtxRecordHeader { data_size: 744, event_record_id: 188710, timestamp: 2018-09-07T04:30:58.380798Z }
14:38:58 [DEBUG] (1) evtx::binxml::assemble: Template in offset 550 was not found in cache
14:38:58 [DEBUG] (1) evtx::binxml::assemble: Template in offset 2065 was not found in cache
14:38:58 [INFO] Record id - 188711
14:38:58 [DEBUG] (1) evtx::evtx_chunk: Record header - EvtxRecordHeader { data_size: 744, event_record_id: 188711, timestamp: 2018-09-07T04:32:12.405200Z }
14:38:58 [DEBUG] (1) evtx::binxml::assemble: Template in offset 550 was not found in cache
14:38:58 [DEBUG] (1) evtx::binxml::assemble: Template in offset 2065 was not found in cache
Failed to dump the next record.
Caused by:
0: An error occurred while trying to deserialize evtx stream.
1: Invalid EVTX record header magic, expected `2a2a0000`, found `[ 0, 0, 0, 0]`
Within the source file evtx_chunk.rs this should be the code lines of interest.
From my point of view, the parser should not completely fail if chunk header fields are not set correctly. Instead, the parser should continue at least with the next chunk after an errorneous record could not be parsed.
Nevertheless, thank you for your excellent work and for providing this Event Log parser!
While trying to import Sysmon Event Logs provided by SANS in the Workshop "Cobalt Strike Detection with Event Log Analysis" (see https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395/) to Kuiper, I faced the following parsing error:
I was able to reproduce the issue with another Sysmon Event Log file and found out that if the chunk header fields
last_event_record_idas well asfree_space_offsetare greater than the actual number of records in the chunk, the parser fails with the aforementioned error. A sample output of parsing the Sysmon Event Log file provided by SANS in debug mode is shown below. Please note, that I added the output of the chunk header fields for debugging purposes.Within the source file
evtx_chunk.rsthis should be the code lines of interest.https://github.com/omerbenamram/evtx/blob/0950198ed6c0f2381b1fc0b79c1fa4d094f638f3/src/evtx_chunk.rs#L250-L258
From my point of view, the parser should not completely fail if chunk header fields are not set correctly. Instead, the parser should continue at least with the next chunk after an errorneous record could not be parsed.
Nevertheless, thank you for your excellent work and for providing this Event Log parser!