The issue with sorting data is that sometimes, under 'EventData', the parameters are occasionally "Named" rather than just param1, param2, etc. If you try to fill in the sorted "named" variables, as opposed to the correct ordering, the message strings no longer make any sense.
For example, here is the difference between JSON and XML output for the same event:

JSON:

![image](https://github.com/omerbenamram/evtx/assets/92640851/e9ae154a-d690-428f-93bb-44d9756159df)

XML:

![image](https://github.com/omerbenamram/evtx/assets/92640851/446f60c2-3a66-4248-bef9-c7daa912bc24)
The way messages are stored and expected to be parsed is the same way they are stored in the raw data. For example, it will expect you to fill in the first parameter followed by the 4th parameter. The way JSON is currently returning data, all of the parameters will be out of order, and it will not be possible to fill in the event message data correctly.
When converting the objects to JSON here: https://github.com/omerbenamram/evtx/blob/master/src/evtx_record.rs#L101-L105
This serde_json function is sorting the results when returning the data. Serde_json has a feature to preserve the order and not sort data, mentioned here: https://docs.rs/serde_json/latest/serde_json/enum.Value.html#variant.Object
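To make the ordering problem concrete, here is an added illustration (not code from evtx or serde_json) using Python's `json` module, where `sort_keys=True` stands in for a key-sorting serializer and the default insertion-ordered dict stands in for one with order preserved. The EventData names, values and the `%n` message template are constructed for the example; the template follows the Windows convention of `%1` meaning the first `<Data>` element in document order.

```python
import json
import re

# Constructed sample: EventData as it appears in the XML, in document order.
# The element names and values are illustrative, not from a real provider manifest.
EVENT_DATA_ORDERED = [
    ("SubjectUserName", "alice"),
    ("SubjectDomainName", "CORP"),
    ("TargetUserName", "svc-backup"),
    ("LogonType", "3"),
]

# Constructed message template in the Windows %n insertion-string style:
# %1 is the first Data element in document order, %4 the fourth, and so on.
TEMPLATE = "An account was logged on: %1\\%2 authenticated as %3 with logon type %4."


def render(template, values):
    """Replace each %n placeholder with the n-th (1-based) parameter value."""
    return re.sub(r"%(\d+)", lambda m: values[int(m.group(1)) - 1], template)


def to_json_sorted(pairs):
    """What a key-sorting serializer (serde_json without preserve_order) emits."""
    return json.dumps(dict(pairs), sort_keys=True)


def to_json_ordered(pairs):
    """What an insertion-order-preserving serializer emits."""
    return json.dumps(dict(pairs))


def values_from_json(text):
    """A downstream consumer that takes key order in the JSON as parameter order."""
    return list(json.loads(text).values())


def render_from_json(text):
    """Fill the template from a JSON EventData object, positionally."""
    return render(TEMPLATE, values_from_json(text))


if __name__ == "__main__":
    # Sorted keys put LogonType first, so %1 becomes "3" and the message is wrong.
    print(render_from_json(to_json_sorted(EVENT_DATA_ORDERED)))
    # Preserved order reproduces the XML order, so the message reads correctly.
    print(render_from_json(to_json_ordered(EVENT_DATA_ORDERED)))
```

Any consumer that resolves `%n` placeholders from the JSON needs the keys in document order; once they have been sorted, the original position is unrecoverable from the JSON alone.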