omerbenamram / evtx

A Fast (and safe) parser for the Windows XML Event Log (EVTX) format
Apache License 2.0

<Event> never closed #7

Closed losynix closed 5 years ago

losynix commented 5 years ago

Hi! Thank you for your work :)

I noticed that somehow the <Event> tag is never closed:

$ cargo run -- --input samples/new-user-security.evtx
Record 1
<?xml version="1.0" encoding="utf-8"?>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="54849625-5478-4994-A5BA-3E3B0328C30D">
[...]
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="PrivilegeList">-</Data>
  </EventData>
Record 2
<?xml version="1.0" encoding="utf-8"?>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
[...]
    <Data Name="LogonHours">%%1797</Data>
  </EventData>
Record 3
<?xml version="1.0" encoding="utf-8"?>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
[...]
  </EventData>
Record 4
<?xml version="1.0" encoding="utf-8"?>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
[...]
  </EventData>

Shouldn't there be a </Event> at the end of each record?

I only gave a quick look at the code, and it seems that the last call to visit_close_element (in src/xml_output.rs) returns because eof_reached is already true.

By the way, would you be interested in a JSON output, or is it not in the scope of the project?
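
A consumer-side check for the truncation described above, added here as an example and not part of the evtx project: it splits the tool's "Record N" delimited output into records and parses each one with Python's stdlib XML parser, which (unlike a lax parser) rejects a record whose <Event> is never closed. The sample output is constructed to mirror the issue (record 1 lacks its closing tag, record 2 is complete).

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample mimicking the output shown in the issue: record 1 is
# missing its </Event>, record 2 is complete. Not real evtx output.
SAMPLE_OUTPUT = """Record 1
<?xml version="1.0" encoding="utf-8"?>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
  </System>
  <EventData>
    <Data Name="SubjectLogonId">0x3e7</Data>
  </EventData>
Record 2
<?xml version="1.0" encoding="utf-8"?>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
  </System>
  <EventData>
    <Data Name="LogonHours">%%1797</Data>
  </EventData>
</Event>
"""

RECORD_HEADER = re.compile(r"^Record (\d+)$", re.MULTILINE)


def split_records(text):
    """Return a list of (record_id, xml_text) from 'Record N' delimited output."""
    matches = list(RECORD_HEADER.finditer(text))
    records = []
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        records.append((int(m.group(1)), text[m.end():end].strip()))
    return records


def check_records(text):
    """Map record_id -> None if well-formed, else the parser's error message."""
    results = {}
    for rid, xml_text in split_records(text):
        try:
            root = ET.fromstring(xml_text)
            # Also reject a record whose root element is not <Event>.
            tag = root.tag.split("}")[-1]
            results[rid] = None if tag == "Event" else f"unexpected root <{tag}>"
        except ET.ParseError as err:
            results[rid] = str(err)
    return results
```

Run against real tool output, any record that maps to an error string should be dropped or quarantined before ingestion rather than passed on to a lenient downstream parser.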

omerbenamram commented 5 years ago

Hey! Thanks for taking a look :) When I was using this with python (via https://github.com/omerbenamram/pyevtx-rs/), it appears python was lax and didn't care about the missing tag!

The issue should be fixed with https://github.com/omerbenamram/evtx/pull/8 (I also added a text-compare test).

BTW: I'm indeed interested in adding JSON output. I'll need to refactor the parser a bit, probably to flatten the information and feed it to serde, but it's the next thing on my TODO list.

losynix commented 5 years ago

Works great now, thanks!

> I'm indeed interested in adding JSON output. I'll need to refactor the parser a bit, probably to flatten the information and feed it to serde, but it's the next thing on my TODO list.

Cool, will keep an eye out for that. Thanks again for your work :)