orlikoski / CDQR

The Cold Disk Quick Response (CDQR) tool is a fast and easy-to-use forensic artifact parsing tool that works on disk images, mounted drives and extracted artifacts from Windows, Linux, MacOS, and Android devices.
GNU General Public License v3.0
332 stars, 51 forks

CDQR does not parse Windows Event correctly to Kibana #57

Closed mrezqi closed 3 years ago

mrezqi commented 3 years ago

Hi, I tried to parse CyLR output using CDQR to Skadi. This was from a Windows target machine. After parsing, it seems like Windows event logs were not parsed completely.

The main columns such as timestamp and event ID were correct, but the XML strings were left as they were in one giant column. Is this not supported yet in the current version?

davidrudduck commented 3 years ago

This is more to do with how Plaso (specifically psort) handles export to Elasticsearch and less to do with how CDQR works.

CDQR is really just an advanced wrapper script for log2timeline and psort (Plaso).
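Since the raw event XML reaches Elasticsearch as a single string column, the practical fix is a post-processing step that splits it into fields. The following is an added example, not code from CDQR, Plaso or either participant in this thread. It assumes the exported document carries the raw XML in a field named `xml_string` (the attribute name Plaso's winevtx parser uses for it); the sample documents and their other field names are constructed for illustration.

```python
"""Flatten the Windows Event XML that arrives in one column into separate fields.

Added example, not code from CDQR, Plaso or this thread. Assumes the exported
document keeps the raw event XML in a field named ``xml_string`` (the attribute
name Plaso's winevtx parser uses for it); change FIELD if your export differs.
"""
import json
import xml.etree.ElementTree as ET

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
FIELD = "xml_string"  # assumption: column holding the raw event XML


def _local(tag):
    """Drop the namespace part of an ElementTree tag."""
    return tag.split("}", 1)[1] if tag.startswith("{") else tag


def _find(parent, name):
    """Find a child by name whether or not the namespace survived export."""
    node = parent.find(EVT_NS + name)
    return node if node is not None else parent.find(name)


def flatten_event_xml(xml_text):
    """Return {'System.EventID': '4624', 'EventData.TargetUserName': 'alice', ...}.

    System elements contribute their text and attributes (Provider Name,
    TimeCreated SystemTime). EventData/UserData leaves are keyed by their
    Name attribute, else by tag name; unnamed <Data> leaves get Data_N keys
    so nothing is silently dropped. Malformed XML yields an error field
    rather than an exception, so one bad record does not abort a bulk run.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return {"xml_parse_error": str(exc)}

    out = {}
    system = _find(root, "System")
    if system is not None:
        for child in system:
            name = _local(child.tag)
            for attr, value in child.attrib.items():
                out["System.%s.%s" % (name, attr)] = value
            if child.text and child.text.strip():
                out["System." + name] = child.text.strip()

    for section in ("EventData", "UserData"):
        node = _find(root, section)
        if node is None:
            continue
        unnamed = 0
        for leaf in node.iter():
            if leaf is node or len(leaf):  # skip containers, keep leaves
                continue
            key = leaf.attrib.get("Name")
            if not key:
                tag = _local(leaf.tag)
                if tag == "Data":
                    key = "Data_%d" % unnamed
                    unnamed += 1
                else:
                    key = tag
            out["%s.%s" % (section, key)] = (leaf.text or "").strip()
    return out


def expand_documents(docs, field=FIELD):
    """Return copies of exported documents with the XML flattened into columns."""
    expanded = []
    for doc in docs:
        new = dict(doc)
        if isinstance(doc.get(field), str):
            new.update(flatten_event_xml(doc[field]))
        expanded.append(new)
    return expanded


# Constructed sample: a Security 4624 logon record as it would sit in the column.
SAMPLE_XML = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<System><Provider Name="Microsoft-Windows-Security-Auditing" '
    'Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"/>'
    '<EventID>4624</EventID><Version>2</Version><Level>0</Level>'
    '<TimeCreated SystemTime="2021-03-01T10:15:00.000000Z"/>'
    '<Channel>Security</Channel><Computer>WS01.corp.local</Computer></System>'
    '<EventData><Data Name="TargetUserName">alice</Data>'
    '<Data Name="TargetDomainName">CORP</Data><Data Name="LogonType">10</Data>'
    '<Data Name="IpAddress">10.0.0.23</Data><Data>unnamed-payload</Data>'
    '</EventData></Event>'
)

# Constructed exported documents; field names other than xml_string are illustrative.
SAMPLE_DOCS = [
    {"timestamp": "2021-03-01T10:15:00+00:00", "event_identifier": 4624,
     "xml_string": SAMPLE_XML},
    {"timestamp": "2021-03-01T10:16:00+00:00", "event_identifier": 1102,
     "xml_string": "<Event><System>"},  # truncated record, must not crash the run
]

if __name__ == "__main__":
    print(json.dumps(expand_documents(SAMPLE_DOCS), indent=2))
```

Run it against a dump of the exported documents (for instance the JSON lines psort can emit) and re-index the expanded records, or wire `flatten_event_xml` into an ingest step; the `System.*`, `EventData.*` and `UserData.*` keys then become individual columns in Kibana instead of one opaque string.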

mrezqi commented 3 years ago

Thanks David, I'll close this issue and check with the log2timeline guys.