error creating too many sqlite db columns

[Mal4ensics]

I input 370 evtx files from the system I am using in a real environment. In this case, a query that creates about 2000~3000 sqlite db columns is made, which causes an error. The sqlite db is limited to creating 2000 columns by default.

[wagga40]

Hi,

this is a limit that can be changed at compilation time so the sqlite Python module must be recompiled. I'm kinda stuck.

May be there are other ways to handle your 370 EVTX files to avoid having so much columns in the database :

• if your EVTX files come from different computers, may be you can execute Zircolite on a per computer basis ? (all EVTX related to one unique computer). It is possible to do it it parallel like this
• if your EVTX files come from WEC/WEF (aggregated EVTX), may be you can execute Zircolite on a per file basis like explained here
• if your EVTX files come from a single computer, not a lot of Sigma rules handle multiple log channels (Defender, Security, Application etc.) so may be you can execute Zircolite on a per file basis too ? (like in the previous example).

[Mal4ensics]

I input event logs generated by one system. Many systems seem to have more than 350 event logs these days.

I'm trying to use Zircolite with a tool called KAPE, so it seems hard other than to recompile.

I'll try to figure out how to recompile to create an exe file after removing the column limit.

Thank you for answer.

[wagga40]

I'll try to figure out how to recompile to create an exe file after removing the column limit.

I'm sorry I'm not very helpful. The sqlite Python module devs have kept the limit recommended by the sqlite developer.

I really recommend you to try to launch Zircolite separately on each EVTX files or on a bunch of files.

[Mal4ensics]

Thanks for your comments.

I created a new exe file that triggers Zircolite multiple times, so that it runs normally in KAPE as well.