Unable to create table - Githubissues

giacomoconti1978 commented 1 year ago

I'm new of Zircolite, but when I tty to use it, have this issues:

███████╗██╗██████╗  ██████╗ ██████╗ ██╗     ██╗████████╗███████╗
╚══███╔╝██║██╔══██╗██╔════╝██╔═══██╗██║     ██║╚══██╔══╝██╔════╝
  ███╔╝ ██║██████╔╝██║     ██║   ██║██║     ██║   ██║   █████╗
 ███╔╝  ██║██╔══██╗██║     ██║   ██║██║     ██║   ██║   ██╔══╝
███████╗██║██║  ██║╚██████╗╚██████╔╝███████╗██║   ██║   ███████╗
╚══════╝╚═╝╚═╝  ╚═╝ ╚═════╝ ╚═════╝ ╚══════╝╚═╝   ╚═╝   ╚══════╝

-= Standalone SIGMA Detection tool for EVTX/Auditd/Sysmon Linux =-

[+] Checking prerequisites [+] Extracting events Using 'tmp-YIWJDQ4F' directory 100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 161/161 [00:05<00:00, 28.50it/s] [+] Processing events 100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 161/161 [00:14<00:00, 11.20it/s] [+] Creating model [-] Unable to create table

Why?

wagga40 commented 1 year ago

Hi, could you provide me :

the command line you typed
the version you used (python or packaged release, windows or linux, if linux musl or libc)
any environmental details that could help me understand your problem

Did you try with the option « —debug » and checked Zircolite.log ?

clausing commented 6 months ago

I know this was closed, but I ran into this today and not sure what to do with [-] too many columns on logs This was working on Windows EVTX logs

2024-03-26 15_23_56-sift-azure - SecureCRT

wagga40 commented 6 months ago

Hello, this typically indicates that your logs have too many fields, which turn into columns following the EVTX to SQLite conversion. By default, SQLite, which Zircolite uses as its backend, imposes a strict limit of 2000 columns (see details here). Altering this limit requires recompilation, a step not easily feasible as SQLite is accessed via the Python library in this context.

To avoid this you could :

if you give a lot of EVTX files to Zircolite, reduce the number of files
If you're working with a single, large EVTX file, consider splitting it. One method involves converting the EVTX file to JSONL using evtx_dump (found in Zircolite's bin directory), then dividing the JSONL file using any text file splitting tool, and finally using Zircolite's option to process JSON files

Please give me feedback if it works for you.

wagga40 / Zircolite

Unable to create table #59