Update to evtx_dump_json.py

[ajread4]

fixed JSON dump to collect all necessary xml data from logs. Originally missing pivotal Sysmon data from within the System portion of Event XML data.

[ajread4]

would you please provide some test data and demonstrate how the script extracts further information? it would be best to add a test case, too, so we asset the script works well in the future after unrelated changes.

A good example of this is in the screenshot below. I missed out on key data like "EventID," "TimeCreated", and "Computer" using the old version since I only focused on the "EventRecordID" within the System portion of the Eventlog xml. The new version parses the entire System and EventData sections of the Eventlog xml now!

The below screenshot has the old version on top and the new version below.

[williballenthin]

Are you able to share that log file, or generate a similar one?

[ajread4]

Are you able to share that log file, or generate a similar one?

Definitely, how would you like it?

[williballenthin]

let's add it to tests/data and we can reference it from a test.

[ajread4]

added to tests/data!

[ajread4]

Is there a reason why the tests fail each time? Using that form of testing is new to me!

[williballenthin]

Wow, it had been a bit since I looked at the testing code. I went through and made a bunch of fixes and enhancements. Now the tests should work well (they do in CI: https://github.com/williballenthin/python-evtx/actions/runs/9641798469).

I hate to do this to you, but would you update this PR with the changes to master? Github may have a button for it above, or you can pull from master locally. I think the only conflicts should be around single vs double quotes.

[ajread4]

Definitely, I'll rebase locally and then put in a new PR