-
Notifications
You must be signed in to change notification settings - Fork 166
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update to evtx_dump_json.py #90
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
would you please provide some test data and demonstrate how the script extracts further information? it would be best to add a test case, too, so we asset the script works well in the future after unrelated changes.
scripts/evtx_dump_json.py
Outdated
|
||
# Print the JSON object for the specific log if not requested to output to file | ||
if not args.output: | ||
print("Original") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i think the output should be valid json, so it can be piped to jq, for example. so perhaps make these keys in a bigger dictionary.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
oops, that was part of my bug fix steps, will remove
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A good example of this is in the screenshot below. I missed out on key data like "EventID," "TimeCreated", and "Computer" using the old version since I only focused on the "EventRecordID" within the System portion of the Eventlog xml. The new version parses the entire System and EventData sections of the Eventlog xml now! The below screenshot has the old version on top and the new version below. |
Are you able to share that log file, or generate a similar one? |
Definitely, how would you like it? |
let's add it to |
added to tests/data! |
Is there a reason why the tests fail each time? Using that form of testing is new to me! |
Wow, it had been a bit since I looked at the testing code. I went through and made a bunch of fixes and enhancements. Now the tests should work well (they do in CI: https://github.com/williballenthin/python-evtx/actions/runs/9641798469). I hate to do this to you, but would you update this PR with the changes to master? Github may have a button for it above, or you can pull from master locally. I think the only conflicts should be around single vs double quotes. |
Definitely, I'll rebase locally and then put in a new PR |
fixed JSON dump to collect all necessary xml data from logs. Originally missing pivotal Sysmon data from within the System portion of Event XML data.