Update to evtx_dump_json.py #90
Conversation
Would you please provide some test data and demonstrate how the script extracts further information? It would be best to add a test case, too, so we assert the script works well in the future after unrelated changes.
scripts/evtx_dump_json.py (Outdated)

```python
# Print the JSON object for the specific log if not requested to output to file
if not args.output:
    print("Original")
```
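Review bot: the bare `print("Original")` on the `if not args.output:` branch writes a non-JSON line to stdout, so any consumer parsing the output as JSON (for example `jq`) will fail on it; drop the debug print and emit the record as one `json.dumps(...)` object on that branch instead.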
I think the output should be valid JSON, so it can be piped to jq, for example. So perhaps put these keys in a bigger dictionary.
Oops, that was part of my bug-fix steps, will remove.
A good example of this is in the screenshot below. I missed out on key data like "EventID", "TimeCreated", and "Computer" using the old version, since I only focused on the "EventRecordID" within the System portion of the Eventlog XML. The new version parses the entire System and EventData sections of the Eventlog XML now! The below screenshot has the old version on top and the new version below.
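The two review points above, that the dump should be one valid JSON object per record so it pipes into jq, and that the System and EventData sections of the event XML both need to be walked rather than just EventRecordID, can be combined in one small parser. The following is an added example written for this page; it is not the code from this PR or from python-evtx's own scripts/evtx_dump_json.py. It assumes the input is the XML string that python-evtx renders for a record (the same document shape the screenshot discusses), uses the real Windows event XML namespace, and works on a constructed Sysmon-style Event ID 1 record with made-up values; the function names are mine.

```python
import json
import xml.etree.ElementTree as ET

# Namespace every Windows Event Log record's XML lives in.
EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NSMAP = {"e": EVT_NS}

# Constructed sample: a Sysmon-style process-creation record (Event ID 1),
# shaped like what python-evtx renders for a record. All values are made up.
SAMPLE_EVENT_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon"/>
    <EventID>1</EventID>
    <Version>5</Version>
    <Level>4</Level>
    <Task>1</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2024-06-24T12:00:00.000000Z"/>
    <EventRecordID>12345</EventRecordID>
    <Correlation/>
    <Execution ProcessID="1234" ThreadID="5678"/>
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>WORKSTATION01</Computer>
    <Security UserID="S-1-5-18"/>
  </System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2024-06-24 12:00:00.000</Data>
    <Data Name="ProcessId">4242</Data>
    <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
    <Data Name="CommandLine">cmd.exe /c whoami</Data>
    <Data Name="User">WORKSTATION01\alice</Data>
    <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>
"""


def _local(tag):
    """Drop the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def parse_system(system_el):
    """Flatten <System>: text-only children become strings; children that
    carry attributes (Provider, TimeCreated, Execution, Security, ...)
    become dicts of those attributes, with any element text under '#text'."""
    out = {}
    for child in system_el:
        name = _local(child.tag)
        text = (child.text or "").strip()
        if child.attrib:
            out[name] = dict(child.attrib)
            if text:
                out[name]["#text"] = text
        else:
            out[name] = text
    return out


def parse_event_data(event_data_el):
    """Collect <Data Name="...">value</Data> pairs (Sysmon and most modern
    providers). Unnamed <Data> elements are kept in order under 'Data'."""
    out = {}
    unnamed = []
    for data in event_data_el:
        if _local(data.tag) != "Data":
            continue
        value = (data.text or "").strip()
        name = data.get("Name")
        if name is None:
            unnamed.append(value)
        else:
            out[name] = value
    if unnamed:
        out["Data"] = unnamed
    return out


def event_xml_to_dict(xml_text):
    """Parse one rendered record into {"System": {...}, "EventData": {...}}.
    A section that is absent from the record is simply left out."""
    root = ET.fromstring(xml_text)
    record = {}
    system = root.find("e:System", NSMAP)
    if system is not None:
        record["System"] = parse_system(system)
    event_data = root.find("e:EventData", NSMAP)
    if event_data is not None:
        record["EventData"] = parse_event_data(event_data)
    return record


def event_xml_to_json(xml_text):
    """One JSON object per record (JSON Lines), so the output pipes cleanly to jq."""
    return json.dumps(event_xml_to_dict(xml_text), sort_keys=True)


if __name__ == "__main__":
    print(event_xml_to_json(SAMPLE_EVENT_XML))
```

Emitting exactly one `json.dumps` object per record, with System and EventData as nested keys, is what makes `python evtx_dump_json.py file.evtx | jq '.System.EventID'` work; a stray debug `print` on the same stream breaks it. Keeping attribute-bearing System elements as dicts (so `TimeCreated.SystemTime`, `Execution.ProcessID`) rather than flattening them avoids losing the fields the old version missed.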
Are you able to share that log file, or generate a similar one?
Definitely, how would you like it?
Let's add it to
Added to tests/data!
Is there a reason why the tests fail each time? Using that form of testing is new to me!
Wow, it had been a bit since I looked at the testing code. I went through and made a bunch of fixes and enhancements. Now the tests should work well (they do in CI: https://github.com/williballenthin/python-evtx/actions/runs/9641798469). I hate to do this to you, but would you update this PR with the changes to master? GitHub may have a button for it above, or you can pull from master locally. I think the only conflicts should be around single vs double quotes.
Definitely, I'll rebase locally and then put in a new PR.
Fixed JSON dump to collect all necessary XML data from logs. Originally missing pivotal Sysmon data from within the System portion of Event XML data.