Thanks for writing this library, I think it will be very useful to me.

A minor nit however regarding evtxexport.

When you ask for xml output (-f xml) the output is not valid xml because

1. The first line contains the program name - this line should either be omitted or surrounded with XML comment ()
2. there is no 'root' tag surrounding the individual tags, say `<Events>[<Event>]*</Events>`

Wrt 'recovered' entries - the xml was just not valid e.g., missing end tag ()

changes for 1 require moving the call to evtxoutput_version_fprint after argument processing so the export_format is known:

```c
/* before evtxoutput_version_fprint() writes the banner */
if( evtxexport_export_handle->export_format == EXPORT_FORMAT_XML )
{
	fprintf(stdout, "<!-- \n");
}
/* after the banner has been written */
if( evtxexport_export_handle->export_format == EXPORT_FORMAT_XML )
{
	fprintf(stdout, "\n-->\n");
}
```

changes for 2: are just a couple of additional fprintfs in export_handle.c
> When you ask for xml output (-f xml) the output is not valid xml because

This is not the goal of the program to have a valid full XML document. The goal of the -f xml option is to provide output that is comparable to windows event log viewer xml output. You can easily write a small program around the library or Python binding to accomplish this if you need to.

> Wrt 'recovered' entries - the xml was just not valid e.g., missing end tag ()
Another question, in the xml I see the following (in vim):

```
%%1537^M
%%1538^M
%%1539^M
%%7168^M
%%7169^M
%%7170^M
%%7171^M
%%7172^M
%%7173^M
```

Why the extra carriage return? The characters can be removed so they really are there.
Or is this what is in the evtx bXML? Some list separator syntax? I don't have a good C IDE environment to debug this; obviously I can simply remove all carriage returns but they only show up for the AccessMask data values.
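The "small program around the output" the maintainer suggests, covering both the banner/root-tag problem and the carriage returns in the AccessMask values, as an added example that is not part of libevtx or of this thread: it takes the text that `evtxexport -f xml` writes, moves the banner into an XML comment, normalises CR LF to LF, wraps the events in a root element and checks that the result parses. The sample input is constructed (banner text, event content and the function names are assumptions; only the Windows event namespace is real).

```python
import xml.etree.ElementTree as ET

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"

# Constructed stand-in for `evtxexport -f xml` output (not real tool output):
# a banner line, a blank line, then bare <Event> elements, with CR LF line
# endings inside the AccessMask value as reported in the issue.
SAMPLE = (
    "evtxexport VERSION-PLACEHOLDER\n"
    "\n"
    f'<Event xmlns="{EVENT_NS}"><System><EventID>4663</EventID></System>'
    '<EventData><Data Name="AccessMask">%%1537\r\n%%1538\r\n%%1539\r\n</Data>'
    "</EventData></Event>\r\n"
    f'<Event xmlns="{EVENT_NS}"><System><EventID>4656</EventID></System>'
    "<EventData/></Event>\r\n"
)

def is_well_formed(doc: str) -> bool:
    """True if doc parses as a single XML document (the raw output does not)."""
    try:
        ET.fromstring(doc)
        return True
    except ET.ParseError:
        return False

def wrap_evtxexport_xml(raw: str, root_tag: str = "Events") -> str:
    """Turn raw evtxexport output into one document: banner -> XML comment,
    CR LF -> LF, all events wrapped in a single root element."""
    text = raw.replace("\r\n", "\n").replace("\r", "\n")  # drop the ^M seen in vim
    lines = text.split("\n")
    # Everything before the first line that opens an element is banner text.
    first = next((i for i, ln in enumerate(lines) if ln.lstrip().startswith("<")), len(lines))
    banner = "\n".join(lines[:first]).strip()
    body = "\n".join(lines[first:]).strip()
    parts = []
    if banner:
        # "--" is not allowed inside an XML comment, so neutralise it.
        parts.append("<!-- " + banner.replace("--", "- -") + " -->")
    parts.append(f"<{root_tag}>\n{body}\n</{root_tag}>")
    return "\n".join(parts) + "\n"

def access_masks(doc: str) -> list:
    """Flat list of AccessMask entries from a wrapped document, one per line."""
    root = ET.fromstring(doc)
    out = []
    for data in root.iter(f"{{{EVENT_NS}}}Data"):
        if data.get("Name") == "AccessMask" and data.text:
            out.extend(data.text.split())
    return out
```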