Custom Output Question #52
Comments
|
Hi @forensicmatt,
Regarding your use case, I'm not sure I fully understand the issue, why not transform the current output JSON to fit your liking? Is there any information you think is missing in the current representation? I could improve the JSON output if necessary. |
|
Here is one example: Mostly you have <EventRecordID>3948</EventRecordID>But there are also: <EventID Qualifiers="16384">9009</EventID>In JSON this is : "EventID": 10001,"EventID": {
"#attributes": {
"Qualifiers": 16384
},
"#text": 9009
},Because the value of EventID can be either a Number, or an Object, this prevents ingesting records into elastic. My first thought was instead of naming an Elements attributes with #attributes, to make it An example of what the json would look like: "EventID": 9009,
"EventID_attributes": {
"Qualifiers": 16384
}, |
Is this something that you would be open to making public and just stating that its not polished? If this was public I could just experiment with making my own Output right? |
|
I created a pull request for a solution that solves this issue without a performance hit: #53. |
I am wanting to create a custom output. Something very similar to evtx::json_output::JsonOutput, but I want to be able to tweak how the json is generated just a little bit to get around some hurdles of ingesting the json into Elastic. Is it possible in 0.4.1 to create a custom output structure that implements BinXmlOutput? My issue is that some of the required modules are not public (for example evtx::model::xml::XmlElement).
Thanks in advance for the help.
The text was updated successfully, but these errors were encountered: