Bug#705327: grokevt-parselog: support operation without a database
Tim
tim-forensics at sentinelchicken.org
Sat Apr 13 17:06:58 UTC 2013
Hi Paul,
Thanks for the suggestion. I'm the upstream developer. The issue
with event logs of any format is that you can't produce human readable
logs without a database of some kind. I think evtx files are even
worse in this sense. One could try to ship a database with the
software (which could have copyright issues), but this may produce
inaccurate output. The gist of it is, an evt or evtx file is not the
whole log. It doesn't contain all the information necessary to
convert to a reasonable format. No easy way around that.
Finally, grokevt doesn't currently support evtx at all. It would be
nice to add support, but I currently don't have the time to tackle it.
(I will definitely consider any patches you wish to submit. =) For
evtx, I recommend you take a look at Andreas Schuster's parser or
Willi Ballenthin's python module.
Good luck,
tim
On Sat, Apr 13, 2013 at 03:15:03PM +0800, Paul Wise wrote:
> Package: grokevt
> Version: 0.4.1-7
> Severity: wishlist
>
> grokevt-parselog requires a database, but I just received some
> standalone .evtx files that I want to dump and I don't have access to
> the Windows partition that they are from. It would be nice if grokevt
> could parse standalone .evtx files.
>
> --
> bye,
> pabs
>
> http://wiki.debian.org/PaulWise
> _______________________________________________
> forensics-devel mailing list
> forensics-devel at lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/forensics-devel
More information about the forensics-devel
mailing list