Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add names of attributes to parsed EventData #95

Open
PsySuck opened this issue Feb 7, 2023 · 1 comment
Open

Add names of attributes to parsed EventData #95

PsySuck opened this issue Feb 7, 2023 · 1 comment

Comments

@PsySuck
Copy link

PsySuck commented Feb 7, 2023

Hi.
When parse_description is false, eventdata will be added to message, but only values.
Example:
"EventData":["2478079","2023-02-03","200","Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/109.0.0.0+Safari/537.36+Edg/109.0.1518.78"]}
But in xml:
<EventData>
<Data Name="EnabledFieldsFlags">2478079</Data>
<Data Name="date">2023-02-07</Data>
<Data Name="sc-status">200</Data>
<Data Name="csUser-Agent">Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/109.0.0.0+Safari/537.36</Data>
</EventData>
Is it possible to add name of attributes to parsed EventData?
"EventData":["EnabledFieldsFlags":"2478079","date":"2023-02-03","sc-status":"200","csUser-Agent":"Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/109.0.0.0+Safari/537.36+Edg/109.0.1518.78"]}

@daipom
Copy link
Contributor

daipom commented Jun 19, 2024

I see.
Looks like it is not possible now.
It looks like the library winevt_c does not have the feature:

https://github.com/fluent-plugins-nursery/winevt_c/blob/9dd9c81432b1e0180c7abc19de8415bb42db2e49/ext/winevt/winevt_utils.cpp#L172-L405

I'm not sure how to achieve this as a Win32 API in the first place.
It looks like there is no description of how to take the Data Name of the EventData (The result for EvtRenderContextUser).

If we figure out how to use the Win32 API for this, it would be possible to improve the library.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants