
Add a generator exported function for events.

Open · maximelb opened this issue 3 years ago · 2 comments

Provide an exported function to generate native (maps) Events through a channel instead of generating the whole file all at once.

This allows for more efficient processing of very large evtx files to stream JSON out.

The generator takes a file descriptor to read the evtx from, and returns a channel of event+error, a close function (to abort processing) and an error for the initial reading of the evtx file.

maximelb · Dec 18 '22 04:12
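The generator shape proposed above (a channel carrying event-or-error, a close function to abort, and a synchronous error for the initial read), as an added example. This is illustration code, not the project's implementation: the evtx parser is replaced by a constructed stand-in format (an assumed magic line followed by one JSON object per line), and the names GenerateEvents, StreamJSON, Result, demoMagic and SampleInput are assumptions. The point it shows that the description alone does not is the cancellation plumbing: every send on the channel is raced against the close function, so a consumer that stops early never leaves the producer goroutine blocked.

```go
package main

import (
	"bufio"
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"os"
	"strings"
)

// Result is one item on the event stream: a parsed event as a native map,
// or the error that affected this record. Exactly one of the two is set.
type Result struct {
	Event map[string]interface{}
	Err   error
}

// demoMagic is an assumed stand-in for the evtx file header. The constructed
// input format is this magic line followed by one JSON object per line.
const demoMagic = "EVTX-DEMO"

// GenerateEvents (hypothetical name) reads the header synchronously so that a
// bad file is reported as the third return value, then parses records in a
// goroutine and delivers them on the returned channel. The returned close
// function aborts parsing and is safe to call more than once.
func GenerateEvents(r io.Reader) (<-chan Result, func(), error) {
	br := bufio.NewReader(r)
	header, err := br.ReadString('\n')
	if err != nil {
		return nil, nil, fmt.Errorf("reading header: %w", err)
	}
	if strings.TrimSpace(header) != demoMagic {
		return nil, nil, fmt.Errorf("unexpected header %q", strings.TrimSpace(header))
	}

	ctx, cancel := context.WithCancel(context.Background())
	out := make(chan Result)
	go func() {
		defer close(out)
		for {
			line, rerr := br.ReadString('\n')
			if strings.TrimSpace(line) != "" {
				var res Result
				if perr := json.Unmarshal([]byte(line), &res.Event); perr != nil {
					// A malformed record is reported on the stream, not fatal.
					res = Result{Err: fmt.Errorf("malformed record: %w", perr)}
				}
				// Race the send against cancellation so an abandoned consumer
				// never leaves this goroutine blocked forever.
				select {
				case out <- res:
				case <-ctx.Done():
					return
				}
			}
			if rerr != nil {
				if !errors.Is(rerr, io.EOF) {
					select {
					case out <- Result{Err: rerr}:
					case <-ctx.Done():
					}
				}
				return
			}
		}
	}()
	return out, cancel, nil
}

// StreamJSON consumes the generator, writing each event as one JSON line to w.
// With limit > 0 it stops after that many events by invoking the close function.
// It reports how many events were written and how many records failed to parse.
func StreamJSON(r io.Reader, w io.Writer, limit int) (written, bad int, err error) {
	events, stop, err := GenerateEvents(r)
	if err != nil {
		return 0, 0, err
	}
	defer stop() // aborts the producer if we return early
	enc := json.NewEncoder(w)
	for res := range events {
		if res.Err != nil {
			bad++
			continue
		}
		if err := enc.Encode(res.Event); err != nil {
			return written, bad, err
		}
		written++
		if limit > 0 && written >= limit {
			return written, bad, nil
		}
	}
	return written, bad, nil
}

// SampleInput is constructed test data, not a real evtx file; record two is
// deliberately truncated to exercise the per-record error path.
const SampleInput = demoMagic + "\n" +
	`{"EventID":4624,"Computer":"ws01","LogonType":2}` + "\n" +
	`{"EventID":4625,"Computer":"ws01"` + "\n" +
	`{"EventID":4688,"Computer":"ws01","NewProcessName":"C:\\Windows\\System32\\cmd.exe"}` + "\n" +
	`{"EventID":4672,"Computer":"ws01"}` + "\n"

func main() {
	written, bad, err := StreamJSON(strings.NewReader(SampleInput), os.Stdout, 0)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Fprintf(os.Stderr, "%d events streamed, %d malformed records skipped\n", written, bad)
}
```

The unbuffered channel is intentional: back-pressure from a slow JSON writer throttles the producer, which is what makes the streaming shape useful on a multi-gigabyte file.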

CLA assistant check
All committers have signed the CLA.

CLAassistant · Dec 18 '22 04:12

We are still parsing entire chunks at a time, so it really doesn't make much difference for very large evtx files, right?

Here is the corresponding code in Velociraptor https://github.com/Velocidex/velociraptor/blob/d62b72887b3b2364554cdba9645570b43c91f347/vql/parsers/event_logs/evtx.go#L103

I guess this is more of a convenience function, but it won't make much difference to memory performance during parsing of large evtx files.

scudette · Dec 18 '22 09:12