
tailing

Open dkhokhlov opened this issue 2 years ago • 2 comments

Is it possible to tail evtx files? Using a custom ReadSeek?

dkhokhlov, Sep 08 '22 18:09

It's technically possible using seek, as you've mentioned. However, it's not implemented by evtx_dump.

omerbenamram, Sep 11 '22 09:09

It looks like chunks get reused. Is that why evtx dumps records out of order? Will the tailing need to traverse the whole file to get the last record?

dkhokhlov, Sep 11 '22 17:09
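
Added example (not from the thread or the evtx project): one way to find the chunk holding the newest record through any `Read + Seek` source, by reading only the chunk headers instead of parsing every record. It assumes the documented EVTX layout (4096-byte file header, 64 KiB chunks starting with `ElfChnk\0`, last event record identifier at offset 32 of the chunk header) and that the headers on disk are current. `newest_chunk` and `sample_image` are hypothetical names, and the image is constructed.

```rust
use std::io::{self, Cursor, Read, Seek, SeekFrom};

const FILE_HEADER_SIZE: u64 = 4096; // file header block precedes the chunks
const CHUNK_SIZE: u64 = 65536; // every chunk slot is 64 KiB

fn le_u64(b: &[u8]) -> u64 {
    let mut a = [0u8; 8];
    a.copy_from_slice(&b[..8]);
    u64::from_le_bytes(a)
}

/// Scan only the chunk headers and return (chunk index, last record id) of the
/// chunk with the highest record id. Slots without the chunk magic are skipped,
/// and a trailing partial chunk is ignored.
pub fn newest_chunk<R: Read + Seek>(src: &mut R) -> io::Result<Option<(u64, u64)>> {
    let len = src.seek(SeekFrom::End(0))?;
    let mut newest: Option<(u64, u64)> = None;
    let (mut index, mut hdr) = (0u64, [0u8; 40]);
    while FILE_HEADER_SIZE + (index + 1) * CHUNK_SIZE <= len {
        src.seek(SeekFrom::Start(FILE_HEADER_SIZE + index * CHUNK_SIZE))?;
        src.read_exact(&mut hdr)?;
        if hdr.starts_with(b"ElfChnk\0") {
            let last_id = le_u64(&hdr[32..]); // last event record identifier
            if newest.map_or(true, |(_, id)| last_id > id) {
                newest = Some((index, last_id));
            }
        }
        index += 1;
    }
    Ok(newest)
}

/// Constructed sample: three chunk slots. Slot 0 holds the newest records (as
/// if it had been reused), slot 1 holds older ones, slot 2 is empty.
pub fn sample_image() -> Vec<u8> {
    let mut img = vec![0u8; (FILE_HEADER_SIZE + 3 * CHUNK_SIZE) as usize];
    img[..8].copy_from_slice(b"ElfFile\0");
    for &(slot, first_id, last_id) in [(0usize, 201u64, 260u64), (1, 101, 200)].iter() {
        let base = FILE_HEADER_SIZE as usize + slot * CHUNK_SIZE as usize;
        img[base..base + 8].copy_from_slice(b"ElfChnk\0");
        img[base + 24..base + 32].copy_from_slice(&first_id.to_le_bytes());
        img[base + 32..base + 40].copy_from_slice(&last_id.to_le_bytes());
    }
    img
}

fn main() -> io::Result<()> {
    println!("{:?}", newest_chunk(&mut Cursor::new(sample_image()))?);
    Ok(())
}
```

A tailer built this way would remember the returned record id and, on each poll, parse only chunks whose header reports a higher one.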