Your message dated Sun, 14 Apr 2013 00:42:41 +0800
with message-id <1365871361.13793.261.camel@chianamo>
and subject line Re: Bug#705327: grokevt-parselog: support operation without a database
has caused the Debian Bug report #705327,
regarding grokevt-parselog: support operation without a database
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
705327: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=705327
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: grokevt
Version: 0.4.1-7
Severity: wishlist
grokevt-parselog requires a database, but I just received some
standalone .evtx files that I want to dump and I don't have access to
the Windows partition that they are from. It would be nice if grokevt
could parse standalone .evtx files.
--
bye,
pabs
http://wiki.debian.org/PaulWise
--- End Message ---
--- Begin Message ---
On Sat, 2013-04-13 at 10:06 -0700, Tim wrote:
> Thanks for the suggestion. I'm the upstream developer. The issue
> with event logs of any format is that you can't produce human readable
> logs without a database of some kind. I think evtx files are even
> worse in this sense. One could try to ship a database with the
> software (which could have copyright issues), but this may produce
> inaccurate output. The gist of it is, an evt or evtx file is not the
> whole log. It doesn't contain all the information necessary to
> convert to a reasonable format. No easy way around that.
Ok, thanks for the info, closing the bug then.
> Finally, grokevt doesn't currently support evtx at all. It would be
> nice to add support, but I currently don't have the time to tackle it.
> (I will definitely consider any patches you wish to submit. =) For
> evtx, I recommend you take a look at Andreas Schuster's parser or
> Willi Ballenthin's python module.
Thanks for the pointers.
--
bye,
pabs
http://wiki.debian.org/PaulWise
--- End Message ---
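An added example (not part of the bug report and not grokevt's own code) illustrating the point made in the reply above for the legacy .evt format that grokevt parses: a constructed EVENTLOGRECORD carries only the source name, event ID and insertion strings, so a human-readable line can only be produced once a message template from the originating Windows install is available. The record contents, the template and the dictionary standing in for grokevt's database are all constructed here.

```python
import re
import struct

# Fixed 56-byte header of a legacy Windows .evt record (EVENTLOGRECORD).
_HDR = struct.Struct("<IIIIIIHHHHIIIIII")
_MAGIC = 0x654C664C  # the "LfLe" signature

def build_record(source, computer, event_id, strings, rec_no=1, when=0):
    """Construct a minimal .evt record (constructed test data, not a real log)."""
    names = (source + "\0" + computer + "\0").encode("utf-16-le")
    body = "".join(s + "\0" for s in strings).encode("utf-16-le")
    string_off = _HDR.size + len(names)
    pad = (-(string_off + len(body))) % 4          # records are DWORD aligned
    length = string_off + len(body) + pad + 4      # +4: trailing copy of Length
    hdr = _HDR.pack(length, _MAGIC, rec_no, when, when, event_id,
                    1, len(strings), 0, 0, 0,      # EventType=1 (Error), NumStrings
                    string_off, 0, 0, 0, 0)        # no SID, no binary data
    return hdr + names + body + b"\0" * pad + struct.pack("<I", length)

def parse_record(buf):
    """Return what the .evt record itself holds: no message text, only its parts."""
    (length, magic, rec_no, _tg, _tw, event_id, _et, n_str, _cat, _fl,
     _cl, string_off, _sl, _so, _dl, _do) = _HDR.unpack_from(buf, 0)
    if magic != _MAGIC or struct.unpack_from("<I", buf, length - 4)[0] != length:
        raise ValueError("not a well-formed EVENTLOGRECORD")
    names = buf[_HDR.size:string_off].decode("utf-16-le").split("\0")
    strings = buf[string_off:length - 4].decode("utf-16-le").split("\0")[:n_str]
    return {"record": rec_no, "source": names[0], "computer": names[1],
            "event_id": event_id, "strings": strings}

def render(rec, message_db):
    """Expand %1, %2, ... in the template that a message database supplies (a dict
    here, standing in for the message DLL strings grokevt pulls from a Windows
    install). Without the template there is nothing to render."""
    tmpl = message_db.get((rec["source"], rec["event_id"]))
    if tmpl is None:
        return None
    def sub(m):
        i = int(m.group(1)) - 1
        return rec["strings"][i] if 0 <= i < len(rec["strings"]) else m.group(0)
    return re.sub(r"%(\d+)", sub, tmpl)

# Constructed sample modelled on a Service Control Manager record with two insertions.
SAMPLE = build_record("Service Control Manager", "WS01", 7034, ["Print Spooler", "3"])
SAMPLE_DB = {("Service Control Manager", 7034):
             "The %1 service terminated unexpectedly. It has done this %2 time(s)."}

if __name__ == "__main__":
    rec = parse_record(SAMPLE)
    print("without database:", rec["strings"])      # only the raw insertion strings
    print("with database:   ", render(rec, SAMPLE_DB))
```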
_______________________________________________
forensics-devel mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/forensics-devel