Stephen Jeffrey Hindmarch created NIFI-13332:
------------------------------------------------
Summary: NiFi ParseEVTX processor should support EVTX format version 3.2
Key: NIFI-13332
URL: https://issues.apache.org/jira/browse/NIFI-13332
Project: Apache NiFi
Issue Type: Improvement
Components: Core Framework
Affects Versions: 1.24.0
Environment: Docker
Reporter: Stephen Jeffrey Hindmarch
From Windows 10 onwards the format for EVTX (compressed Windows event logs)
has been changed from version 3.1 to 3.2.
The ParseEVTX processor in NiFi parses these files to turn them into sets of
Windows event logs in XML. However, EVTX logs extracted from a Windows 10
laptop will cause the processor to fail with this message:
{noformat}
ParseEvtx[id=c5eadd74-56b2-3763-b7d0-1274b905ce06] Processing failed:
org.apache.nifi.processor.exception.ProcessException: IOException thrown from
ParseEvtx[id=c5eadd74-56b2-3763-b7d0-1274b905ce06]: java.io.IOException:
Invalid minor version. Expected 1 got 2.
- Caused by: java.io.IOException: Invalid minor version. Expected 1 got 2.
{noformat}
Also, the incoming flow file is stuck in the input queue instead of being
transferred to the failure queue.
As Windows 10 and 11 use this format, and I suspect Windows Server 2022 does
too, EVTX 3.2 will be quite mainstream soon and NiFi should support it.
See [GitHub Project
libevtx|https://github.com/libyal/libevtx/blob/main/documentation/Windows%20XML%20Event%20Log%20(EVTX).asciidoc]
for more detailed information.
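A standalone header check illustrating the version handling this ticket asks for, added here as an example (it is not NiFi's ParseEvtx code). It assumes the file header layout documented by libevtx (the "ElfFile" signature, minor and major version at offsets 36 and 38, a CRC32 of the first 120 bytes at offset 124) and that a 3.2 file keeps that header layout; build_header constructs synthetic input and is not a real log.

```python
import struct
import zlib

EVTX_SIGNATURE = b"ElfFile\x00"
HEADER_SIZE = 128        # fixed EVTX file header length
CHECKSUM_SPAN = 120      # header CRC32 covers bytes 0..119
SUPPORTED_MAJOR = 3

def parse_evtx_file_header(data: bytes, accepted_minor=(1, 2)) -> dict:
    """Validate the EVTX file header and return its fields.

    accepted_minor=(1,) reproduces the strict check the ticket hits;
    the default also accepts the 3.2 files written by Windows 10 and later.
    """
    if len(data) < HEADER_SIZE:
        raise ValueError("input shorter than the 128-byte EVTX header")
    hdr = data[:HEADER_SIZE]
    if hdr[:8] != EVTX_SIGNATURE:
        raise ValueError("missing ElfFile signature")
    # Little-endian fields starting at offset 8 (layout per libevtx docs).
    (first_chunk, last_chunk, next_record_id, header_size,
     minor, major, block_size, chunk_count) = struct.unpack_from("<QQQIHHHH", hdr, 8)
    flags, checksum = struct.unpack_from("<II", hdr, CHECKSUM_SPAN)
    # Integrity check before trusting any other field.
    if (zlib.crc32(hdr[:CHECKSUM_SPAN]) & 0xFFFFFFFF) != checksum:
        raise ValueError("file header CRC32 mismatch")
    if major != SUPPORTED_MAJOR:
        raise ValueError(f"Invalid major version. Expected {SUPPORTED_MAJOR} got {major}.")
    if minor not in accepted_minor:
        raise ValueError(f"Invalid minor version. Expected one of {list(accepted_minor)} got {minor}.")
    return {"version": (major, minor), "header_size": header_size,
            "block_size": block_size, "chunk_count": chunk_count,
            "first_chunk": first_chunk, "last_chunk": last_chunk,
            "next_record_id": next_record_id, "flags": flags}

def build_header(major: int, minor: int, chunk_count: int = 1) -> bytes:
    """Construct a synthetic, correctly checksummed file header (test input only)."""
    body = EVTX_SIGNATURE + struct.pack(
        "<QQQIHHHH", 0, chunk_count - 1, 1, HEADER_SIZE, minor, major, 4096, chunk_count)
    body += b"\x00" * (CHECKSUM_SPAN - len(body))       # reserved bytes
    body += struct.pack("<I", 0)                         # file flags
    return body + struct.pack("<I", zlib.crc32(body[:CHECKSUM_SPAN]) & 0xFFFFFFFF)
```

The strict (1,) setting reproduces the "Invalid minor version. Expected 1 got 2" failure on a 3.2 header, while the default accepts both 3.1 and 3.2 without weakening the signature or checksum checks.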