ForwardedEvents.evtx - Evtxecmd.exe processing errors #15
Comments
so is this just one log that fails, or all forwarded events fail?
Eric
Thanks for getting back!
The file that I provided is an exemplar... The evtxecmd.exe utility is failing on _all_ the ForwardedEvents.evtx logs on my WEC server...
I can send other example ForwardedEvents.evtx logs that have been rolled, if you would like.
Dave C.
ok i see what is going on. there are no templates defined for the log. I'll add support for this situation asap. first time seeing it
i would love more sample files for my unit tests tho
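Eric's diagnosis above points at the template definitions a normal log carries in each chunk's template table. As an added example, not code from EvtxECmd or from anyone in this thread, the Python below walks an EVTX file's chunks, validates each chunk header's CRC32 and reports how many template-table entries every chunk has, so an investigator can tell a log with empty template tables apart from a corrupt one before running a parser; it assumes the "no templates" condition refers to the per-chunk template pointer table, and it works on a constructed in-memory sample rather than a real ForwardedEvents.evtx.

```python
import struct
import zlib

CHUNK_SIZE = 0x10000        # every EVTX chunk is 64 KiB
FILE_HEADER_SIZE = 0x1000   # the file header block is 4 KiB
TEMPLATE_TABLE = 0x180      # chunk offset of the 32 x 4-byte template pointer table


def chunk_template_counts(data: bytes) -> list:
    """Per chunk, count non-zero template-table entries (ValueError on bad signature or CRC)."""
    if data[:8] != b"ElfFile\x00":
        raise ValueError("not an EVTX file")
    num_chunks = struct.unpack_from("<H", data, 0x2A)[0]
    counts = []
    for i in range(num_chunks):
        base = FILE_HEADER_SIZE + i * CHUNK_SIZE
        chunk = data[base:base + CHUNK_SIZE]
        if chunk[:8] != b"ElfChnk\x00":
            raise ValueError(f"chunk {i}: bad signature")
        # the header CRC covers bytes 0..0x77 and 0x80..0x1FF (the CRC field itself is skipped)
        if zlib.crc32(chunk[:0x78] + chunk[0x80:0x200]) != struct.unpack_from("<I", chunk, 0x7C)[0]:
            raise ValueError(f"chunk {i}: header checksum mismatch, treat as corrupt")
        ptrs = struct.unpack_from("<32I", chunk, TEMPLATE_TABLE)
        counts.append(sum(1 for p in ptrs if p))
    return counts


def build_chunk(template_ptrs=()) -> bytes:
    """Constructed chunk: valid signature and CRC, the given template pointers, no records."""
    chunk = bytearray(CHUNK_SIZE)
    chunk[:8] = b"ElfChnk\x00"
    struct.pack_into("<I", chunk, 0x28, 0x80)   # header size
    for slot, ptr in enumerate(template_ptrs):
        struct.pack_into("<I", chunk, TEMPLATE_TABLE + 4 * slot, ptr)
    struct.pack_into("<I", chunk, 0x7C, zlib.crc32(chunk[:0x78] + chunk[0x80:0x200]))
    return bytes(chunk)


def build_evtx(chunks) -> bytes:
    """Constructed EVTX file: 4 KiB header block followed by the given chunks."""
    hdr = bytearray(FILE_HEADER_SIZE)
    hdr[:8] = b"ElfFile\x00"
    struct.pack_into("<I", hdr, 0x20, 0x80)     # header size
    struct.pack_into("<HH", hdr, 0x28, FILE_HEADER_SIZE, len(chunks))   # block size, chunk count
    return bytes(hdr) + b"".join(chunks)


# Constructed samples: one chunk that defines two templates, and a two-chunk log
# whose template tables are empty (the condition Eric describes for this log).
SAMPLE_WITH_TEMPLATES = build_evtx([build_chunk([0x200, 0x340])])
SAMPLE_NO_TEMPLATES = build_evtx([build_chunk(), build_chunk()])
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `chunk_template_counts`; a result of all zeros on a log that otherwise validates is the case this issue is about, while a checksum error means the file itself is damaged.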
Eric:
I'm rolling the logs at 4 Gb... This one was half full when I grabbed it. Let me know if you would like any more exemplar files.
downloading
Hello, I believe that I am having the same issue. I have Forwarded event logs from a lab environment. The EVTX file is about 2GB. I am also seeing the error on every event in the ForwardedEvents.evtx file. Do you need additional sample logs? FYI - just downloaded what I believe is the most current version, 0.6.0.0, dated 2/6/2020 and I am still seeing this error. Thanks for all the amazing tools! Robert
Hi Eric, Firstly, thanks for making your tools available. Secondly, I have just encountered this issue when trying to process a 10GB ForwardedEvents.evtx file from a WEC Server. Thinking it was down to the file size I managed to create a smaller evtx file (2MB), using wevtutil, from the 10GB file which contained just the event ID I was initially after; but that has the same issue.
Debug Output:
EvtxECmd version 0.6.5.0
Author: Eric Zimmerman ([email protected])
Command line: -f c:\path_to_evtx\test2.evtx --csv E:\WorkingFiles\SOURCE_SERVER_FWD_ONLY --csvf SOURCE_SERVER_FWD_1101_Only.csv --debug
Warning: Administrator privileges not found!
CSV output will be saved to 'E:\WorkingFiles\SOURCE_SERVER_FWD_1101_Only.csv'
Loading maps from 'C:\Utils\EricZimmerman\EvtxECmd\Maps'
...
'Windows-PowerShell_PowerShell_400.map' is valid. Adding to maps...
Processing 'c:\path_to_evtx\test2.evtx'...
...
Record error at offset 0x11200, record #: 38 error: Specified argument was out of the range of valid values.
...
Parameter name: startIndex
Event log details
Records included: 0 Errors: 853 Events dropped: 0
Errors
...
Record #850: Error: Index was out of range. Must be non-negative and less than the size of the collection.
Processed 1 file in 1.2681 seconds
Files with errors
Other than the actual evtx file (which I don't think I can give you due to the data it contains), is there anything else I can provide to help you resolve this issue? Thanks again Paul
I've seen this before with forwarded events. I'd need some sample logs so I can debug it tho
Hi Eric, I have emailed you a sample. I hope it helps.
Ok great. I'll take a look asap
Eric
Here are the initial error messages. Please note that nothing is being written to the output file.
PS C:\bin\EvtxECmd> .\EvtxECmd.exe -f "d:\test\Archive-ForwardedEvents-2024-03-19-18-36-47-754.evtx" --csv "c:\test\wec_wef" --csvf wec_wef.csv
Author: Eric Zimmerman ([email protected])
Command line: -f d:\test\Archive-ForwardedEvents-2024-03-19-18-36-47-754.evtx --csv c:\test\wec_wef --csvf wec_wef.csv
CSV output will be saved to c:\test\wec_wef\wec_wef.csv
Maps loaded: 423
Processing d:\test\Archive-ForwardedEvents-2024-03-19-18-36-47-754.evtx...
Really appreciate your wizardry in providing this tool to the community!
Dave Crawford
You have done the community a huge service... This is a great utility.
I have, however, found what may be an interesting edge case. In rolling out a Windows Event Collection/Forwarding (WEC/WEF) infrastructure, I attempted to use your utility to dump the contents of an exemplar forwarded events log. Logging was set to archive and roll the ForwardedEvents log. The file size was manipulated so that I could produce a reasonably sized archive file and eliminate the possibility of me corrupting the event log file. The attached file was created and rolled by the system as part of normal log processing.
I run the following:
PS C:\bin\EvtxExplorer> ./evtxecmd.exe -f e:\workspace\Archive-ForwardedEvents-test.evtx --csv e:\workspace --debug
Version is: EvtxECmd version 0.5.2.0
I am getting the following error:
Record error at offset 0x1200, record #: 127638931 error: Specified argument was out of the range of valid values.
Parameter name: Value Type NullType is not handled! Handle it!
Record error at offset 0x2CE0, record #: 127638932 error: Index was out of range. Must be non-negative and less than the size of the collection.
I have attached the file in question.
Archive-ForwardedEvents-test.zip
Thanks!
Dave Crawford
D.S. Crawford
Information Security Office
California State University, Sacramento