Cannot search a directory EVTX files stored on deduplicated volume #26
-d expects a directory: evtxecmd.exe -d d:\path. You should not be using -d with a single file; that's what -f is for. You do not have to do anything extra with reparse points; that's not the issue. If you do not want to deal with typos, use KAPE to automate! There is no way for me to warn about that except to possibly look for any extra/unexpected ones (I don't know how easy this would be) and then report it. This works fine for me. What version are you using? Show me your exact command line and any output. --debug may be a helpful switch too.

I can only assume that D:\path is NOT a reparse point. If it IS, do not do it that way =) There are reasons for that under the hood. Again, you can automate collection AND processing with KAPE. It would be a one-liner:

.\kape.exe --tsource c --target eventlogs --tdest C:\Temp\tout --tflush --mdest C:\Temp\mout --module evtxecmd

You will end up with a CSV file to load into TLE under c:\temp\mout.

Thanks for the reply. I probably should be using KAPE to archive the logs in the first place, but I created this process before KAPE existed and I've only just discovered KAPE.

Running 0.6.0.0 on a deduplicated drive:

Author: Eric Zimmerman ([email protected])
Command line: -d D:\LogArchive\2020-01\Logs --debug
Loading maps from 'C:\Temp\Maps'
Clearing map collection since no output specified
Processed 0 files in 0.9570 seconds

Running on the same files but non-deduplicated:

Author: Eric Zimmerman ([email protected])
Command line: -d c:\temp\logs --debug
Loading maps from 'C:\Temp\Maps'
Clearing map collection since no output specified
Processing 'c:\temp\logs\Archive-Security-2020-01-01-04-14-51-849.evtx'...

Deduplication definitely does use reparse points. What goes wrong if reparse points are enabled?

Show me what is in the D:\LogArchive\2020-01\Logs directory. How does c:\temp\logs differ from D:\LogArchive\2020-01\Logs? If one works, so should the other, unless D:\LogArchive\2020-01\Logs is a reparse point. Did you make it a reparse point?
I have a bunch of event logs (a couple of terabytes uncompressed) to search through for a specific event. Event logs deduplicate pretty well, so I've stored them on a Server 2019 machine with Windows deduplication turned on for one drive. (Deduplication reduces 1 TB logs down to ~150 GB, which is nice.)
When I run evtxecmd -d D:\path it exits with no results. If I run evtxecmd -f d:\path\file.evtx, it successfully parses the file, so it's something with giving it a directory rather than a file.
In Program.cs, if I remove DirectoryEnumerationOptions.SkipReparsePoints from dirEnumOptions (line 606), it succeeds. IIRC deduplication uses reparse points, so this makes sense. Is there a specific reason to exclude reparse points?
Unrelated, but you may want to output an error/warning if any unexpected options are provided on the command line. Otherwise, typos can drive you nuts.
Thanks!
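A pre-flight check for the situation described in this issue, added here as an example and not code from EvtxECmd or from anyone in this thread: it walks an archive directory and reports which .evtx files are reparse points, and of what kind, so an analyst knows how many files an enumeration that skips reparse points would silently leave unparsed. The reparse-tag constants are the Windows SDK (ntifs.h) values; the `st_file_attributes` and `st_reparse_tag` stat fields exist only in Python on Windows (3.8+), so on other platforms every file reports as regular.

```python
"""Pre-flight audit of an EVTX archive: which files would a directory walk that
skips reparse points (EvtxECmd -d with SkipReparsePoints) leave unprocessed?"""
import os
import tempfile
from collections import Counter

FILE_ATTRIBUTE_REPARSE_POINT = 0x400
# Reparse tags from the Windows SDK (ntifs.h). Data Deduplication moves file
# data into its chunk store and leaves a reparse point with the DEDUP tag.
IO_REPARSE_TAG_DEDUP = 0x80000013
IO_REPARSE_TAG_SYMLINK = 0xA000000C
IO_REPARSE_TAG_MOUNT_POINT = 0xA0000003  # NTFS junction
TAG_NAMES = {IO_REPARSE_TAG_DEDUP: "dedup", IO_REPARSE_TAG_SYMLINK: "symlink",
             IO_REPARSE_TAG_MOUNT_POINT: "junction"}

def classify(file_attributes: int, reparse_tag: int) -> str:
    """'regular', or the kind of reparse point a SkipReparsePoints walk drops."""
    if not file_attributes & FILE_ATTRIBUTE_REPARSE_POINT:
        return "regular"
    return TAG_NAMES.get(reparse_tag, "other-reparse")

def stat_kind(path: str) -> str:
    # lstat so the reparse point itself is examined, not its target. The two
    # Windows-only fields are absent elsewhere, where everything is 'regular'.
    st = os.lstat(path)
    return classify(getattr(st, "st_file_attributes", 0),
                    getattr(st, "st_reparse_tag", 0))

def audit(root: str, suffix: str = ".evtx"):
    """Count files by kind; every non-'regular' hit is one -d would skip.
    Dedup-backed files rehydrate transparently on read; symlinks/junctions are
    the kinds where following a reparse point can loop or leave the tree."""
    counts, skipped = Counter(), []
    for dirpath, _dirs, files in os.walk(root):  # does not follow dir links
        for name in files:
            if name.lower().endswith(suffix):
                path = os.path.join(dirpath, name)
                kind = stat_kind(path)
                counts[kind] += 1
                if kind != "regular":
                    skipped.append((path, kind))
    return counts, skipped

def audit_constructed_sample():
    """Run audit() over a constructed throwaway tree of ordinary files."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("a.evtx", "b.EVTX", "notes.txt"):
            open(os.path.join(root, name), "wb").close()
        return audit(root)
```

Run `audit(r"D:\LogArchive\2020-01\Logs")` on the archive host; a skipped list in which every entry is 'dedup' shows the files are merely dedup-backed rather than links, which is the case this issue reports.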