diff --git a/CHANGELOG.md b/CHANGELOG.md index 78eaede..bdd76a4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,10 @@ # Changelog +## [0.8.12 - 2024-11-04] + +- JSON output order is now preserved. (omerbenamram/evtx#242) +- JSON now outputs fields that have the same name multiple times. Before, only the last one was outputted. (omerbenamram/evtx#245) + ## [0.8.11 - 2024-10-30] Fixed a compiler bug with `quick-xml` 0.37.0. Updated crates. (#67) (@fukusuket) diff --git a/Cargo.lock b/Cargo.lock index a5d4129..b75e0a7 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -55,9 +55,9 @@ dependencies = [ [[package]] name = "anstyle" -version = "1.0.9" +version = "1.0.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8365de52b16c035ff4fcafe0092ba9390540e3e352870ac09933bebcaa2c8c56" +checksum = "55cc3b69f167a1ef2e161439aa98aed94e6028e5f9a59be9a6ffb47aef1651f9" [[package]] name = "anstyle-parse" @@ -89,9 +89,9 @@ dependencies = [ [[package]] name = "anyhow" -version = "1.0.91" +version = "1.0.92" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c042108f3ed77fd83760a5fd79b53be043192bb3b9dba91d8c574c0ada7850c8" +checksum = "74f37166d7d48a0284b99dd824694c26119c700b53bf0d1540cdb147dbdaaf13" [[package]] name = "assert_cmd" @@ -195,9 +195,9 @@ checksum = "37b2a672a2cb129a2e41c10b1224bb368f9f37a2b16b612598138befd7b37eb5" [[package]] name = "cc" -version = "1.1.31" +version = "1.1.34" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c2e7962b54006dcfcc61cb72735f4d89bb97061dd6a7ed882ec6b8ee53714c6f" +checksum = "67b9470d453346108f93a59222a9a1a5724db32d0a4727b7ab7ace4b4d822dc9" dependencies = [ "shlex", ] @@ -541,7 +541,7 @@ dependencies = [ [[package]] name = "evtx" -version = "0.8.11" +version = "0.8.12" dependencies = [ "anyhow", "assert_cmd", 
@@ -656,6 +656,16 @@ dependencies = [ "cc", ] +[[package]] +name = "indexmap" +version = "2.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "707907fe3c25f5424cce2cb7e1cbcafee6bdbe735ca90ef77c29e84591e5b9da" +dependencies = [ + "equivalent", + "hashbrown", +] + [[package]] name = "indoc" version = "2.0.5" @@ -664,9 +674,9 @@ checksum = "b248f5224d1d606005e02c97f5aa4e88eeb230488bcc03bc9ca4d7991399f2b5" [[package]] name = "insta" -version = "1.41.0" +version = "1.41.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a1f72d3e19488cf7d8ea52d2fc0f8754fc933398b337cd3cbdb28aaeb35159ef" +checksum = "7e9ffc4d4892617c50a928c52b2961cb5174b6fc6ebf252b2fac9d21955c48b8" dependencies = [ "console", "lazy_static", @@ -1087,7 +1097,7 @@ checksum = "de523f781f095e28fa605cdce0f8307e451cc0fd14e2eb4cd2e98a355b147766" dependencies = [ "proc-macro2", "quote", - "syn 2.0.85", + "syn 2.0.87", ] [[package]] @@ -1096,6 +1106,7 @@ version = "1.0.132" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d726bfaff4b320266d395898905d0eba0345aae23b54aee3a737e260fd46db03" dependencies = [ + "indexmap", "itoa", "memchr", "ryu", @@ -1154,9 +1165,9 @@ dependencies = [ [[package]] name = "syn" -version = "2.0.85" +version = "2.0.87" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5023162dfcd14ef8f32034d8bcd4cc5ddc61ef7a247c024a33e24e1f24d21b56" +checksum = "25aa4ce346d03a6dcd68dd8b4010bcb74e54e62c90c573f394c46eae99aba32d" dependencies = [ "proc-macro2", "quote", 
@@ -1184,22 +1195,22 @@ checksum = "3369f5ac52d5eb6ab48c6b4ffdc8efbcad6b89c765749064ba298f2c68a16a76" [[package]] name = "thiserror" -version = "1.0.65" +version = "1.0.67" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5d11abd9594d9b38965ef50805c5e469ca9cc6f197f883f717e0269a3057b3d5" +checksum = "3b3c6efbfc763e64eb85c11c25320f0737cb7364c4b6336db90aa9ebe27a0bbd" dependencies = [ "thiserror-impl", ] [[package]] name = "thiserror-impl" -version = "1.0.65" +version = "1.0.67" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ae71770322cbd277e69d762a16c444af02aa0575ac0d174f0b9562d3b37f8602" +checksum = "b607164372e89797d78b8e23a6d67d5d1038c1c65efd52e1389ef8b77caba2a6" dependencies = [ "proc-macro2", "quote", - "syn 2.0.85", + "syn 2.0.87", ] [[package]] @@ -1283,7 +1294,7 @@ dependencies = [ "once_cell", "proc-macro2", "quote", - "syn 2.0.85", + "syn 2.0.87", "wasm-bindgen-shared", ] @@ -1305,7 +1316,7 @@ checksum = "26c6ab57572f7a24a4985830b120de1594465e5d500f24afe89e16b4e833ef68" dependencies = [ "proc-macro2", "quote", - "syn 2.0.85", + "syn 2.0.87", "wasm-bindgen-backend", "wasm-bindgen-shared", ] diff --git a/Cargo.toml b/Cargo.toml index a5ce599..4d98d5b 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -6,7 +6,7 @@ repository = "https://github.com/Yamato-Security/hayabusa-evtx" license = "MIT" readme = "README.md" -version = "0.8.11" +version = "0.8.12" authors = ["Omer Ben-Amram , Yamato Security"] edition = "2021" @@ -34,7 +34,7 @@ clap = { version = "4", optional = true } dialoguer = { version = "*", optional = true } indoc = { version = "*", optional = true } -serde_json = "1" +serde_json = { version = "1", features = ["preserve_order"]} [target.'cfg(not(windows))'.dependencies] # jemalloc is significantly more peformant than the system allocator. diff --git a/src/json_output.rs b/src/json_output.rs index ad1d1b9..3749bc0 100644 --- a/src/json_output.rs +++ b/src/json_output.rs 
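Review bot: `serde_json = { version = "1", features = ["preserve_order"]}` enables the feature for a library crate, and Cargo unifies features across a consumer's whole build, so every crate in a downstream binary that uses serde_json silently gets an insertion-ordered `Map` too (and the extra `indexmap` dependency the lockfile now shows). The changelog entry only describes this crate's JSON output; a sentence there or in the README that the feature is enabled crate-wide would save consumers a surprise, and a comment on the dependency line such as `# preserve_order: keep XML element order in JSON output; note this is unified into every consumer's serde_json` would document the intent. Style nit: the inline table lacks the space before `}` that the other entries in this file use (`{ version = "*", optional = true }`).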
@@ -214,28 +214,71 @@ impl JsonOutput { .to_string(), } })?; + // We do a linear probe in case XML contains duplicate keys + if let Some(old_attribute) = + value.insert(format!("{}_attributes", name), Value::Null) + { + if let Some(old_value) = value.insert(name.to_string(), Value::Null) { + let mut free_slot = 1; + // If it is a concrete value, we look for another slot. + while value.get(&format!("{}_{}", name, free_slot)).is_some() + || value + .get(&format!("{}_{}_attributes", name, free_slot)) + .is_some() + { + // Value is an empty object - we can override it's value. + free_slot += 1 + } + if let Some(old_value_object) = old_value.as_object() { + if !old_value_object.is_empty() { + value.insert(format!("{}_{}", name, free_slot), old_value); + } + }; + if let Some(old_attribute_object) = old_attribute.as_object() { + if !old_attribute_object.is_empty() { + value.insert( + format!("{}_{}_attributes", name, free_slot), + old_attribute, + ); + }; + }; + }; + }; value.insert(format!("{name}_attributes"), Value::Object(attributes)); // If the element's main value is empty, we want to remove it because we // do not want the value to represent an empty object. - if value[name] == Value::Object(Map::new()) { + if value[name].is_null() || value[name] == Value::Object(Map::new()) { value.remove(name); } } else { - let value = self - .get_or_create_current_path() - .as_object_mut() - .ok_or_else(|| { - SerializationError::JsonStructureError { - message: - "This is a bug - expected current value to exist, and to be an object type. 
- Check that the value is not `Value::null`" - .to_string(), - } - })?; + let container = self.get_current_parent().as_object_mut().ok_or_else(|| { + SerializationError::JsonStructureError { + message: + "This is a bug - expected parent container to exist, and to be an object type.\ + Check that the referencing parent is not `Value::null`" + .to_string(), + } + })?; + // We do a linear probe in case XML contains duplicate keys + if let Some(old_value) = container.insert(name.to_string(), Value::Null) { + if let Some(map) = old_value.as_object() { + if !map.is_empty() { + let mut free_slot = 1; + // If it is a concrete value, we look for another slot. + while container.get(&format!("{}_{}", name, free_slot)).is_some() { + // Value is an empty object - we can override it's value. + free_slot += 1 + } + container.insert(format!("{}_{}", name, free_slot), old_value); + } + } + }; + let mut value = Map::new(); value.insert("#attributes".to_owned(), Value::Object(attributes)); + container.insert(name.to_string(), Value::Object(value)); } } else { // If the object does not have attributes, replace it with a null placeholder, @@ -534,10 +577,10 @@ mod tests { let s2 = r#" { "HTTPResponseHeadersInfo": { - "Header": "HTTP/1.1 200 OK", "Header_attributes": { "attribute1": "NoProxy" - } + }, + "Header": "HTTP/1.1 200 OK" } } "# diff --git a/tests/snapshots/test_record_samples__event_json_missing_string_cache_entry.snap b/tests/snapshots/test_record_samples__event_json_missing_string_cache_entry.snap index 47c7194..f021e4c 100644 --- a/tests/snapshots/test_record_samples__event_json_missing_string_cache_entry.snap +++ b/tests/snapshots/test_record_samples__event_json_missing_string_cache_entry.snap 
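Review bot: With `preserve_order` enabled by this same commit, the unchanged `value.remove(name);` at the end of the attributes branch is `serde_json::Map::remove`, which is documented to behave as `swap_remove` and moves the map's last entry into the removed key's slot; here the last entry happens to be the just-inserted `{name}_attributes` (presumably why the snapshots now show `Event_attributes` ahead of `Event`), but any removal where the key is not adjacent to the tail will reorder the output this release advertises as stable, so prefer `value.shift_remove(name);` and say in a comment which order the element/`_attributes` pair is meant to keep. Separately, both probes keep the previous same-name sibling only when `old_value.as_object()` is a non-empty map, so a sibling whose value is already a string or number (the `"URL": "http://…"` shape seen in the snapshots) is dropped without trace if `get_or_create_current_path` hands it back unchanged — a guard like `let is_placeholder = |v: &Value| v.is_null() || v.as_object().map_or(false, Map::is_empty);` followed by `if !is_placeholder(&old_value) { value.insert(format!("{}_{}", name, free_slot), old_value); }` keeps concrete values while still skipping placeholders. Each probe also restarts at slot 1 and allocates a formatted key per step, so k same-named siblings in one attacker-supplied record cost O(k²) allocations; caching the last used slot per name would make that linear, though I cannot tell from the hunk whether k is bounded elsewhere. The comment `// Value is an empty object - we can override it's value.` sits on `free_slot += 1` in both loops, which it does not describe; move it next to the `is_empty()` checks and spell it `its`. The enclosing method starts before and ends after this hunk.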
@@ -3,34 +3,34 @@ source: tests/test_record_samples.rs expression: "&value" --- { + "Event_attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, "Event": { - "EventData": null, "System": { - "Channel": "Security", - "Computer": "37L4247F27-25", - "Correlation": null, - "EventID": 4608, - "EventRecordID": 1, - "Execution_attributes": { - "ProcessID": 456, - "ThreadID": 460 - }, - "Keywords": "0x8020000000000000", - "Level": 0, - "Opcode": 0, "Provider_attributes": { - "Guid": "54849625-5478-4994-A5BA-3E3B0328C30D", - "Name": "Microsoft-Windows-Security-Auditing" + "Name": "Microsoft-Windows-Security-Auditing", + "Guid": "54849625-5478-4994-A5BA-3E3B0328C30D" }, - "Security": null, + "EventID": 4608, + "Version": 0, + "Level": 0, "Task": 12288, + "Opcode": 0, + "Keywords": "0x8020000000000000", "TimeCreated_attributes": { "SystemTime": "2016-07-08T18:12:51.681640Z" }, - "Version": 0 - } - }, - "Event_attributes": { - "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + "EventRecordID": 1, + "Correlation": null, + "Execution_attributes": { + "ProcessID": 456, + "ThreadID": 460 + }, + "Channel": "Security", + "Computer": "37L4247F27-25", + "Security": null + }, + "EventData": null } } \ No newline at end of file diff --git a/tests/snapshots/test_record_samples__event_json_multiple_empty_data_nodes_not_ignored.snap b/tests/snapshots/test_record_samples__event_json_multiple_empty_data_nodes_not_ignored.snap index a1620ee..979ed94 100644 --- a/tests/snapshots/test_record_samples__event_json_multiple_empty_data_nodes_not_ignored.snap +++ b/tests/snapshots/test_record_samples__event_json_multiple_empty_data_nodes_not_ignored.snap 
@@ -1,34 +1,33 @@ --- source: tests/test_record_samples.rs expression: "&value" - --- { + "Event_attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, "Event": { - "EventData": { - "Data": "Set-Mailbox-Identity \"Administrateur\" -DeliverToMailboxAndForward \"False\" -ForwardingSmtpAddress \"smtp:test2@example.com\"ave.local/Users/AdministrateurS-1-5-21-186559946-3925841745-111227986-500S-1-5-21-186559946-3925841745-111227986-500Remote-ManagementShell-Unknown5668 w3wp#MSExchangePowerShellAppPool500:00:26.0389557Afficher la forêt entière : 'False', Portée par défaut : « ave.local », Configuration du contrôleur de domaine : « DC.ave.local », Catalogue global préféré : « DC.ave.local », Contrôleurs de domaine préférés : « { DC.ave.local } »False0 objects execution has been proxied to remote server.0ActivityId: a3591746-a27b-447a-b8be-ff54ae3a46f1ServicePlan:;IsAdmin:True;fr-FR" - }, "System": { - "Channel": "MSExchange Management", - "Computer": "WEC.ave.local", - "EventID": "1", + "Provider_attributes": { + "Name": "MSExchange CmdletLogs" + }, "EventID_attributes": { "Qualifiers": "16384" }, - "EventRecordID": "3229", - "Keywords": "0x80000000000000", + "EventID": "1", "Level": "4", - "Provider_attributes": { - "Name": "MSExchange CmdletLogs" - }, - "Security": null, "Task": "1", + "Keywords": "0x80000000000000", "TimeCreated_attributes": { "SystemTime": "2021-11-19T16:52:33.833733500Z" - } + }, + "EventRecordID": "3229", + "Channel": "MSExchange Management", + "Computer": "WEC.ave.local", + "Security": null + }, + "EventData": { + "Data": "Set-Mailbox-Identity \"Administrateur\" -DeliverToMailboxAndForward \"False\" -ForwardingSmtpAddress \"smtp:test2@example.com\"ave.local/Users/AdministrateurS-1-5-21-186559946-3925841745-111227986-500S-1-5-21-186559946-3925841745-111227986-500Remote-ManagementShell-Unknown5668 w3wp#MSExchangePowerShellAppPool500:00:26.0389557Afficher la forêt entière : 'False', Portée par défaut : « ave.local », 
Configuration du contrôleur de domaine : « DC.ave.local », Catalogue global préféré : « DC.ave.local », Contrôleurs de domaine préférés : « { DC.ave.local } »False0 objects execution has been proxied to remote server.0ActivityId: a3591746-a27b-447a-b8be-ff54ae3a46f1ServicePlan:;IsAdmin:True;fr-FR" } - }, - "Event_attributes": { - "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" } } diff --git a/tests/snapshots/test_record_samples__event_json_sample.snap b/tests/snapshots/test_record_samples__event_json_sample.snap index 958aeb6..c83159d 100644 --- a/tests/snapshots/test_record_samples__event_json_sample.snap +++ b/tests/snapshots/test_record_samples__event_json_sample.snap @@ -1,43 +1,42 @@ --- source: tests/test_record_samples.rs expression: "&value" - --- { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, - "EventData": null, "System": { - "Channel": "Security", - "Computer": "37L4247F27-25", - "Correlation": null, - "EventID": 4608, - "EventRecordID": 1, - "Execution": { + "Provider": { "#attributes": { - "ProcessID": 456, - "ThreadID": 460 + "Name": "Microsoft-Windows-Security-Auditing", + "Guid": "54849625-5478-4994-A5BA-3E3B0328C30D" } }, - "Keywords": "0x8020000000000000", + "EventID": 4608, + "Version": 0, "Level": 0, + "Task": 12288, "Opcode": 0, - "Provider": { + "Keywords": "0x8020000000000000", + "TimeCreated": { "#attributes": { - "Guid": "54849625-5478-4994-A5BA-3E3B0328C30D", - "Name": "Microsoft-Windows-Security-Auditing" + "SystemTime": "2016-07-08T18:12:51.681640Z" } }, - "Security": null, - "Task": 12288, - "TimeCreated": { + "EventRecordID": 1, + "Correlation": null, + "Execution": { "#attributes": { - "SystemTime": "2016-07-08T18:12:51.681640Z" + "ProcessID": 456, + "ThreadID": 460 } }, - "Version": 0 - } + "Channel": "Security", + "Computer": "37L4247F27-25", + "Security": null + }, + "EventData": null } } 
diff --git a/tests/snapshots/test_record_samples__event_json_sample_with_event_data.snap b/tests/snapshots/test_record_samples__event_json_sample_with_event_data.snap index 66ebdb9..0cc4a9c 100644 --- a/tests/snapshots/test_record_samples__event_json_sample_with_event_data.snap +++ b/tests/snapshots/test_record_samples__event_json_sample_with_event_data.snap 
@@ -1,59 +1,58 @@ --- source: tests/test_record_samples.rs expression: "&value" - --- { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, - "EventData": { - "CommandLine": "", - "MandatoryLabel": "S-1-16-16384", - "NewProcessId": "0x58", - "NewProcessName": "Registry", - "ParentProcessName": "", - "ProcessId": "0x4", - "SubjectDomainName": "-", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "-", - "SubjectUserSid": "S-1-5-18", - "TargetDomainName": "-", - "TargetLogonId": "0x0", - "TargetUserName": "-", - "TargetUserSid": "S-1-0-0", - "TokenElevationType": "%%1936" - }, "System": { - "Channel": "Security", - "Computer": "WIN-LL0C19JS506", - "Correlation": null, - "EventID": 4688, - "EventRecordID": 1, - "Execution": { + "Provider": { "#attributes": { - "ProcessID": 4, - "ThreadID": 32 + "Name": "Microsoft-Windows-Security-Auditing", + "Guid": "54849625-5478-4994-A5BA-3E3B0328C30D" } }, - "Keywords": "0x8020000000000000", + "EventID": 4688, + "Version": 2, "Level": 0, + "Task": 13312, "Opcode": 0, - "Provider": { + "Keywords": "0x8020000000000000", + "TimeCreated": { "#attributes": { - "Guid": "54849625-5478-4994-A5BA-3E3B0328C30D", - "Name": "Microsoft-Windows-Security-Auditing" + "SystemTime": "2018-07-28T07:24:45.754787Z" } }, - "Security": null, - "Task": 13312, - "TimeCreated": { + "EventRecordID": 1, + "Correlation": null, + "Execution": { "#attributes": { - "SystemTime": "2018-07-28T07:24:45.754787Z" + "ProcessID": 4, + "ThreadID": 32 } }, - "Version": 2 + "Channel": "Security", + "Computer": "WIN-LL0C19JS506", + "Security": null + }, + "EventData": { + "SubjectUserSid": "S-1-5-18", + "SubjectUserName": "-", + "SubjectDomainName": "-", + "SubjectLogonId": "0x3e7", + "NewProcessId": "0x58", + "NewProcessName": "Registry", + "TokenElevationType": "%%1936", + "ProcessId": "0x4", + "CommandLine": "", + "TargetUserSid": "S-1-0-0", + "TargetUserName": "-", + "TargetDomainName": "-", + "TargetLogonId": "0x0", + 
"ParentProcessName": "", + "MandatoryLabel": "S-1-16-16384" } } } diff --git a/tests/snapshots/test_record_samples__event_json_sample_with_event_data_with_attributes_and_text.snap b/tests/snapshots/test_record_samples__event_json_sample_with_event_data_with_attributes_and_text.snap index b818dca..db6af3f 100644 --- a/tests/snapshots/test_record_samples__event_json_sample_with_event_data_with_attributes_and_text.snap +++ b/tests/snapshots/test_record_samples__event_json_sample_with_event_data_with_attributes_and_text.snap @@ -1,6 +1,5 @@ --- source: tests/test_record_samples.rs -assertion_line: 92 expression: "&value" --- { @@ -8,42 +7,42 @@ expression: "&value" "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, - "EventData": { - "Binary": null, - "Data": { - "#text": [ - "10.00.", - "15063", - "", - "Multiprocessor Free", - "0" - ] - } - }, "System": { - "Channel": "System", - "Computer": "WIN-P4SIAA0SQCO", + "Provider": { + "#attributes": { + "Name": "EventLog" + } + }, "EventID": { "#attributes": { "Qualifiers": 32768 }, "#text": 6009 }, - "EventRecordID": 1, - "Keywords": "0x80000000000000", "Level": 4, - "Provider": { - "#attributes": { - "Name": "EventLog" - } - }, - "Security": null, "Task": 0, + "Keywords": "0x80000000000000", "TimeCreated": { "#attributes": { "SystemTime": "2017-07-12T17:16:28.214161Z" } - } + }, + "EventRecordID": 1, + "Channel": "System", + "Computer": "WIN-P4SIAA0SQCO", + "Security": null + }, + "EventData": { + "Data": { + "#text": [ + "10.00.", + "15063", + "", + "Multiprocessor Free", + "0" + ] + }, + "Binary": null } } } diff --git a/tests/snapshots/test_record_samples__event_json_sample_with_separate_json_attributes.snap b/tests/snapshots/test_record_samples__event_json_sample_with_separate_json_attributes.snap index 3829ceb..e48c401 100644 --- a/tests/snapshots/test_record_samples__event_json_sample_with_separate_json_attributes.snap 
+++ b/tests/snapshots/test_record_samples__event_json_sample_with_separate_json_attributes.snap @@ -1,45 +1,44 @@ --- source: tests/test_record_samples.rs -assertion_line: 208 expression: "&value" --- { + "Event_attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, "Event": { - "EventData": { - "param1": "86400", - "param2": "SuppressDuplicateDuration", - "param3": "Software\\Microsoft\\EventSystem\\EventLog" - }, "System": { - "Channel": "Application", - "Computer": "37L4247D28-05", - "Correlation": null, - "EventID": 4625, + "Provider_attributes": { + "Name": "Microsoft-Windows-EventSystem", + "Guid": "{899daace-4868-4295-afcd-9eb8fb497561}", + "EventSourceName": "EventSystem" + }, "EventID_attributes": { "Qualifiers": 16384 }, - "EventRecordID": 1, - "Execution_attributes": { - "ProcessID": 0, - "ThreadID": 0 - }, - "Keywords": "0x80000000000000", + "EventID": 4625, + "Version": 0, "Level": 4, - "Opcode": 0, - "Provider_attributes": { - "EventSourceName": "EventSystem", - "Guid": "{899daace-4868-4295-afcd-9eb8fb497561}", - "Name": "Microsoft-Windows-EventSystem" - }, - "Security": null, "Task": 0, + "Opcode": 0, + "Keywords": "0x80000000000000", "TimeCreated_attributes": { "SystemTime": "2010-11-10T18:18:51.000000Z" }, - "Version": 0 + "EventRecordID": 1, + "Correlation": null, + "Execution_attributes": { + "ProcessID": 0, + "ThreadID": 0 + }, + "Channel": "Application", + "Computer": "37L4247D28-05", + "Security": null + }, + "EventData": { + "param1": "86400", + "param2": "SuppressDuplicateDuration", + "param3": "Software\\Microsoft\\EventSystem\\EventLog" } - }, - "Event_attributes": { - "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" } } diff --git a/tests/snapshots/test_record_samples__event_json_with_multiple_data_elements-2.snap b/tests/snapshots/test_record_samples__event_json_with_multiple_data_elements-2.snap index 9504d74..64aee61 100644 
--- a/tests/snapshots/test_record_samples__event_json_with_multiple_data_elements-2.snap +++ b/tests/snapshots/test_record_samples__event_json_with_multiple_data_elements-2.snap @@ -1,6 +1,5 @@ --- source: tests/test_record_samples.rs -assertion_line: 238 expression: "&value" --- { @@ -8,6 +7,31 @@ expression: "&value" "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, + "System": { + "Provider": { + "#attributes": { + "Name": "MSExchange CmdletLogs" + } + }, + "EventID": { + "#attributes": { + "Qualifiers": "16384" + }, + "#text": "1" + }, + "Level": "4", + "Task": "1", + "Keywords": "0x80000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2021-11-19T16:52:33.833733500Z" + } + }, + "EventRecordID": "3229", + "Channel": "MSExchange Management", + "Computer": "WEC.ave.local", + "Security": null + }, "EventData": { "Data": { "#text": [ @@ -29,31 +53,6 @@ expression: "&value" "fr-FR" ] } - }, - "System": { - "Channel": "MSExchange Management", - "Computer": "WEC.ave.local", - "EventID": { - "#attributes": { - "Qualifiers": "16384" - }, - "#text": "1" - }, - "EventRecordID": "3229", - "Keywords": "0x80000000000000", - "Level": "4", - "Provider": { - "#attributes": { - "Name": "MSExchange CmdletLogs" - } - }, - "Security": null, - "Task": "1", - "TimeCreated": { - "#attributes": { - "SystemTime": "2021-11-19T16:52:33.833733500Z" - } - } } } } diff --git a/tests/snapshots/test_record_samples__event_json_with_multiple_nodes_same_name.snap b/tests/snapshots/test_record_samples__event_json_with_multiple_nodes_same_name.snap index f466abd..42230f8 100644 --- a/tests/snapshots/test_record_samples__event_json_with_multiple_nodes_same_name.snap +++ b/tests/snapshots/test_record_samples__event_json_with_multiple_nodes_same_name.snap @@ -1,7 +1,6 @@ --- source: tests/test_record_samples.rs expression: "&value" - --- { "Event": { 
@@ -9,47 +8,86 @@ expression: "&value" "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "System": { - "Channel": "Microsoft-Windows-CAPI2/Operational", - "Computer": "WIN-M5327EF98B9", - "Correlation": null, - "EventID": 53, - "EventRecordID": 28, - "Execution": { + "Provider": { "#attributes": { - "ProcessID": 1396, - "ThreadID": 2132 + "Name": "Microsoft-Windows-CAPI2", + "Guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" } }, - "Keywords": "0x4000000000000036", + "EventID": 53, + "Version": 0, "Level": 4, + "Task": 53, "Opcode": 2, - "Provider": { + "Keywords": "0x4000000000000036", + "TimeCreated": { "#attributes": { - "Guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}", - "Name": "Microsoft-Windows-CAPI2" + "SystemTime": "2017-05-19T02:02:36.203125Z" } }, - "Security": { + "EventRecordID": 28, + "Correlation": null, + "Execution": { "#attributes": { - "UserID": "S-1-5-21-1223297778-3299746493-1462173606-500" + "ProcessID": 1396, + "ThreadID": 2132 } }, - "Task": 53, - "TimeCreated": { + "Channel": "Microsoft-Windows-CAPI2/Operational", + "Computer": "WIN-M5327EF98B9", + "Security": { "#attributes": { - "SystemTime": "2017-05-19T02:02:36.203125Z" + "UserID": "S-1-5-21-1223297778-3299746493-1462173606-500" } - }, - "Version": 0 + } }, "UserData": { "CryptRetrieveObjectByUrlWire": { + "URL": { + "#attributes": { + "scheme": "http" + }, + "#text": "http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl" + }, + "Object": { + "#attributes": { + "type": "CONTEXT_OID_CRL", + "constant": "2" + } + }, + "Timeout": "PT9.984S", + "Flags": { + "#attributes": { + "value": "202005", + "CRYPT_RETRIEVE_MULTIPLE_OBJECTS": "true", + "CRYPT_WIRE_ONLY_RETRIEVAL": "true", + "CRYPT_LDAP_SCOPE_BASE_ONLY_RETRIEVAL": "true", + "CRYPT_PROXY_CACHE_RETRIEVAL": "true" + } + }, + "AuxInfo": { + "#attributes": { + "maxUrlRetrievalByteCount": "104857600", + "fProxyCacheRetrieval": "true" + } + }, "AdditionalInfo": { + "NetworkConnectivityStatus": { + "#attributes": { + 
"value": "1", + "_SENSAPI_NETWORK_ALIVE_LAN": "true" + } + }, "Action": { "#attributes": { "name": "NoProxy" } }, + "Action_1": { + "#attributes": { + "name": "NoProxy" + } + }, "HTTPRequestHeadersInfo": { "Header": "Connection: Keep-Alive", "Header_1": "GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1", @@ -62,8 +100,6 @@ expression: "&value" "HTTPResponseHeadersInfo": { "Header": "x-ms-blob-type: BlockBlob", "Header_1": "HTTP/1.1 200 OK", - "Header_10": "x-ms-version: 2009-09-19", - "Header_11": "x-ms-lease-status: unlocked", "Header_2": "Connection: keep-alive", "Header_3": "Date: Thu, 18 May 2017 11:37:58 GMT", "Header_4": "Content-Length: 813", @@ -71,19 +107,9 @@ expression: "&value" "Header_6": "Last-Modified: Tue, 02 May 2017 22:24:24 GMT", "Header_7": "ETag: 0x8D491A9FD112A27", "Header_8": "Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0", - "Header_9": "x-ms-request-id: 477c132d-0001-0045-443b-c49ae1000000" - }, - "NetworkConnectivityStatus": { - "#attributes": { - "_SENSAPI_NETWORK_ALIVE_LAN": "true", - "value": "1" - } - } - }, - "AuxInfo": { - "#attributes": { - "fProxyCacheRetrieval": "true", - "maxUrlRetrievalByteCount": "104857600" + "Header_9": "x-ms-request-id: 477c132d-0001-0045-443b-c49ae1000000", + "Header_10": "x-ms-version: 2009-09-19", + "Header_11": "x-ms-lease-status: unlocked" } }, "CacheInfo": { @@ -92,15 +118,17 @@ expression: "&value" }, "URLCacheResponseInfo": { "#attributes": { - "lastModifiedTime": "2017-05-02T22:24:24Z", - "responseType": "CRYPTNET_URL_CACHE_RESPONSE_HTTP" + "responseType": "CRYPTNET_URL_CACHE_RESPONSE_HTTP", + "lastModifiedTime": "2017-05-02T22:24:24Z" } } }, - "CorrelationAuxInfo": { - "#attributes": { - "SeqNumber": "7", - "TaskId": "{74E4CD40-C966-49F5-B50A-032DFFEE57CA}" + "RetrievedObjects": { + "CertificateRevocationList": { + "#attributes": { + "fileRef": "0986764ED95D3C77F3F1AD8340EDD2F36C3BF8E7.crl", + "issuerName": "Microsoft Root Certificate Authority" + } } }, "EventAuxInfo": { 
@@ -108,40 +136,16 @@ expression: "&value" "ProcessName": "Setup.exe" } }, - "Flags": { - "#attributes": { - "CRYPT_LDAP_SCOPE_BASE_ONLY_RETRIEVAL": "true", - "CRYPT_PROXY_CACHE_RETRIEVAL": "true", - "CRYPT_RETRIEVE_MULTIPLE_OBJECTS": "true", - "CRYPT_WIRE_ONLY_RETRIEVAL": "true", - "value": "202005" - } - }, - "Object": { + "CorrelationAuxInfo": { "#attributes": { - "constant": "2", - "type": "CONTEXT_OID_CRL" + "TaskId": "{74E4CD40-C966-49F5-B50A-032DFFEE57CA}", + "SeqNumber": "7" } }, "Result": { "#attributes": { "value": "0" } - }, - "RetrievedObjects": { - "CertificateRevocationList": { - "#attributes": { - "fileRef": "0986764ED95D3C77F3F1AD8340EDD2F36C3BF8E7.crl", - "issuerName": "Microsoft Root Certificate Authority" - } - } - }, - "Timeout": "PT9.984S", - "URL": { - "#attributes": { - "scheme": "http" - }, - "#text": "http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl" } } } diff --git a/tests/snapshots/test_record_samples__event_json_with_multiple_nodes_same_name_separate.snap b/tests/snapshots/test_record_samples__event_json_with_multiple_nodes_same_name_separate.snap index a059ab4..fd0f374 100644 --- a/tests/snapshots/test_record_samples__event_json_with_multiple_nodes_same_name_separate.snap +++ b/tests/snapshots/test_record_samples__event_json_with_multiple_nodes_same_name_separate.snap 
@@ -1,42 +1,71 @@ --- source: tests/test_record_samples.rs -assertion_line: 258 expression: "&value" --- { + "Event_attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, "Event": { "System": { - "Channel": "Microsoft-Windows-CAPI2/Operational", - "Computer": "WIN-M5327EF98B9", - "Correlation": null, + "Provider_attributes": { + "Name": "Microsoft-Windows-CAPI2", + "Guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" + }, "EventID": 53, + "Version": 0, + "Level": 4, + "Task": 53, + "Opcode": 2, + "Keywords": "0x4000000000000036", + "TimeCreated_attributes": { + "SystemTime": "2017-05-19T02:02:36.203125Z" + }, "EventRecordID": 28, + "Correlation": null, "Execution_attributes": { "ProcessID": 1396, "ThreadID": 2132 }, - "Keywords": "0x4000000000000036", - "Level": 4, - "Opcode": 2, - "Provider_attributes": { - "Guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}", - "Name": "Microsoft-Windows-CAPI2" - }, + "Channel": "Microsoft-Windows-CAPI2/Operational", + "Computer": "WIN-M5327EF98B9", "Security_attributes": { "UserID": "S-1-5-21-1223297778-3299746493-1462173606-500" - }, - "Task": 53, - "TimeCreated_attributes": { - "SystemTime": "2017-05-19T02:02:36.203125Z" - }, - "Version": 0 + } }, "UserData": { "CryptRetrieveObjectByUrlWire": { + "URL_attributes": { + "scheme": "http" + }, + "URL": "http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl", + "Object_attributes": { + "type": "CONTEXT_OID_CRL", + "constant": "2" + }, + "Timeout": "PT9.984S", + "Flags_attributes": { + "value": "202005", + "CRYPT_RETRIEVE_MULTIPLE_OBJECTS": "true", + "CRYPT_WIRE_ONLY_RETRIEVAL": "true", + "CRYPT_LDAP_SCOPE_BASE_ONLY_RETRIEVAL": "true", + "CRYPT_PROXY_CACHE_RETRIEVAL": "true" + }, + "AuxInfo_attributes": { + "maxUrlRetrievalByteCount": "104857600", + "fProxyCacheRetrieval": "true" + }, "AdditionalInfo": { + "NetworkConnectivityStatus_attributes": { + "value": "1", + "_SENSAPI_NETWORK_ALIVE_LAN": "true" + }, "Action_attributes": { "name": "NoProxy" }, 
+ "Action_1_attributes": { + "name": "NoProxy" + }, "HTTPRequestHeadersInfo": { "Header": "Connection: Keep-Alive", "Header_1": "GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1", @@ -49,8 +78,6 @@ expression: "&value" "HTTPResponseHeadersInfo": { "Header": "x-ms-blob-type: BlockBlob", "Header_1": "HTTP/1.1 200 OK", - "Header_10": "x-ms-version: 2009-09-19", - "Header_11": "x-ms-lease-status: unlocked", "Header_2": "Connection: keep-alive", "Header_3": "Date: Thu, 18 May 2017 11:37:58 GMT", "Header_4": "Content-Length: 813", 
@@ -58,62 +85,37 @@ expression: "&value" "Header_6": "Last-Modified: Tue, 02 May 2017 22:24:24 GMT", "Header_7": "ETag: 0x8D491A9FD112A27", "Header_8": "Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0", - "Header_9": "x-ms-request-id: 477c132d-0001-0045-443b-c49ae1000000" - }, - "NetworkConnectivityStatus_attributes": { - "_SENSAPI_NETWORK_ALIVE_LAN": "true", - "value": "1" + "Header_9": "x-ms-request-id: 477c132d-0001-0045-443b-c49ae1000000", + "Header_10": "x-ms-version: 2009-09-19", + "Header_11": "x-ms-lease-status: unlocked" } }, - "AuxInfo_attributes": { - "fProxyCacheRetrieval": "true", - "maxUrlRetrievalByteCount": "104857600" + "CacheInfo_attributes": { + "lastSyncTime": "2017-05-19T02:02:36.203Z" }, "CacheInfo": { "URLCacheResponseInfo_attributes": { - "lastModifiedTime": "2017-05-02T22:24:24Z", - "responseType": "CRYPTNET_URL_CACHE_RESPONSE_HTTP" + "responseType": "CRYPTNET_URL_CACHE_RESPONSE_HTTP", + "lastModifiedTime": "2017-05-02T22:24:24Z" } }, - "CacheInfo_attributes": { - "lastSyncTime": "2017-05-19T02:02:36.203Z" - }, - "CorrelationAuxInfo_attributes": { - "SeqNumber": "7", - "TaskId": "{74E4CD40-C966-49F5-B50A-032DFFEE57CA}" + "RetrievedObjects": { + "CertificateRevocationList_attributes": { + "fileRef": "0986764ED95D3C77F3F1AD8340EDD2F36C3BF8E7.crl", + "issuerName": "Microsoft Root Certificate Authority" + } }, "EventAuxInfo_attributes": { "ProcessName": "Setup.exe" }, - "Flags_attributes": { - "CRYPT_LDAP_SCOPE_BASE_ONLY_RETRIEVAL": "true", - "CRYPT_PROXY_CACHE_RETRIEVAL": "true", - "CRYPT_RETRIEVE_MULTIPLE_OBJECTS": "true", - "CRYPT_WIRE_ONLY_RETRIEVAL": "true", - "value": "202005" - }, - "Object_attributes": { - "constant": "2", - "type": "CONTEXT_OID_CRL" + "CorrelationAuxInfo_attributes": { + "TaskId": "{74E4CD40-C966-49F5-B50A-032DFFEE57CA}", + "SeqNumber": "7" }, "Result_attributes": { "value": "0" - }, - "RetrievedObjects": { - "CertificateRevocationList_attributes": { - "fileRef": "0986764ED95D3C77F3F1AD8340EDD2F36C3BF8E7.crl", - 
"issuerName": "Microsoft Root Certificate Authority" - } - }, - "Timeout": "PT9.984S", - "URL": "http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl", - "URL_attributes": { - "scheme": "http" } } } - }, - "Event_attributes": { - "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" } } diff --git a/tests/snapshots/test_record_samples__event_json_with_size_t.snap b/tests/snapshots/test_record_samples__event_json_with_size_t.snap index 1ca545c..2a0116c 100644 --- a/tests/snapshots/test_record_samples__event_json_with_size_t.snap +++ b/tests/snapshots/test_record_samples__event_json_with_size_t.snap 
@@ -7,49 +7,49 @@ expression: "&value" "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, - "EventData": { - "HandleId": "0x7eec", - "NewSd": "S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)", - "ObjectName": "C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IO.Log.dll", - "ObjectServer": "Security", - "ObjectType": "File", - "OldSd": "", - "ProcessId": "0x858", - "ProcessName": "C:\\Windows\\servicing\\TrustedInstaller.exe", - "SubjectDomainName": "WORKGROUP", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "WIN-L0ZZQ76PMUF$", - "SubjectUserSid": "S-1-5-18" - }, "System": { - "Channel": "Security", - "Computer": "WIN-L0ZZQ76PMUF", - "Correlation": null, - "EventID": 4907, - "EventRecordID": 196, - "Execution": { + "Provider": { "#attributes": { - "ProcessID": 632, - "ThreadID": 684 + "Name": "Microsoft-Windows-Security-Auditing", + "Guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}" } }, - "Keywords": "0x8020000000000000", + "EventID": 4907, + "Version": 0, "Level": 0, + "Task": 13568, "Opcode": 0, - "Provider": { + "Keywords": "0x8020000000000000", + "TimeCreated": { "#attributes": { - "Guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "Name": "Microsoft-Windows-Security-Auditing" + "SystemTime": "2015-08-23T21:25:49.063125Z" } }, - "Security": null, - "Task": 13568, - "TimeCreated": { + "EventRecordID": 196, + "Correlation": null, + "Execution": { "#attributes": { - "SystemTime": "2015-08-23T21:25:49.063125Z" + "ProcessID": 632, + "ThreadID": 684 } }, - "Version": 0 + "Channel": "Security", + "Computer": "WIN-L0ZZQ76PMUF", + "Security": null + }, + "EventData": { + "SubjectUserSid": "S-1-5-18", + "SubjectUserName": "WIN-L0ZZQ76PMUF$", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "ObjectServer": "Security", + "ObjectType": "File", + "ObjectName": "C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IO.Log.dll", + "HandleId": "0x7eec", + "OldSd": "", + "NewSd": 
"S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)", + "ProcessId": "0x858", + "ProcessName": "C:\\Windows\\servicing\\TrustedInstaller.exe" } } } \ No newline at end of file