countercept / chainsaw

Rapidly Search and Hunt through Windows Event Logs

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Use separate-json-attributes

forensicmatt opened this issue · comments

Curious why not use separate-json-attributes for the EvtxParserSettings?

The issue with not using this settings is that it causes inconsistent json attribute naming standard:
image

When ever a XML element as an attribute, the JSON field will split into a #text and #attributes. This causes issues on many fronts. Using separate-json-attributes setting for the parser will normalize the fields and an XML element's value will always be the field name and any element attributes will be placed under <ELEMENT_NAME>_attributes. This prevents inconsistent field names in JSON serializations.

Some other references:

If you are open to this I can create a PR

Hi @forensicmatt

Thanks for raising this issue. I have created PR #54 which should implement what you're discussing here. Do you want to take a look and make sure I've implemented it as you were thinking?

I'll merge into master once it's been reviewed.

Looks good. Now you wont have to guess when its going to be Attribute or Attribute.#text

ezoic increase your site revenue