Feature: Run under linux (wine)
vdun opened this issue · 1 comment
vdun commented
Under wine it partially works. It can read the evtx file and parse it.
Loading the map files fails.
```
# wine /tmp/ericzimmerman/EvtxExplorer/EvtxECmd.exe -f Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx -csvf test.csv
EvtxECmd version 0.5.2.0

Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/evtx

Command line: -f Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx -debug -csvf a.csv

Error loading map file 'Z:\tmp\ericzimmerman\EvtxExplorer\Maps\Microsoft-Windows-Application-Experience_Program-Telemetry_500.map': Type Microsoft.Win32.SafeHandles.SafeHandleZeroOrMinusOneIsInvalid which is passed to unmanaged code must have a StructLayout attribute.
Error loading map file 'Z:\tmp\ericzimmerman\EvtxExplorer\Maps\Microsoft-Windows-Application-Experience_Program-Telemetry_505.map': Type Microsoft.Win32.SafeHandles.SafeHandleZeroOrMinusOneIsInvalid which is passed to unmanaged code must have a StructLayout attribute.
Error loading map file 'Z:\tmp\ericzimmerman\EvtxExplorer\Maps\Microsoft-Windows-Bits-Client_Operational_59.map': Type Microsoft.Win32.SafeHandles.SafeHandleZeroOrMinusOneIsInvalid which is passed to unmanaged code must have a StructLayout attribute.
...
Maps loaded: 0

Processing 'Z:\tmp\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx'...
Chunk count: 1, Iterating records...

Event log details
Flags: None
Chunk count: 1
Stored/Calculated CRC: EE8D56C7/EE8D56C7
Earliest timestamp: 2015-09-09 19:25:14.6092179
Latest timestamp: 2015-09-10 05:30:53.8815253
Total event log records found: 34

Records included: 34 Errors: 0 Events dropped: 0

Metrics (including dropped events)
Event Id Count
21       1
22       1
23       1
32       2
34       25
41       1
42       1
54       2

Processed 1 file in 0.4607 seconds
```
EricZimmerman commented
Linux is not supported at this time