Experimental Fluentd input plugin that reads Windows EVTX files.
DO NOT EXPECT THIS TO WORK. This is the outcome of a weekend hack-a-thon
with the intent of solving this
issue in
the Windows EventLog fluentd plugin. Despite what the issue says, I couldn't get the
workaround to work without flooding my test machine with events from the
Application log, which got me pondering what an implementation that only
reads evtx files, instead of making Win32 API calls, could look like.
In its current state, this can do little
more than read an entire evtx
file and then emit all of its events. I spent
some time thinking about implementing position tracking or ranged reads of
the file, but alas I did not have time to get that far.
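The position tracking mentioned above, as an added example that is not part of this repo. Because the plugin parses the whole file on every read, the cheapest cursor is the EventRecordID of the last emitted event rather than a byte offset; the tracker below persists that per file in a small JSON pos file and also handles the log being cleared (record ids restart from 1). It assumes each parsed event is a Hash shaped like the JSON the evtx crate emits, with the record number at `event["Event"]["System"]["EventRecordID"]`; the sample events and the pos-file format are constructed for the example.

```ruby
require "json"
require "tmpdir"

# Added example (not the plugin's own code): position tracking for a
# read-the-whole-file evtx input, keyed on EventRecordID and persisted
# per file in a JSON "pos" file.
# Assumption: each parsed event is a Hash shaped like the JSON the evtx
# crate emits, with the record number at event["Event"]["System"]["EventRecordID"].
class EvtxPositionTracker
  def initialize(pos_path)
    @pos_path = pos_path
    @positions = File.exist?(pos_path) ? JSON.parse(File.read(pos_path)) : {}
  end

  def last_record_id(file)
    @positions.fetch(file, 0)
  end

  # Given all events parsed from `file`, return only those not yet emitted
  # and advance the saved position. Events without a record id are skipped.
  def new_events(file, events)
    last = last_record_id(file)
    with_ids = events.map { |e| [record_id(e), e] }.reject { |id, _| id.nil? }
    max_id = with_ids.map(&:first).max || last

    # The log was cleared (e.g. `wevtutil cl Security`): record ids restart
    # from 1, so a saved position above the file's highest id would suppress
    # every event forever. Reset the cursor instead of staying silent.
    last = 0 if max_id < last

    fresh = with_ids.select { |id, _| id > last }.map(&:last)
    @positions[file] = [max_id, last].max
    save
    fresh
  end

  private

  def record_id(event)
    id = event.dig("Event", "System", "EventRecordID")
    id.is_a?(Integer) ? id : nil
  end

  # Write to a temp file and rename so a crash mid-write cannot leave a
  # truncated pos file (which would re-emit the whole log on the next start).
  def save
    tmp = "#{@pos_path}.tmp"
    File.write(tmp, JSON.generate(@positions))
    File.rename(tmp, @pos_path)
  end
end

# Constructed sample events in the assumed evtx-crate JSON shape.
def sample_events(ids)
  ids.map do |i|
    { "Event" => { "System" => { "EventRecordID" => i, "EventID" => 4624, "Channel" => "Security" } } }
  end
end

# Walks the lifecycle: first read, restart with nothing new, new events
# appended, then a cleared log. Returns the number emitted at each step.
def run_demo
  Dir.mktmpdir do |dir|
    pos = File.join(dir, "evtx.pos")
    file = "C:/Windows/System32/winevt/Logs/Security.evtx" # path is illustrative only

    first    = EvtxPositionTracker.new(pos).new_events(file, sample_events(1..5)).size
    restart  = EvtxPositionTracker.new(pos).new_events(file, sample_events(1..5)).size
    appended = EvtxPositionTracker.new(pos).new_events(file, sample_events(1..7)).size
    cleared  = EvtxPositionTracker.new(pos).new_events(file, sample_events(1..2)).size

    [first, restart, appended, cleared]
  end
end

puts run_demo.inspect if $PROGRAM_NAME == __FILE__
```

Note that this only avoids re-emitting events already shipped; the file is still parsed in full each time, so ranged reads remain the next step for large Security logs. Record ids restarting lower than the saved cursor is treated as a cleared log, which is a reasonable default for a collector but is also exactly the condition a detection engineer may want surfaced as its own event.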
In this experiment I have leveraged the Rust crate evtx and Helix to construct a compiled extension, to avoid having to implement Microsoft's binary XML (BinXml) format in pure Ruby. Ruby tends to overallocate memory, and in experiments the crate and Helix glue code can handle loading, parsing, and spitting out the default Security log with auditing turned on (i.e. LOTS of events) with minimal heap allocations.
Ruby seems to spend most of its allocations creating the strings for all the log events, which in this case was 65,189 events.
Given the short amount of time I spent on this I'm sure there are some easy optimization wins I did not catch. It is much better than what I started with, which had several hundred MB of allocations because I wasn't writing performant Ruby 😆.
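One way to put a number on the "strings for all the log events" cost, as an added example that is not this repo's code: count Ruby object allocations around the step that turns parsed events into String-keyed records, and compare naive per-event string building with deduplicated (interned) key strings. The sample events are constructed, the field names only mirror the System section of an evtx record, and nothing here reads a real file; `GC.stat(:total_allocated_objects)` counts objects rather than bytes, so it is a cheap first check before reaching for a per-call-site profiler.

```ruby
# Added example (not the plugin's code): measure Ruby object allocations
# while converting parsed events into String-keyed records, comparing naive
# string building with deduplicated keys. Events below are constructed.
def sample_system_fields(n)
  (1..n).map do |i|
    {
      "EventRecordID" => i,
      "EventID" => 4624,
      "Channel" => "Security",
      "Computer" => "WIN-TEST",
    }
  end
end

# Objects allocated while running the block, from GC's monotonic counter.
def allocations_during
  before = GC.stat(:total_allocated_objects)
  yield
  GC.stat(:total_allocated_objects) - before
end

# Naive: a new "System.<field>" key string and a new value string
# for every field of every event.
def naive_records(events)
  events.map do |e|
    e.map { |k, v| ["System." + k, v.to_s] }.to_h
  end
end

# Deduplicated: each key string is built once and interned with String#-@,
# and values that already are Strings are passed through rather than copied.
def dedup_records(events)
  keys = Hash.new { |h, k| h[k] = -("System." + k) }
  events.map do |e|
    e.map { |k, v| [keys[k], v.is_a?(String) ? v : v.to_s] }.to_h
  end
end

# Returns the allocation counts for both strategies over n constructed events.
def compare_allocations(n = 20_000)
  events = sample_system_fields(n)
  naive = allocations_during { naive_records(events) }
  dedup = allocations_during { dedup_records(events) }
  { naive: naive, dedup: dedup, saved: naive - dedup }
end

puts compare_allocations.inspect if $PROGRAM_NAME == __FILE__
```

With four fields per event, the naive path allocates four key strings per event that the deduplicated path does not, so the saving scales linearly with event count; on a 65k-event Security log that is the kind of "easy win" worth checking before touching the Rust side. For a per-call-site breakdown of where the remaining allocations come from, the memory_profiler gem reports allocated objects and bytes by file and line.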
A big thanks to the authors of these articles, blogs, and references. They helped me get a grasp on a basic implementation in a short amount of time :smile:.