diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md
index 4b6bbb649..01a63380e 100644
--- a/CHANGELOG-Japanese.md
+++ b/CHANGELOG-Japanese.md
@@ -21,6 +21,7 @@
 - `hayabusa-evtx`クレートをバージョン`0.8.12`に更新した。(@yamatosecurity)
 - JSONフィールドの出力順序が元のXMLに従って保持されるようになった。(omerbenamram/evtx #241)
 - 属性と同じ名前を持つ複数のサブノードは上書きされ、最後の1つだけが出力されていた。(omerbenamram/evtx #245)
+- `logon-summary`と`eid-metrics`が複数のプログレスバーを出力することがあった。 #1479 (@fukusuket)
 ## 2.18.0 [2024/10/23] - SecTor Release
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 558292316..165668c3e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -21,6 +21,7 @@
 - Updated `hayabusa-evtx` crate to `0.8.12`. (@yamatosecurity)
 - JSON field output order is now preserved according to the original XML. (omerbenamram/evtx #241)
 - Multiple sub-nodes with attributes and the same name would be overwritten and only the last one kept. (omerbenamram/evtx #245)
+- `logon-summary` and `eid-metrics` would sometimes output multiple progress bars. #1479 (@fukusuket)
 ## 2.18.0 [2024/10/23] - SecTor Release
diff --git a/src/main.rs b/src/main.rs
index 00c0e9bf0..997c08882 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -1936,7 +1936,7 @@ impl App {
                 )),
                 Err(e) => {
                     AlertMessage::alert(&format!(
-                        "timestamp parse error. filepath:{},{} {}",
+                        "Timestamp parse error. Filepath: {},{} {}",
                         path,
                         &target_timestamp
                             .to_string()
@@ -2052,7 +2052,7 @@ impl App {
                 }
                 Err(e) => {
                     AlertMessage::warn(&format!(
-                        "timestamp parse error. filepath:{},{} {}",
+                        "Timestamp parse error. Filepath: {},{} {}",
                         path,
                         &splunk_api_record["Event"]["System"]["SystemTime"]
                             .to_string()
diff --git a/src/timeline/metrics.rs b/src/timeline/metrics.rs
index 109a79da6..cccd8b0e3 100644
--- a/src/timeline/metrics.rs
+++ b/src/timeline/metrics.rs
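Review bot: The reworded alert in the `-1936` hunk still joins the file path and the timestamp with a bare comma (`Filepath: {},{} {}`), so a path that itself contains a comma cannot be told apart from the timestamp that follows it; the `-2052` hunk uses the identical format. Since the messages in `src/timeline/metrics.rs` in this same commit moved to one field per line, I would align these two with them: `"Timestamp parse error.\nFilepath: {}\nTimestamp: {}\nError: {}\n"`, on the assumption that the third argument (outside the hunk) is `e`. The enclosing `match` arms start and end outside both hunks.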
@@ -62,7 +62,7 @@ impl EventMetrics {
         (include_computer, exclude_computer): (&HashSet, &HashSet),
     ) {
         // recordsから、 最初のレコードの時刻と最後のレコードの時刻、レコードの総数を取得する
-        self.stats_time_cnt(records, &stored_static.eventkey_alias);
+        self.stats_time_cnt(records, stored_static);
         // 引数でmetricsオプションが指定されている時だけ、統計情報を出力する。
         if !stored_static.metrics_flag {
@@ -79,12 +79,12 @@ impl EventMetrics {
             return;
         }
-        self.stats_time_cnt(records, &stored_static.eventkey_alias);
+        self.stats_time_cnt(records, stored_static);
         self.stats_login_eventid(records, stored_static);
     }
-    fn stats_time_cnt(&mut self, records: &[EvtxRecordInfo], eventkey_alias: &EventKeyAliasConfig) {
+    fn stats_time_cnt(&mut self, records: &[EvtxRecordInfo], stored_static: &StoredStatic) {
         if records.is_empty() {
             return;
         }
@@ -106,10 +106,17 @@ impl EventMetrics {
                     DateTime::::from_naive_utc_and_offset(splunk_json_datetime, Utc),
                 ),
                 Err(e) => {
-                    AlertMessage::alert(&format!(
-                        "timestamp parse error. input: {evttime} {e}"
-                    ))
-                    .ok();
+                    let errmsg =
+                        format!("Timestamp parse error.\nInput: {evttime}\nError: {e}\n");
+                    if stored_static.verbose_flag {
+                        AlertMessage::alert(&errmsg).ok();
+                    }
+                    if !stored_static.quiet_errors_flag {
+                        ERROR_LOG_STACK
+                            .lock()
+                            .unwrap()
+                            .push(format!("[ERROR] {errmsg}"));
+                    }
                     None
                 }
             }
@@ -124,7 +131,7 @@ impl EventMetrics {
         } else {
             // evtxがリリースされた2007/1/30以前の日付データは不正な形式データ扱いとする
             ERROR_LOG_STACK.lock().unwrap().push(format!(
-                "[ERROR] Invalid record found. EventFile:{} Timestamp:{}",
+                "[ERROR] Invalid record found.\nEventFile:{}\nTimestamp:{}\n",
                 self.filepath,
                 timestamp.unwrap()
             ));
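Review bot: `stats_time_cnt` in the `-79` hunk now takes the whole `StoredStatic` instead of only the alias config, which widens what the function may depend on, yet it still carries no doc comment saying what it computes or how it reports failures; both call sites in the `-62` hunk are updated consistently. I would add above the new signature: `/// Records the first/last event timestamp and the total record count from `records`. Timestamp parse failures are alerted only when `stored_static.verbose_flag` is set and are pushed onto `ERROR_LOG_STACK` unless `stored_static.quiet_errors_flag` is set.` The function body continues past the end of this hunk.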
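Review bot: In the new `Err(e)` arm of the `-106` hunk, a record whose timestamp fails to parse is dropped (the arm yields `None`) with no trace at all when `verbose_flag` is false and `quiet_errors_flag` is true, whereas the old code always emitted the alert; for a summary/metrics feature that is a silent gap in the first/last-timestamp and count statistics. Consider tallying these in a counter on `self` that is reported next to the totals, so a skipped record is still visible even in quiet mode; the surrounding `match` and its enclosing function start outside the hunk. Also, `errmsg` here, like the messages in the `-124` hunk and the `-223` hunk of this file, ends with `\n` before being pushed onto `ERROR_LOG_STACK` — if that stack is later written one entry per line, every entry will be followed by a blank line, so confirm the consumer expects the trailing newline. Finally, `evttime` is raw event content echoed into a terminal alert; escaping control characters before it is printed would keep a crafted event from corrupting the operator's console.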
@@ -140,14 +147,17 @@ impl EventMetrics {
             if let Some(evttime) = utils::get_event_value(
                 "Event.System.TimeCreated_attributes.SystemTime",
                 &record.record,
-                eventkey_alias,
+                &stored_static.eventkey_alias,
             )
             .map(|evt_value| evt_value.to_string().replace("\\\"", "").replace('"', ""))
             {
                 check_start_end_time(&evttime);
-            } else if let Some(evttime) =
-                utils::get_event_value("Event.System.@timestamp", &record.record, eventkey_alias)
-                    .map(|evt_value| evt_value.to_string().replace("\\\"", "").replace('"', ""))
+            } else if let Some(evttime) = utils::get_event_value(
+                "Event.System.@timestamp",
+                &record.record,
+                &stored_static.eventkey_alias,
+            )
+            .map(|evt_value| evt_value.to_string().replace("\\\"", "").replace('"', ""))
             {
                 check_start_end_time(&evttime);
             };
@@ -223,7 +233,7 @@ impl EventMetrics {
                 )
                 .unwrap_or("n/a".into());
                 let errmsg = format!(
-                    "Failed to parse EventID from EventFile: {}, EventRecordID: {}",
+                    "Failed to parse event ID from event file: {}\nEvent record ID: {}\n",
                     &record.evtx_filepath, rec_id
                 );
                 if stored_static.verbose_flag {
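Review bot: The `-140` hunk now has two near-identical branches — the same `utils::get_event_value(…, &record.record, &stored_static.eventkey_alias)` call, the same quote-stripping closure and the same `check_start_end_time(&evttime)` body — differing only in the key string, and the second branch is terminated by a stray `};`. A single lookup that falls back with `Option::or_else` keeps one copy of the closure and one call, with the same behaviour (the fallback is only evaluated when the first key is absent). The enclosing function starts and ends outside the hunk, so the snippet below replaces just these lines.

```rust
            let evttime = utils::get_event_value(
                "Event.System.TimeCreated_attributes.SystemTime",
                &record.record,
                &stored_static.eventkey_alias,
            )
            .or_else(|| {
                utils::get_event_value(
                    "Event.System.@timestamp",
                    &record.record,
                    &stored_static.eventkey_alias,
                )
            })
            .map(|evt_value| evt_value.to_string().replace("\\\"", "").replace('"', ""));
            if let Some(evttime) = evttime {
                check_start_end_time(&evttime);
            }
```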