bill-long / eventlogexpert Goto Github PK

User should be able to filter for providers, ids, text in descriptions, etc, just like other event viewer tools.

User should be able to enter text or an ID and Find Next.

Please add functionality to easily assign colors to specific IDs/Levels/Source or Machine names

We have to create our own scrollbar since we're micromanaging the view for performance.

Can we group providers using the publisher of the DLL and use this to expose the providers to the user so they can select the ones they want at ingestion time? Let's look into this.

This bug was introduced by the previous commit.

It turns out NeDB will not work for our use case due to this: louischatriot/nedb#479

We want to allow multiple processes to access the database at the same time, since a user could have multiple event logs open at the same time in different windows, and in Electron each window is process. We could push all the data through the main process and use RPC calls, but this is not recommended.

At this point, a better option is probably to just use IndexedDB, which is built in to the browser. That will work fine as long as we set makeSingleInstance as described here: electron/electron#10792

Looks like all event IDs for Netlogon events in a System log are not loading text - so far I've seen 5783, 5816, 5719, 5823, 5817 loading with text "The description for this event could not be found. The following information was included with the event" - this source is Windows 2012 R2 Standard

Right now we have to manually build and copy the DLL to the right place, which is super annoying.

Frequently attempt to debug server issues by opening both App and System event logs and reviewing time and events side-by-side. Please enable the app for multi-launch.

When attempting to collect the providers from a remote machine instead of doing localhost, we fail to export all the providers correctly. Need to be able to export from a single machine vs installing the tool on each machine that we are wanting providers from.

When you save an event log, you can opt to include all the description info. We need to make sure we support opening these types of files.

When loading the events, I am able to choose a time zone, and the events are displayed for that selected time zone in the event grid. When an event is selected and the details are displayed in the bottom pane, the time is converted back to local machine time. Also, when I click the Copy or Copy with XML buttons, the plain text time is in local time.

Launching the tool without double-clicking an EVTX will sometimes fail like this:

The problem is that on line 72 of eventlogexpert.windowmanager.ts, this.openWindows[0] is null. Maybe a timing issue? At the very least, this needs a null check.

When we import a lot of provider data at once, the database call returns before the data is actually stored. For example, when the promise returns and we say "Done!", if you close that window and then go look, you'll find that not all the data is actually there. Task Manager shows continued high CPU and disk activity for seconds to minutes afterwards.

We should not report it's done until it's actually done. @dpaulson45 had the idea of querying for the final thing we added until we see it, and then reporting done. Need to test that approach.

Ingest window is only working at dev time.

For logs like the ResponderResult log from Exchange, there is no event description. All the data is only visible in the raw event data. We need to show this stuff somewhere on the event detail pane.

Need to be able to sort by clicking table headers.

When the user changes tag priority, it should be saved and used as default next time.

It turns out the reader delegate we get from our EventReader class cannot return the total number of events in the log, so we have no way to report progress. Instead, we should report the number of events loaded so far.