Omer BenAmram
Hi @forensicmatt - I hope we can get to it in the following week or so, just to see that it doesn't regress anything. Appreciate that you've added tests :)
Hi, thanks for letting me know. This is because `EventData` Data nodes usually either contain a `Name` key or appear on their own. For some reason when the event was...
The event log viewer simply goes and prints everything that is `Data` to the log output. So having ``` A String ``` and ``` A String ``` looks the same...
It would look like this: ``` { "Event": { "#attributes": { "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" }, "EventData": { "Data": { "#text": "Set-Mailbox-Identity \"Administrateur\" -DeliverToMailboxAndForward \"False\" -ForwardingSmtpAddress \"smtp:[email protected]\"ave.local/Users/AdministrateurS-1-5-21-186559946-3925841745-111227986-500S-1-5-21-186559946-3925841745-111227986-500Remote-ManagementShell-Unknown5668 w3wp#MSExchangePowerShellAppPool500:00:26.0389557Afficher la forêt entière :...
I would probably use `jq` for this. https://stackoverflow.com/questions/49632521/how-to-add-a-field-to-a-json-object-with-the-jq-command. It can also handle streams if that's an issue https://stackoverflow.com/questions/62825963/improving-performance-when-using-jq-to-process-large-files.
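As an added Python example (not the evtx project's own code, and not taken from the comments above): the two `EventData` shapes described in the reply about `Data` nodes, normalized to one flat dictionary, plus the jq-style "add a field to every record" step from the reply after it, done over a JSON-lines stream. It relies on the `#attributes`/`#text` convention visible in the JSON above; that named `Data` nodes are folded into `EventData` keys, and that several anonymous nodes become a list, are assumptions about the serializer's output rather than facts shown on this page. All sample records are constructed.

```python
import json

# Constructed sample records in the shape evtx_dump's JSON output uses. The
# `#attributes` / `#text` convention and the anonymous-Data shape of this first
# record are copied from the JSON quoted in the comment above.
ANONYMOUS_DATA = {
    "Event": {
        "#attributes": {"xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"},
        "EventData": {
            "Data": {"#text": "Set-Mailbox -Identity Administrateur -DeliverToMailboxAndForward False"}
        },
    }
}
# Assumption: <Data Name="..."> nodes are folded into keys of EventData. This
# shape is not shown on the page; it is what the rest of the example assumes.
NAMED_DATA = {
    "Event": {
        "#attributes": {"xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"},
        "EventData": {"SubjectUserSid": "S-1-5-18", "TargetUserName": {"#text": "svc-backup"}},
    }
}
# Assumption: several anonymous <Data> nodes are serialized as a list.
MULTI_DATA = {"Event": {"EventData": {"Data": [{"#text": "first"}, "second"]}}}


def node_text(node):
    """Text of a serialized XML node: either a bare scalar or a {"#text": ...} dict."""
    if isinstance(node, dict):
        return str(node.get("#text", ""))
    return "" if node is None else str(node)


def event_data_fields(record):
    """Flatten Event.EventData to {name: text} so downstream code sees the same
    keys whether the Data nodes carried a Name attribute or appeared on their own."""
    event_data = record.get("Event", {}).get("EventData") or {}
    fields = {}
    for key, value in event_data.items():
        if key == "#attributes":
            continue
        if key == "Data":
            # Anonymous nodes have no name, so they are numbered by position.
            items = value if isinstance(value, list) else [value]
            for i, item in enumerate(items):
                fields["Data" if len(items) == 1 else f"Data{i}"] = node_text(item)
        else:
            fields[key] = node_text(value)
    return fields


def tag_jsonl(lines, **extra):
    """Add fields to every record of a JSON-lines stream, one record per line.
    Python equivalent of running jq's `. + {"key": "value"}` over the stream;
    blank lines are skipped. Yields serialized records."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        record.update(extra)
        yield json.dumps(record, ensure_ascii=False)


if __name__ == "__main__":
    for rec in (ANONYMOUS_DATA, NAMED_DATA, MULTI_DATA):
        print(event_data_fields(rec))
    stream = [json.dumps(r) for r in (ANONYMOUS_DATA, NAMED_DATA)]
    for out in tag_jsonl(stream, source_host="dc01", evtx_file="Security.evtx"):
        print(out)
```

`tag_jsonl` reads one record at a time, so it works on a large dump without loading the whole file, which is the same reason the jq stream mode is suggested above.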
Hi @williballenthin, thanks for your work on this, it looks really cool 😄 It sounds reasonable to extend `read_open_start_element` if we can pass it a flag from the parser...
I agree that adding a lot of if-else branches can get cumbersome, but I think if it's just this small bit of behavior we could probably let it slide. In...
@yampelo let me know if you need a hand with this :)
@yampelo The nice thing is that my package already produces valid JSON in rust, so most of the code that is currently here https://github.com/yampelo/beagle/blob/master/beagle/datasources/win_evtx.py#L78 will go away (replaced with `json.loads`)....
It's technically possible using seek, as you've mentioned. It's not implemented by `evtx_dump`, however.