
Unable to create table #59

Closed
giacomoconti1978 opened this issue May 9, 2023 · 3 comments
Comments

giacomoconti1978 commented May 9, 2023

I'm new to Zircolite, but when I try to use it, I have this issue:

███████╗██╗██████╗  ██████╗ ██████╗ ██╗     ██╗████████╗███████╗
╚══███╔╝██║██╔══██╗██╔════╝██╔═══██╗██║     ██║╚══██╔══╝██╔════╝
  ███╔╝ ██║██████╔╝██║     ██║   ██║██║     ██║   ██║   █████╗
 ███╔╝  ██║██╔══██╗██║     ██║   ██║██║     ██║   ██║   ██╔══╝
███████╗██║██║  ██║╚██████╗╚██████╔╝███████╗██║   ██║   ███████╗
╚══════╝╚═╝╚═╝  ╚═╝ ╚═════╝ ╚═════╝ ╚══════╝╚═╝   ╚═╝   ╚══════╝

-= Standalone SIGMA Detection tool for EVTX/Auditd/Sysmon Linux =-

[+] Checking prerequisites
[+] Extracting events Using 'tmp-YIWJDQ4F' directory
100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 161/161 [00:05<00:00, 28.50it/s]
[+] Processing events
100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 161/161 [00:14<00:00, 11.20it/s]
[+] Creating model
[-] Unable to create table

Why?


wagga40 commented May 9, 2023

Hi, could you provide me:

  • the command line you typed
  • the version you used (python or packaged release, windows or linux, if linux musl or libc)
  • any environmental details that could help me understand your problem

Did you try with the option "--debug" and check Zircolite.log?

wagga40 closed this as completed May 26, 2023

clausing commented Mar 26, 2024

I know this was closed, but I ran into this today and I'm not sure what to do with "[-] too many columns on logs".
This was working on Windows EVTX logs.

(attached screenshot: 2024-03-26 15_23_56-sift-azure - SecureCRT)


wagga40 commented Mar 27, 2024

Hello, this typically indicates that your logs have too many fields, which turn into columns following the EVTX to SQLite conversion. By default, SQLite, which Zircolite uses as its backend, imposes a strict limit of 2000 columns (see details here). Altering this limit requires recompilation, a step not easily feasible as SQLite is accessed via the Python library in this context.

To avoid this you could:

  • If you give a lot of EVTX files to Zircolite, reduce the number of files
  • If you're working with a single, large EVTX file, consider splitting it. One method involves converting the EVTX file to JSONL using evtx_dump (found in Zircolite's bin directory), then dividing the JSONL file using any text file splitting tool, and finally using Zircolite's option to process JSON files

Please give me feedback if it works for you.
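The following is an added example, not code from the issue thread or from Zircolite itself. It shows both halves of the explanation above: first, that the SQLite library linked into Python's sqlite3 module rejects a CREATE TABLE whose column count exceeds its column limit (SQLITE_MAX_COLUMN, 2000 in a default build) with the same "too many columns on logs" error quoted in the thread; second, a JSONL splitter that groups events so that the set of distinct field names in each chunk stays under a chosen ceiling, which is why splitting the JSONL file helps. The dotted-key flattening, the constructed sample events, the table name "logs" and the ceiling of 5 fields are assumptions made for the demonstration, not Zircolite's exact field mapping or defaults.

```python
import json
import sqlite3

# Default compile-time SQLITE_MAX_COLUMN (assumption: a distro build may differ,
# so sqlite_column_limit() asks the linked library at runtime instead).
SQLITE_DEFAULT_MAX_COLUMN = 2000


def create_wide_table(num_columns: int) -> bool:
    """Try to CREATE TABLE with num_columns TEXT columns in an in-memory DB.

    Returns True if SQLite accepts the statement, False if it rejects it with
    the 'too many columns on <table>' error reported in the issue.
    """
    conn = sqlite3.connect(":memory:")
    cols = ", ".join(f'"c{i}" TEXT' for i in range(num_columns))
    try:
        conn.execute(f"CREATE TABLE logs ({cols})")  # "logs" is a constructed table name
        return True
    except sqlite3.OperationalError as exc:
        if "too many columns" in str(exc):
            return False
        raise
    finally:
        conn.close()


def sqlite_column_limit() -> int:
    """Return the column limit of the SQLite library Python is linked against.

    Uses Connection.getlimit (Python 3.11+); on older Pythons it probes by
    binary search, since SQLITE_MAX_COLUMN can never exceed 32767.
    """
    conn = sqlite3.connect(":memory:")
    try:
        if hasattr(conn, "getlimit") and hasattr(sqlite3, "SQLITE_LIMIT_COLUMN"):
            return conn.getlimit(sqlite3.SQLITE_LIMIT_COLUMN)
    finally:
        conn.close()
    lo, hi = 1, 32767  # invariant: lo columns are accepted, hi + 1 are not
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if create_wide_table(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def flatten(obj: dict, prefix: str = "") -> dict:
    """Flatten nested JSON objects into dotted keys.

    Assumption: a simplified stand-in for the flattening that turns each
    distinct field of the EVTX-derived JSON into one SQLite column.
    """
    flat = {}
    for key, value in obj.items():
        name = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, name))
        else:
            flat[name] = value
    return flat


def chunk_fields(lines) -> set:
    """Distinct flattened field names across the given JSONL lines."""
    fields = set()
    for line in lines:
        fields |= set(flatten(json.loads(line)))
    return fields


def split_jsonl_by_fields(lines, max_fields: int) -> list:
    """Group JSONL lines into chunks whose union of flattened field names never
    exceeds max_fields, so every chunk would fit under the column limit."""
    chunks, current, current_fields = [], [], set()
    for line in lines:
        if not line.strip():
            continue
        fields = set(flatten(json.loads(line)))
        if len(fields) > max_fields:
            raise ValueError(f"single event has {len(fields)} fields > {max_fields}")
        if current and len(current_fields | fields) > max_fields:
            chunks.append(current)
            current, current_fields = [], set()
        current.append(line)
        current_fields |= fields
    if current:
        chunks.append(current)
    return chunks


# Constructed sample events, shaped loosely like evtx_dump's JSON output.
SAMPLE_JSONL = [json.dumps(e) for e in [
    {"Event": {"System": {"EventID": 1, "Computer": "host-a"},
               "EventData": {"Image": r"C:\Windows\System32\cmd.exe"}}},
    {"Event": {"System": {"EventID": 4624, "Computer": "host-a"},
               "EventData": {"TargetUserName": "alice", "LogonType": 3}}},
    {"Event": {"System": {"EventID": 7045, "Computer": "host-a"},
               "EventData": {"ServiceName": "UpdaterSvc"}}},
    {"Event": {"System": {"EventID": 1, "Computer": "host-b"},
               "EventData": {"ParentImage": r"C:\Windows\explorer.exe"}}},
]]


if __name__ == "__main__":
    limit = sqlite_column_limit()
    print(f"SQLite column limit: {limit}")
    print(f"{limit} columns accepted:", create_wide_table(limit))
    print(f"{limit + 1} columns accepted:", create_wide_table(limit + 1))
    for i, chunk in enumerate(split_jsonl_by_fields(SAMPLE_JSONL, 5), 1):
        print(f"chunk {i}: {len(chunk)} events, {len(chunk_fields(chunk))} fields")
```

Running it prints the limit of the linked library, shows that exactly that many columns are accepted and one more is refused, and splits the four constructed events into two chunks when the ceiling is 5 fields (the third event introduces a sixth distinct field and starts a new chunk). A real split would count the union of field names per chunk the same way, with the ceiling set below the library's limit.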
