Benchmark against EricZimmerman/evtx

[59e5aaf4]

Hi,
On shipping .evtx data to some SIEM , the following set of tools exist and allow parsing .evtx ( from windows, in C#, lol ) up to some SIEM, and KAPE, the IR suite has this automated-ish in some "EvtxECmd" configuration settings, allowing .evtx to be converetd to JSON using https://github.com/EricZimmerman/evtx , then just planting them on a VM with logscale for .json ingestion in ELK ( see https://aboutdfir.com/sof-elk-and-integration-with-kape/ ).

Question : by how many order of magnitudes is your excellent rust evtx parser faster than this custom C# implementation ? ( https://github.com/EricZimmerman/evtx/blob/master/evtx/EventLog.cs ) Thanks !
There's not much metrics, just a screenshot on https://binaryforay.blogspot.com/2019/04/introducing-evtxecmd.html mentioning parsing 260 records in 0.5546s.

Cheers ! ( And thank you very much for this excellent piece of work )

[omerbenamram]

Hey! I think EvtxECmd is a great tool, it's a little bit more bespoke and has some cool feature like the maps and better CSV support. In terms of performance this tool is significantly faster.

TL;DR - 10x-100x of performance difference, depends on if we consider multithreading fair game.

I've build a release binary, using dotnet core 6 on Ubuntu 24.04.

For parsing https://github.com/omerbenamram/evtx/blob/master/samples/security_big_sample.evtx

EvtxECmd takes about 16-20 seconds (I've ran it a few times, it's a little sensitive to filesystem/cache timings).

omerba in 🌐 omer-pc in EvtxECMD on  master [?] on ☁️  [email protected] took 1m3s 
❯ ./EvtxECmd/bin/Release/net6.0/EvtxECmd -f ../evtx/samples/security_big_sample.evtx --json /tmp/jsonout
EvtxECmd version 1.5.0.0

Author: Eric Zimmerman ([email protected])
https://github.com/EricZimmerman/evtx

Command line: -f ../evtx/samples/security_big_sample.evtx --json /tmp/jsonout

json output will be saved to /tmp/jsonout/20241112173717_EvtxECmd_Output.json

Maps directory /home/omerba/Workspace/EvtxECMD/EvtxECmd/bin/Release/net6.0/Maps does not exist! Event ID maps will not be loaded!!

Processing /home/omerba/Workspace/evtx/samples/security_big_sample.evtx...
Chunk count: 481, Iterating records...

Event log details
Flags: None
Chunk count: 481
Stored/Calculated CRC: 9366A7DE/9366A7DE
Earliest timestamp: 2016-10-06 01:47:07.1663024
Latest timestamp:   2016-10-07 09:38:24.7494104
Total event log records found: 62,031

Records included: 62,031 Errors: 0 Events dropped: 0

Metrics (including dropped events)
Event ID        Count
1102            1
4624            3,648
4634            3,642
4648            27
4656            151
4658            129
4661            11
4662            32
4672            2,814
4673            2
4688            382
4689            383
4696            191
4698            1
4720            1
4722            1
4724            1
4728            1
4737            1
4738            2
4768            37
4769            344
4770            31
4776            14
4780            1
4800            4
4801            4
4802            4
4803            4
4985            2
5140            1,537
5152            9,310
5154            1
5156            22,517
5157            8,312
5158            8,488

Processed 1 file in 16.3789 seconds

evtx_dump takes around 200 miliseconds and produces the same number of records.

omerba in 🌐 omer-pc in EvtxECMD on  master [?] on ☁️  [email protected] took 2s 
❯ hyperfine './evtx_dump-v0.8.4-x86_64-unknown-linux-gnu -o jsonl ../evtx/samples/security_big_sample.evtx'
Benchmark 1: ./evtx_dump-v0.8.4-x86_64-unknown-linux-gnu -o jsonl ../evtx/samples/security_big_sample.evtx
  Time (mean ± σ):     197.2 ms ±   3.1 ms    [User: 3064.8 ms, System: 139.2 ms]
  Range (min … max):   193.9 ms … 203.4 ms    14 runs
 

omerba in 🌐 omer-pc in EvtxECMD on  master [?] on ☁️  [email protected] took 2s 
❯ ./evtx_dump-v0.8.4-x86_64-unknown-linux-gnu -o jsonl ../evtx/samples/security_big_sample.evtx  | wc -l
62031

The thing is EvtxECMD doesn't support any multi-threading though, so for an apples to apples comparison, if we limit evtx dump to a single thread, we run at about 1.7~ seconds for the file. Which is an order of magnitude from 17 seconds.

This makes sense since rust is significantly more resource efficient than C#. I believe this will be comparable also on windows, even though the dotnet runtime is probably a bit quicker there.

omerba in 🌐 omer-pc in EvtxECMD on  master [?] on ☁️  [email protected] 
❯ hyperfine './evtx_dump-v0.8.4-x86_64-unknown-linux-gnu -t 1 -o jsonl ../evtx/samples/security_big_sample.evtx'
Benchmark 1: ./evtx_dump-v0.8.4-x86_64-unknown-linux-gnu -t 1 -o jsonl ../evtx/samples/security_big_sample.evtx
  Time (mean ± σ):      1.814 s ±  0.252 s    [User: 1.796 s, System: 0.027 s]
  Range (min … max):    1.142 s …  2.001 s    10 runs

[59e5aaf4]

OK, thanks for the explanation. I had overlooked the "maps" part of EvtxECmd, it looks pretty relevant to standardise data. Right now having the raw-ish data shipped to some Splunk server with https://github.com/whikernel/evtx2splunk is good enough, while a little bit verbose. Correlating across different kind of logs can be a bit tricky though, given the variety of field names. That project I used mentions https://github.com/libyal/winevt-kb/ to rebuild messages out of raw data, but I could not really understand that winevt-kb project exposes its data, their doc is minimal.
Have a great day !