As a drive-by user, it would be convenient if there were a demo evtx file that could be loaded from the file menu. This would make the tool easier to evaluate, since I don't have to find an evtx file (especially on mobile). (feel free to ignore)

Hey @williballenthin! Thought about this haha, may include a small one to showcase which loads dynamically to not blow up bundle size. This really shines with larger files though. Let me know what your thoughts are if you get a chance to try it :)

@williballenthin decided to add a small sample anyways :) was just one cursor request away. Have fun!

Thanks, it's great! I love the include/exclude/add to column actions.

duckdb is insanely performant - so that's the reason it's possible to do this while maintaining facet counts on zillion lines logs. Glad you liked it!
Pull Request Overview
This PR introduces a full browser-based EVTX log viewer powered by a Rust-compiled WASM parser and DuckDB via Apache Arrow, wrapped in a React single-page application.
- Adds `evtx-wasm` crate with WASM bindings for EVTX parsing and Arrow IPC serialization
- Provides `run_viewer.sh` to build the WASM module and launch a Vite dev server
- Implements a React SPA with global state, virtualization, theming, and a suite of Windows-style UI components
Reviewed Changes
Copilot reviewed 78 out of 82 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| src/lib.rs | Re-exported file header types to support WASM viewer binding |
| run_viewer.sh | Shell script for building the WASM crate and starting Vite |
| evtx-wasm/src/lib.rs | Core WASM bindings & parsing logic for EVTX files |
| evtx-wasm/evtx-viewer/vite.config.ts | Vite configuration for serving/building the React viewer |
Comments suppressed due to low confidence (1)
evtx-wasm/src/lib.rs:71
- This function lacks dedicated unit tests to verify bucket counts across various record scenarios. Consider adding tests for compute_buckets with sample EVTX blobs to ensure correct bucket computation and error handling.
pub fn compute_buckets(data: &[u8]) -> Result<JsValue, JsError> {
| } | ||
| /** Build a SQL WHERE clause from current filters */ | ||
| export function buildWhere(filters: FilterOptions): string { |
The current implementation constructs SQL WHERE clauses via string interpolation, which may be vulnerable to injection if filter values contain quotes or unexpected characters. Consider using parameterized queries or a SQL builder API to safely bind values.
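A parameterized version of the clause builder this comment is about, added here as an example and not code from the PR; the `FilterOptions` shape, the column allow-list and the DuckDB-WASM prepared-statement call shown in the trailing comment are assumptions.

```typescript
// Added example, not the PR's code. Builds the WHERE clause with `?`
// placeholders and a separate parameter array instead of interpolating
// filter values into the SQL text. FilterOptions' shape is assumed here.
export interface FilterOptions {
  include: Record<string, string[]>; // column -> values that must match
  exclude: Record<string, string[]>; // column -> values that must not match
  search?: string;                   // free-text substring search
}

export interface WhereClause {
  sql: string;       // clause text with ? placeholders (empty if no filters)
  params: unknown[]; // values to bind, in placeholder order
}

// Identifiers cannot be bound as parameters, so column names are checked
// against an allow-list (assumed set of viewer columns) and double-quoted.
const ALLOWED_COLUMNS = new Set(["EventID", "Channel", "Provider", "Computer", "Level", "EventData"]);

function quoteIdent(column: string): string {
  if (!ALLOWED_COLUMNS.has(column)) throw new Error(`unknown column: ${column}`);
  return `"${column}"`;
}

export function buildWhere(filters: FilterOptions): WhereClause {
  const clauses: string[] = [];
  const params: unknown[] = [];
  const addList = (cols: Record<string, string[]>, negate: boolean): void => {
    for (const [column, values] of Object.entries(cols)) {
      if (values.length === 0) continue;
      const placeholders = values.map(() => "?").join(", ");
      clauses.push(`${quoteIdent(column)} ${negate ? "NOT IN" : "IN"} (${placeholders})`);
      params.push(...values); // quotes inside values never reach the SQL text
    }
  };
  addList(filters.include, false);
  addList(filters.exclude, true);
  if (filters.search) {
    clauses.push(`${quoteIdent("EventData")} LIKE ?`);
    params.push(`%${filters.search}%`);
  }
  return { sql: clauses.length ? `WHERE ${clauses.join(" AND ")}` : "", params };
}

// Intended use with a DuckDB-WASM connection (assumed API, not exercised here):
//   const { sql, params } = buildWhere(filters);
//   const stmt = await conn.prepare(`SELECT * FROM events ${sql}`);
//   const table = await stmt.query(...params);
```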
| @@ -0,0 +1,343 @@ | |||
| import { useCallback, useEffect, useMemo, useRef, useState } from "react"; | |||
[nitpick] This file is over 300 lines and handles multiple concerns. Consider refactoring parts (e.g., hook logic, helper functions) into smaller modules to improve readability and maintainability.
| display: inline-block; | ||
| `; | ||
| const ToggleButton = styled.button<{ $disabled?: boolean }>` |
The toggle button does not include ARIA attributes (e.g., aria-haspopup, aria-expanded) for accessibility. Consider adding ARIA roles and states to improve screen-reader support.
try CI tsconfig try ci again
small sidebar fixes rules
rust! fix cargo flag Fix chunk_arrow_ipc call to preserve this binding in strict mode filters fix lint support JSON filters remove old code just use duckdb for everything update import event detail state file switch state lint cleanup removed dynamic shit smarter ingest tracking
components cleanup loading for wasm assets wording removed old bucketCounts state break down sidebar move to reducer slices breakdown mega hook make sure file dragged shows immediately new rule
… an Example Logs folder with security.evtx sample. File is fetched on demand. Dev scripts symlink sample; CI copies sample into public.
… works fix(viewer): build sample URL using import.meta.env.BASE_URL for pages sub-path fix(viewer): robust sample URL concat when BASE_URL undefined
…bal state fix time
…d formatting

Introduces a new `formatTimeValue` utility for better timestamp display in the LogTable. The time column now supports adaptive time-bucket grouping based on data span, improving filtering and visualization. Updates to the filter menu ensure timestamps are displayed in a user-friendly format.
7a1aa3c to 3c94e7d
https://omerbenamram.github.io/evtx/
This is kind of an advanced clone of the Windows event explorer that runs entirely in the browser. It uses duckdb compiled to WASM along with the WASM version of the parser to stream chunks over IPC using Apache Arrow to parse and filter logs at lightning speed.
It was also a chance for me to experiment with native-like React single page apps.