Help Required: JNA code for EVTX parsing fails in Linux but works in Windows


MSK

May 29, 2018, 7:47:49 PM
to Java Native Access

Hello,


 I am sending an email to this forum with the assumption that this is the correct place for any questions on JNA usage. Kindly let me know the correct forum to reach out to if it is otherwise.


Scenario:

I am currently using the JNA code from GitHub (https://github.com/java-native-access) to parse an evtx file. I am successfully able to parse the file and generate a CSV file out of it. The same code fails with the below error when used in Linux.


Logs

Looking in classpath from sun.misc.Launcher$AppClassLoader@33909752 for /com/sun/jna/linux-x86-64/libjnidispatch.so

Found library resource at jar:file:/home/user/parser/data-parser.jar!/com/sun/jna/linux-x86-64/libjnidispatch.so

Looking for library 'wevtapi'

Adding paths from jna.library.path: null

Trying libwevtapi.so

Adding system paths: [/usr/lib64, /lib64, /usr/lib, /lib, /usr/lib64/dyninst, /usr/lib64/mysql]

Trying libwevtapi.so

Looking for version variants

Looking in classpath from sun.misc.Launcher$AppClassLoader@33909752 for wevtapi

Exception in thread "main" java.lang.UnsatisfiedLinkError: Unable to load library 'wevtapi': Native library (linux-x86-64/libwevtapi.so) not found in resource path ([file:/home/user/parser/data-parser.jar])

        at com.sun.jna.NativeLibrary.loadLibrary(NativeLibrary.java:303)

        at com.sun.jna.NativeLibrary.getInstance(NativeLibrary.java:427)

        at com.sun.jna.Library$Handler.<init>(Library.java:179)

        at com.sun.jna.Native.loadLibrary(Native.java:569)

        at com.sun.jna.platform.win32.Wevtapi.<clinit>(Wevtapi.java:41)


Java Version: jdk1.8.0_91

Dependent Jars: jna-4.5.1.jar & jna-platform-4.5.1.jar. Tried a few other versions of the jars as well.


LINUX Version: Red Hat 4.8.5-11 - Linux version 3.10.0-514.26.2.el7.x86_64


Options tried out (not sure if this is the correct approach)

I did see a few reference links on GitHub (frequently asked questions) and Stack Overflow for the mentioned error, but have had no luck so far in fixing the issue.


We did try downloading wevtapi.dll.so from Wine. Though the exact file was not available, we had to rename the wevtapi file to libwevtapi.so. After this we get the below error:

Exception in thread "main" java.lang.IllegalArgumentException: Unrecognized calling convention: 63

        at com.sun.jna.Native.invokePointer(Native Method)

        at com.sun.jna.Function.invokePointer(Function.java:490)

        at com.sun.jna.Function.invoke(Function.java:434)

        at com.sun.jna.Function.invoke(Function.java:354)

        at com.sun.jna.Library$Handler.invoke(Library.java:244)

        at com.sun.proxy.$Proxy0.EvtQuery(Unknown Source)


Can you kindly help or provide any pointers? Any help is greatly appreciated. Thank you!


Regards,

MSK

Matthias Bläsing

May 30, 2018, 1:28:27 PM
to jna-...@googlegroups.com
Hi MSK,

On Tuesday, 29.05.2018, at 16:47 -0700, MSK wrote:
> Scenario:
> I am currently using the JNA code from GITHUB
> (https://github.com/java-native-access) to parse an evtx file. I am
> successfully able to parse the file and generate a CSV file out of it.
> The same code fails with the below error when used in Linux.
>
> Exception in thread "main" java.lang.UnsatisfiedLinkError: Unable to
> load library 'wevtapi': Native library (linux-x86-64/libwevtapi.so)
> not found in resource path ([file:/home/user/parser/data-parser.jar])
> at
> com.sun.jna.NativeLibrary.loadLibrary(NativeLibrary.java:303)
> at
> com.sun.jna.NativeLibrary.getInstance(NativeLibrary.java:427)
> at com.sun.jna.Library$Handler.<init>(Library.java:179)
> at com.sun.jna.Native.loadLibrary(Native.java:569)
> at
> com.sun.jna.platform.win32.Wevtapi.<clinit>(Wevtapi.java:41)
>

you need to understand what JNA does and what it does not. JNA is the
acronym for:

Java Native Access

and enables you to call into native libraries from within Java.

The Eventlog parsing you are using in JNA comes from a Windows system
library and won't work on other platforms.

HTH

Matthias

MSK

May 30, 2018, 8:26:15 PM
to Java Native Access

Hello Matthias,


Thank you so much for your reply! I am pretty much new to the JNA forum and still catching up on things. It will be great if you can kindly answer the below questions:


1) I totally agree with you that the parser I sent across is referring to Windows-related libraries. Can you please let me know if the code can be modified to run from Linux OS? (In the supported platforms section they do talk a bit about Linux: "JNA is built and tested on Mac OS X, Microsoft Windows, FreeBSD / OpenBSD, Solaris, Linux, AIX, Windows Mobile, and Android. It is also possible to tweak and recompile the native build configurations to make it work on most other platforms that run Java.")


2) If the answer to question #1 is yes, can you please provide some pointers about the code or steps for the implementation, or do you have any sample? All I want to do is read the evtx file from a Linux system using Java code and extract a few fields like event ID, source IP address, destination IP address and a few other fields.


Any help is greatly appreciated. Thank you!


Regards,

MSK


Matthias Bläsing

May 31, 2018, 2:28:58 AM
to jna-...@googlegroups.com
Hi,

I'll repeat: JNA only allows you to call native libraries. jna-platform
holds pre-built bindings. One of these is the Windows event log parser.
That library is from Microsoft and I would not expect it to be present
on non-Windows, non-x86 systems.

You'll need a real parser (implemented in Java) - the file format is
reverse engineered here:

https://github.com/libyal/libevtx/blob/master/documentation/Windows%20XML%20Event%20Log%20(EVTX).asciidoc

HTH

Matthias
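To make the pointer above concrete, here is an added example that is not code from the thread, from JNA or from jna-platform: a parser for the EVTX container layout described in the libyal document (file header, chunk headers, event record framing) with its three CRC32 checks, written in Python because it is the shortest illustration; the same layout applies if it is done in Java as Matthias suggests. The payload of each record is binary XML, which a real parser still has to decode to reach fields like the event ID; this example stops at the container and recovers only what the container itself carries (record identifiers, FILETIME timestamps, chunk count, dirty flag). The sample file, the `build_sample_evtx` helper, the constant names and the record values are all constructed for this example, and the stub payloads only carry the BinXML fragment header token.

```python
"""EVTX container walker: file header, chunk headers, record framing.

Added example, not code from the thread, JNA or jna-platform. Offsets follow
the libyal "Windows XML Event Log (EVTX)" format document; the binary XML
inside each record is returned as opaque bytes and not decoded here.
"""
import struct
import zlib
from datetime import datetime, timedelta, timezone

FILE_SIG = b"ElfFile\x00"
CHUNK_SIG = b"ElfChnk\x00"
RECORD_SIG = b"\x2a\x2a\x00\x00"
HEADER_BLOCK_SIZE = 4096     # file header block, header proper is 128 bytes
CHUNK_SIZE = 65536           # every chunk is 64 KiB
CHUNK_HEADER_SIZE = 512      # 128-byte header + string/template offset tables
RECORD_OVERHEAD = 28         # sig(4) size(4) id(8) FILETIME(8) size copy(4)
FLAG_DIRTY, FLAG_FULL = 0x1, 0x2
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILETIME_UNIX_EPOCH = 116444736000000000   # 1970-01-01 as FILETIME


def crc32(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_file_header(buf):
    if buf[:8] != FILE_SIG:
        raise ValueError("bad file signature")
    (_first_chunk, _last_chunk, next_record_id, _hdr_size, minor, major,
     _block_size, chunk_count) = struct.unpack_from("<QQQIHHHH", buf, 8)
    flags, stored = struct.unpack_from("<II", buf, 120)
    if crc32(buf[:120]) != stored:          # checksum covers bytes 0..119 only
        raise ValueError("file header checksum mismatch")
    return {"version": (major, minor), "chunk_count": chunk_count,
            "next_record_id": next_record_id,
            "dirty": bool(flags & FLAG_DIRTY),   # header may be out of date
            "full": bool(flags & FLAG_FULL)}


def parse_chunk(buf, off):
    hdr = buf[off:off + CHUNK_HEADER_SIZE]
    if hdr[:8] != CHUNK_SIG:
        raise ValueError("bad chunk signature at 0x%x" % off)
    (_first_num, _last_num, first_id, last_id, _hdr_size, _last_rec_off,
     free_off, records_crc) = struct.unpack_from("<QQQQIIII", hdr, 8)
    (stored,) = struct.unpack_from("<I", hdr, 124)
    # header checksum skips bytes 120..127 (flags word and the checksum itself)
    if crc32(hdr[:120] + hdr[128:CHUNK_HEADER_SIZE]) != stored:
        raise ValueError("chunk header checksum mismatch at 0x%x" % off)
    if not CHUNK_HEADER_SIZE <= free_off <= CHUNK_SIZE:
        raise ValueError("free space offset out of range at 0x%x" % off)
    if crc32(buf[off + CHUNK_HEADER_SIZE:off + free_off]) != records_crc:
        raise ValueError("event records checksum mismatch at 0x%x" % off)
    records, pos, end = [], off + CHUNK_HEADER_SIZE, off + free_off
    while pos + RECORD_OVERHEAD <= end and buf[pos:pos + 4] == RECORD_SIG:
        size, rec_id, written = struct.unpack_from("<IQQ", buf, pos + 4)
        if size < RECORD_OVERHEAD or pos + size > end:
            raise ValueError("record %d overruns chunk" % rec_id)
        (size_copy,) = struct.unpack_from("<I", buf, pos + size - 4)
        if size_copy != size:                   # trailing size must match
            raise ValueError("record %d size fields disagree" % rec_id)
        records.append({"id": rec_id, "written": filetime_to_datetime(written),
                        "binxml": buf[pos + 24:pos + size - 4]})
        pos += size
    return {"first_id": first_id, "last_id": last_id, "records": records}


def parse_evtx(buf):
    header = parse_file_header(buf)
    chunks = []
    # walk chunks by offset instead of trusting chunk_count (stale when dirty)
    for off in range(HEADER_BLOCK_SIZE, len(buf) - CHUNK_HEADER_SIZE + 1, CHUNK_SIZE):
        if buf[off:off + 8] != CHUNK_SIG:
            break
        chunks.append(parse_chunk(buf, off))
    return {"header": header, "chunks": chunks}


def is_intact(buf):
    """True when every signature and checksum verifies, else False."""
    try:
        parse_evtx(buf)
        return True
    except ValueError:
        return False


def build_sample_evtx(records):
    """Constructed one-chunk file from [(record_id, filetime, payload), ...]."""
    body, last_rec_off = b"", CHUNK_HEADER_SIZE
    for rec_id, ft, xml in records:
        size, last_rec_off = RECORD_OVERHEAD + len(xml), CHUNK_HEADER_SIZE + len(body)
        body += RECORD_SIG + struct.pack("<IQQ", size, rec_id, ft) + xml + struct.pack("<I", size)
    free_off, first_id, last_id = CHUNK_HEADER_SIZE + len(body), records[0][0], records[-1][0]
    chunk = bytearray(CHUNK_SIZE)
    chunk[:8] = CHUNK_SIG
    struct.pack_into("<QQQQIIII", chunk, 8, first_id, last_id, first_id, last_id,
                     128, last_rec_off, free_off, crc32(body))
    chunk[CHUNK_HEADER_SIZE:free_off] = body
    struct.pack_into("<I", chunk, 124, crc32(bytes(chunk[:120]) + bytes(chunk[128:CHUNK_HEADER_SIZE])))
    fh = bytearray(HEADER_BLOCK_SIZE)
    fh[:8] = FILE_SIG
    struct.pack_into("<QQQIHHHH", fh, 8, 0, 0, last_id + 1, 128, 1, 3, HEADER_BLOCK_SIZE, 1)
    struct.pack_into("<I", fh, 124, crc32(bytes(fh[:120])))    # flags at 120 stay 0
    return bytes(fh) + bytes(chunk)


# Constructed sample: two records; payloads are stubs starting with the BinXML
# fragment header token (0x0f, version 1.1), not real event content.
SAMPLE_RECORDS = [
    (4625, FILETIME_UNIX_EPOCH + 1527637669 * 10_000_000, b"\x0f\x01\x01\x00<stub binxml 1>"),
    (4626, FILETIME_UNIX_EPOCH + 1527637670 * 10_000_000, b"\x0f\x01\x01\x00<stub binxml 2>"),
]
SAMPLE = build_sample_evtx(SAMPLE_RECORDS)

if __name__ == "__main__":
    parsed = parse_evtx(SAMPLE)
    print("version", parsed["header"]["version"], "dirty", parsed["header"]["dirty"])
    for rec in parsed["chunks"][0]["records"]:
        print(rec["id"], rec["written"].isoformat(), len(rec["binxml"]), "bytes of BinXML")
```

The three checksums are worth keeping even in a quick extraction tool: a chunk whose header or record area fails its CRC is either truncated, corrupted or edited, and failing closed on it is preferable to silently emitting records from it. The dirty flag in the file header is the other thing to look at before trusting the header's chunk count, which is why the walker above iterates by offset.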

MSK

Jun 1, 2018, 1:09:05 AM
to Java Native Access
Thank you Matthias!