From 369ea47f837d46c3ead48a7596b183560955a7aa Mon Sep 17 00:00:00 2001
From: Steffen Pohle <steffen@gulpe.de>
Date: Fri, 6 May 2022 11:15:04 +0200
Subject: [PATCH] field KEYWORD is actually named KEYWORDS in xml file.

---
 evtx2sql-convert2sql.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/evtx2sql-convert2sql.php b/evtx2sql-convert2sql.php
index d635a7c..414f645 100755
--- a/evtx2sql-convert2sql.php
+++ b/evtx2sql-convert2sql.php
@@ -153,8 +153,8 @@ function xmldefaulthandler($parser, $data) {
 		$emeta->eventid = $data;
 	} else if (strstr($xmlelement, "EVENT\tSYSTEM\tEVENTRECORDID") <> false) {
 		$emeta->eventrecordid = $data;
-	} else if (strstr($xmlelement, "EVENT\tSYSTEM\tKEYWORD") <> false) {
-		$emeta->keyword = $data;
+	} else if (strstr($xmlelement, "EVENT\tSYSTEM\tKEYWORDS") <> false) {
+		$emeta->keywords = $data;
 	} else if (strstr($xmlelement, "EVENT\tSYSTEM\tLEVEL") <> false) {
 		$emeta->level = $data;
 	} else if (strstr($xmlelement, "EVENT\tSYSTEM\tCOMPUTER") <> false) {