Description of evtx logs#
Location of evtx logs in Windows
%SystemRoot%\System32\Winevt\Logs\
The main logs include application, security, system logs, etc. The default size of the logs is 20484K (20M), and any excess will overwrite expired logs.
You can view the corresponding logs using the built-in Event Viewer in Windows.
By randomly clicking on an event with ID 4624, the general content is as follows. Switching to XML view allows you to view the log in XML format.
evtx_dump#
Parsing evtx logs using a tool
Download the corresponding version:
https://github.com/omerbenamram/evtx/releases
evtx_dump <evtx_file> dumps in XML format
evtx_dump -o json <evtx_file> dumps in JSON format
evtx_dump -f <output_file> -o json <input_file> outputs to a specified file
Used in conjunction with fd (https://github.com/cha0ran/fd-zh) for batch processing
fd -e evtx -x evtx_dump -o jsonl dumps all files with the evtx extension into separate json files
fd -e evtx -x evtx_dump '{}' -f '{.}.xml' creates an xml file corresponding to the evtx file, and then dumps the content into the corresponding xml file
fd -a -e evtx | xargs -I input sh -c "evtx_dump -o jsonl input | jq --arg path 'input' '. + {path: \$path}'"
-e: file extension
-a: search hidden files or directories
xargs -I input sh -c "command": pass the input variable and execute it with the command
jq --arg path 'input' '. + {path: \$path}': append the path variable to the output json file
Extraction#
Extract EventID from evtx file
evtx_dump temp_scheduled_task_4698_4699.evtx -o jsonl | jq '.Event.System.EventID'
Sort and count the EventID
evtx_dump Security.evtx -o jsonl | jq '.Event.System.EventID' | sort | uniq
By viewing the EventID, you can determine the status of most logs in the current log. For example, 5379 represents events related to Microsoft Windows Defender antivirus software. This event records the corresponding policy information of Windows Defender, indicating the regular scanning or update status of Defender. 4625 represents a failed login, and if there is only one log, it means there is no attempt to brute force the login. 4672 represents an administrator login, and logs of operations performed with administrator privileges will also be recorded as 4672, similar to sudo in Linux, where each sudo records one log.
By comparing with the EventID, you can determine the impact of related events.
Extract multiple fields
evtx_dump temp_scheduled_task_4698_4699.evtx -o jsonl | jq '.Event.System.EventID','.Event.System.Computer'
Event ID reference: Windows Emergency Response Manual Notes