banner
lca

lca

真正的不自由,是在自己的心中设下牢笼。

Windows XML Event Log (EVTX) Parsing

Description of evtx logs#

Location of evtx logs on Windows

%SystemRoot%\System32\Winevt\Logs\

image.png

The main logs include application, security, system logs, etc. The default size of the logs is 20484K (20M), and any excess will overwrite expired logs.

You can view the corresponding logs using the built-in Event Viewer in Windows.

image.png

By randomly clicking on an event with ID 4624, the general content is as follows. Switching to XML view allows you to view the log in XML format.

image.png

evtx_dump#

Use this tool to parse evtx logs

A Fast (and safe) parser for the Windows XML Event Log (EVTX) format

Download the corresponding version:

https://github.com/omerbenamram/evtx/releases

evtx_dump <evtx_file> dump in XML format

evtx_dump -o json <evtx_file> dump in JSON format

evtx_dump -f <output_file> -o json <input_file> output to specified file

Use it with fd (https://github.com/cha0ran/fd-zh) for batch processing

fd -e evtx -x evtx_dump -o jsonl dump all files with .evtx extension to separate json files

fd -e evtx -x evtx_dump '{}' -f '{.}.xml' create an XML file corresponding to the evtx file, and then dump the content into the corresponding XML file

fd -a -e evtx | xargs -I input sh -c "evtx_dump -o jsonl input | jq --arg path "input" '. + {path: \$path}'"

-e: file extension
-a: search hidden files or directories
xargs -I input sh -c "command": pass the input variable and execute the command
jq --arg path "input" '. + {path: \$path}': append the path variable to the output json file

Extraction#

Extract EventID from evtx file

evtx_dump temp_scheduled_task_4698_4699.evtx -o jsonl | jq '.Event.System.EventID'

Sort and count EventID

evtx_dump Security.evtx -o jsonl | jq '.Event.System.EventID' | sort | uniq

image.png

By checking the EventID, you can determine the status of most logs in the current log. For example, 5379 represents events related to Microsoft Windows Defender antivirus software, which records the corresponding policy information of Windows Defender, indicating the regular scanning or updating status of Defender. 4625 represents a failed login, and if there is only one log, it means there is no attempt to brute force login. 4672 represents an administrator login, and logs of operations performed with administrator privileges will also be recorded as 4672, similar to sudo in Linux, where each sudo records one log.

By comparing with the EventID, you can determine the impact of related events.

Extract multiple fields

evtx_dump temp_scheduled_task_4698_4699.evtx -o jsonl | jq '.Event.System.EventID','.Event.System.Computer'

EvtxECmd#

EvtxECmd is a parsing tool for event log files (evtx) on Windows. It can generate output in standard CSV, XML, and JSON formats! It also supports custom mapping, handling locked files, and provides more features!

Usage#

Export content to a JSON file

EvtxECmd.exe -f C:\Users\lca\Desktop\Security.evtx --json .

image

As shown in the above image, parse Security.evtx and also count the number of EventIDs at the end of the output.

image

A JSON file is generated in the current directory, and you can use the jq tool to parse the contents of the JSON file.

cat 20240813012115_EvtxECmd_Output.json | jq . -c | jq '. | select(.EventId==4624)'

# . -c: . is a jq filter that represents the entire input. -c compresses the content into a compact JSON string format.
# . |: . represents the entire JSON object passed in earlier.

Extract specific fields, for example, extract the content of the MapDescription field from the log with ID 4624

cat 20240813012115_EvtxECmd_Output.json | jq . -c | jq '. | select(.EventId==4624) | "\(.MapDescription)"'

# \(.MapDescription): Extract the value of the MapDescription field from the filtered JSON object and output it as a string.

Filtering with jq is more about familiarizing yourself with the syntax of jq.

Event ID reference: Windows Emergency Response Manual Notes

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.