Description of evtx logs#
Location of evtx logs on Windows
%SystemRoot%\System32\Winevt\Logs\
The main logs include application, security, system logs, etc. The default size of the logs is 20484K (20M), and any excess will overwrite expired logs.
You can view the corresponding logs using the built-in Event Viewer in Windows.
By randomly clicking on an event with ID 4624, the general content is as follows. Switching to XML view allows you to view the log in XML format.
evtx_dump#
Use this tool to parse evtx logs
Download the corresponding version:
https://github.com/omerbenamram/evtx/releases
evtx_dump <evtx_file> dump in XML format
evtx_dump -o json <evtx_file> dump in JSON format
evtx_dump -f <output_file> -o json <input_file> output to specified file
Use it with fd (https://github.com/cha0ran/fd-zh) for batch processing
fd -e evtx -x evtx_dump -o jsonl dump all files with .evtx extension to separate json files
fd -e evtx -x evtx_dump '{}' -f '{.}.xml' create an XML file corresponding to the evtx file, and then dump the content into the corresponding XML file
fd -a -e evtx | xargs -I input sh -c "evtx_dump -o jsonl input | jq --arg path "input" '. + {path: \$path}'"
-e: file extension
-a: search hidden files or directories
xargs -I input sh -c "command": pass the input variable and execute the command
jq --arg path "input" '. + {path: \$path}': append the path variable to the output json file
Extraction#
Extract EventID from evtx file
evtx_dump temp_scheduled_task_4698_4699.evtx -o jsonl | jq '.Event.System.EventID'
Sort and count EventID
evtx_dump Security.evtx -o jsonl | jq '.Event.System.EventID' | sort | uniq
By checking the EventID, you can determine the status of most logs in the current log. For example, 5379 represents events related to Microsoft Windows Defender antivirus software, which records the corresponding policy information of Windows Defender, indicating the regular scanning or updating status of Defender. 4625 represents a failed login, and if there is only one log, it means there is no attempt to brute force login. 4672 represents an administrator login, and logs of operations performed with administrator privileges will also be recorded as 4672, similar to sudo in Linux, where each sudo records one log.
By comparing with the EventID, you can determine the impact of related events.
Extract multiple fields
evtx_dump temp_scheduled_task_4698_4699.evtx -o jsonl | jq '.Event.System.EventID','.Event.System.Computer'
EvtxECmd#
EvtxECmd is a parsing tool for event log files (evtx) on Windows. It can generate output in standard CSV, XML, and JSON formats! It also supports custom mapping, handling locked files, and provides more features!
Usage#
Export content to a JSON file
EvtxECmd.exe -f C:\Users\lca\Desktop\Security.evtx --json .
As shown in the above image, parse Security.evtx and also count the number of EventIDs at the end of the output.
A JSON file is generated in the current directory, and you can use the jq tool to parse the contents of the JSON file.
cat 20240813012115_EvtxECmd_Output.json | jq . -c | jq '. | select(.EventId==4624)'
# . -c: . is a jq filter that represents the entire input. -c compresses the content into a compact JSON string format.
# . |: . represents the entire JSON object passed in earlier.
Extract specific fields, for example, extract the content of the MapDescription field from the log with ID 4624
cat 20240813012115_EvtxECmd_Output.json | jq . -c | jq '. | select(.EventId==4624) | "\(.MapDescription)"'
# \(.MapDescription): Extract the value of the MapDescription field from the filtered JSON object and output it as a string.
Filtering with jq is more about familiarizing yourself with the syntax of jq.
Event ID reference: Windows Emergency Response Manual Notes