banner
lca

lca

真正的不自由,是在自己的心中设下牢笼。
HomeArchives图文

Windows XML Event Log (EVTX) Parsing

#应急响应611
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
This text provides information about evtx logs in Windows. It mentions the location of evtx logs, which includes application, security, and system logs. The logs have a default size of 20MB and can be viewed using the Windows Event Viewer. The text also mentions a tool called evtx_dump, which can be used to parse evtx logs. It provides instructions on how to download and use the tool, including converting the logs to XML or JSON format. The text also mentions using the tool in combination with fd for batch processing. It provides examples of extracting EventIDs from evtx files and sorting and counting them. Finally, it mentions that EventIDs can be used to determine the status of logs and provides examples of different EventIDs and their meanings.

evtx Log Description#

Location of evtx logs in Windows

%SystemRoot%\System32\Winevt\Logs\

image.png

The main logs include application, security, system logs, etc. The default size of the logs is 20484K (20M), and the exceeding part will overwrite expired logs.

The corresponding logs can be viewed through the built-in Event Viewer in Windows.

image.png

By randomly clicking on an event with ID 4624, the general content is as follows. Switching to the XML view allows you to view the XML format log.

image.png

evtx_dump#

Parsing evtx logs using tools

Download the corresponding version:

https://github.com/omerbenamram/evtx/releases

evtx_dump <evtx_file> dump in xml format

evtx_dump -o json <evtx_file> dump in json format

evtx_dump -f <output_file> -o json <input_file> output to specified file

Used in conjunction with fd (https://github.com/cha0ran/fd-zh), it is convenient for batch processing.

fd -e evtx -x evtx_dump -o jsonl dump all files with evtx extension into separate json files

fd -e evtx -x evtx_dump '{}' -f '{.}.xml create an xml file corresponding to evtx, and then put the content into the corresponding xml file

fd -a -e evtx | xargs -I input sh -c "evtx_dump -o jsonl input | jq --arg path "input" '. + {path: \$path}'"

-e: file extension
-a: search hidden files or directories
xargs -I input sh -c "command": pass the input variable and hand it over to the command for execution
jq --arg path "input" '. + {path: \$path}': append the path variable to the output json file

Extraction#

Extract EventID from evtx file

evtx_dump temp_scheduled_task_4698_4699.evtx -o jsonl | jq '.Event.System.EventID'

Sort and count EventID

evtx_dump Security.evtx -o jsonl | jq '.Event.System.EventID' | sort | uniq

image.png

By checking the EventID, you can know the status of most logs in the current log. For example, 5379 represents events related to Microsoft Windows Defender antivirus software, which records the corresponding policy information of Windows Defender, indicating the regular scanning or updating status of Defender. 4625 represents login failure, and if there is only one log, it means there is no attempt to brute force login. 4672 represents administrator login, and logs of operations performed as an administrator will also be recorded as 4672, similar to sudo in Linux, with one sudo recording one log.

By comparing with the EventID, you can determine the impact of related events.

Extract multiple fields

evtx_dump temp_scheduled_task_4698_4699.evtx -o jsonl | jq '.Event.System.EventID','.Event.System.Computer'

Event ID reference: Windows Emergency Response Manual Notes

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.