evtx Log Description
Location of evtx logs in Windows
%SystemRoot%\System32\Winevt\Logs\
The main logs are the Application, Security and System logs. Each log file defaults to a maximum size of 20484K (20M); once that size is reached, new events overwrite the oldest ones.
The corresponding logs can be viewed through the built-in Event Viewer in Windows.
Clicking any event with ID 4624 shows content roughly like the following; switching to the XML view shows the same record in its XML form.
evtx_dump
Parsing evtx logs using tools
Download the corresponding version:
https://github.com/omerbenamram/evtx/releases
evtx_dump <evtx_file> dump in xml format
evtx_dump -o json <evtx_file> dump in json format
evtx_dump -f <output_file> -o json <input_file> output to specified file
Used together with fd (https://github.com/cha0ran/fd-zh), it makes batch processing convenient.
fd -e evtx -x evtx_dump -o jsonl -f '{.}.jsonl' '{}' dump every file with the evtx extension into its own JSON lines file
fd -e evtx -x evtx_dump '{}' -f '{.}.xml' create an XML file next to each evtx file and write the parsed content into it
fd -a -e evtx | xargs -I{} sh -c 'evtx_dump -o jsonl "$1" | jq --arg path "$1" ". + {path: \$path}"' sh {}
-e: restrict the search to files with this extension
-a: print absolute paths, so the path recorded in each JSON line is absolute
xargs -I{} sh -c '...' sh {}: substitute each path for {} and hand it to sh as $1 (quoting "$1" keeps paths with spaces intact)
jq --arg path "$1" '. + {path: $path}': append the source file path to every JSON record in the output
Extraction
Extract EventID from evtx file
evtx_dump temp_scheduled_task_4698_4699.evtx -o jsonl | jq '.Event.System.EventID'
Count the occurrences of each EventID (most frequent first)
evtx_dump Security.evtx -o jsonl | jq '.Event.System.EventID' | sort | uniq -c | sort -rn
Looking at the EventID distribution tells you what most of the records in the log are about. For example, 5379 represents events related to Microsoft Windows Defender antivirus software: it records Defender's policy information and indicates the regular scanning or update status. 4625 represents a logon failure; if there is only one such record, there was no attempt to brute-force a logon. 4672 represents an administrator logon, and operations performed as administrator are also recorded as 4672, much like sudo on Linux, where each sudo produces one log entry.
Cross-referencing the EventIDs against a reference table lets you determine the impact of the related events.
Extract multiple fields
evtx_dump temp_scheduled_task_4698_4699.evtx -o jsonl | jq '.Event.System.EventID, .Event.System.Computer'
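The counting and field-extraction steps above, as an added Python example that is not part of the original notes or of evtx_dump itself: it reads `evtx_dump -o jsonl` output (a constructed sample is embedded), counts EventIDs the way the `sort | uniq -c` pipeline does, copes with the object form of EventID that evtx_dump emits for providers that set a Qualifiers attribute, and groups 4625 failures by source address so a single failure stands apart from a burst. The sample records and the threshold of 3 are assumptions.

```python
import json
from collections import Counter

# Constructed sample of `evtx_dump -o jsonl` output (one JSON object per line).
# The field layout mirrors evtx_dump's JSON; these are not real log records.
SAMPLE_JSONL = """
{"Event":{"System":{"EventID":4624,"Computer":"WS01"},"EventData":{"TargetUserName":"alice","IpAddress":"10.0.0.5","LogonType":3}}}
{"Event":{"System":{"EventID":4625,"Computer":"WS01"},"EventData":{"TargetUserName":"admin","IpAddress":"10.0.0.9","Status":"0xc000006d"}}}
{"Event":{"System":{"EventID":4625,"Computer":"WS01"},"EventData":{"TargetUserName":"admin","IpAddress":"10.0.0.9","Status":"0xc000006d"}}}
{"Event":{"System":{"EventID":4625,"Computer":"WS01"},"EventData":{"TargetUserName":"root","IpAddress":"10.0.0.9","Status":"0xc000006d"}}}
{"Event":{"System":{"EventID":4625,"Computer":"WS01"},"EventData":{"TargetUserName":"bob","IpAddress":"10.0.0.5","Status":"0xc000006d"}}}
{"Event":{"System":{"EventID":4672,"Computer":"WS01"},"EventData":{"SubjectUserName":"alice"}}}
{"Event":{"System":{"EventID":{"#attributes":{"Qualifiers":16384},"#text":7036},"Computer":"WS01"},"EventData":{"param1":"Windows Defender"}}}
"""

def event_id(record):
    """Return the numeric EventID. evtx_dump emits a plain number for most
    providers, but a {"#attributes": {...}, "#text": N} object when the
    element carries a Qualifiers attribute, so both shapes are handled."""
    raw = record["Event"]["System"]["EventID"]
    if isinstance(raw, dict):
        raw = raw["#text"]
    return int(raw)

def load_jsonl(text):
    """Parse evtx_dump jsonl text into records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def count_event_ids(records):
    """Same result as `jq '.Event.System.EventID' | sort | uniq -c`."""
    return Counter(event_id(r) for r in records)

def failed_logons_by_source(records, threshold=3):
    """Group 4625 (logon failure) events by source IP and return the sources
    whose failure count reaches the threshold: one 4625 is noise, a burst
    from a single address is what a brute-force attempt looks like."""
    per_ip = Counter()
    for r in records:
        if event_id(r) == 4625:
            per_ip[r["Event"]["EventData"].get("IpAddress", "-")] += 1
    return {ip: n for ip, n in per_ip.items() if n >= threshold}

if __name__ == "__main__":
    recs = load_jsonl(SAMPLE_JSONL)
    for eid, n in count_event_ids(recs).most_common():
        print(f"{n:5d}  {eid}")
    print("repeated logon failures:", failed_logons_by_source(recs))
```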
Event ID reference: Windows Emergency Response Manual Notes