Reads a Windows EVTX event log file and emits one record per event, carrying fields such as the event channel, event provider, event ID, task, level, record ID and message.


evtx-file [zipcharset=CHARSET] [zippath=ZIPFILE_PATH] FILE_PATH
Required Parameter

FILE_PATH
    Path to the Windows event log file. A wildcard (*) in the file name matches every file whose name contains the given pattern (e.g. D:\data\evtx\*.evtx). If the zippath option is given, FILE_PATH is the path of the EVTX entry inside the ZIP file.

Optional Parameters

zipcharset=CHARSET
    Character set used to decode ZIP entry names and comments that are not UTF-8 encoded. Use a preferred MIME name or alias registered at http://www.iana.org/assignments/character-sets/character-sets.xhtml

zippath=ZIPFILE_PATH
    Path to the ZIP file that contains the EVTX file.


The output fields are as follows:

Field       Type     Description
_time       Date     Time at which the event occurred
computer    String   Computer name
channel     String   Event channel
provider    String   Event provider
event_id    Integer  Event ID
task        Integer  Event task
level       Integer  Event level
record_id   Integer  Record ID
msg         String   Event message
event_data  Map      Event data


  1. Retrieve events from an EVTX file given by path.

    evtx-file D:\data\evtx\System.evtx
  2. Retrieve events from an EVTX file stored inside a ZIP archive, using the zippath option (FILE_PATH is the entry path inside the archive).

    evtx-file zippath=D:\data\evtx.zip evtx\System.evtx
  3. Retrieve events whose provider is MySQL.

    evtx-file D:\data\evtx\application.evtx
    | search provider=="MySQL"
  4. Retrieve events whose message matches none of the patterns in the EVTX_WHITE lookup table. mpsearch populates _mp_result with the matched patterns, so an empty _mp_result means the event is not covered by the allowlist.

    evtx-file D:\data\evtx\application.evtx
    | mpsearch msg [ lookuptable EVTX_WHITE ]
    | search len(_mp_result) == 0
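The output fields above (record_id, _time) and the allowlist query in example 4 assume a well-formed EVTX file. The following is an added example, written for this page and not part of the evtx-file command or its implementation: a Python walker for the EVTX container framing (ElfFile header, ElfChnk chunks, record headers) that verifies the CRC32 fields, extracts each record's record ID and written-time FILETIME, and reports gaps in the record_id sequence, which is a routine tampering check when reviewing collected logs. It builds its own sample file in memory (constructed data: four records with a zero placeholder in place of the BinXML payload), so the BinXML body that carries channel, provider, event_id and msg is framed but not decoded. All constant names and helper functions here are the example's own.

```python
"""Walk the container framing of a Windows EVTX file (added example, not part of the original page).

Checks the ElfFile / ElfChnk signatures and CRC32 fields, extracts each record's
record_id and written-time FILETIME, and reports gaps in the record_id sequence.
The BinXML payload that holds channel, provider, event_id and msg is carried
through but not decoded here.
"""
import struct
import zlib
from datetime import datetime, timedelta, timezone

FILE_HEADER_SIZE = 4096
CHUNK_SIZE = 65536
CHUNK_HEADER_SIZE = 512           # 128-byte header + common-string and template offset tables
RECORD_SIGNATURE = b"**\x00\x00"  # record magic 0x00002a2a, little-endian
RECORD_HEADER_SIZE = 24           # signature, size, record_id, FILETIME
FILETIME_UNIX_EPOCH = 116444736000000000  # 1970-01-01 UTC in 100 ns ticks since 1601-01-01
FILETIME_DAY = 864_000_000_000            # 100 ns ticks per day


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME to a timezone-aware UTC datetime."""
    ticks = ft - FILETIME_UNIX_EPOCH
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(
        seconds=ticks // 10_000_000, microseconds=(ticks % 10_000_000) // 10)


def build_chunk(records, first_record_number):
    """Lay out one 64 KiB chunk from (record_id, filetime, payload) triples. Constructed test data only."""
    body = b"".join(
        RECORD_SIGNATURE + struct.pack("<IQQ", RECORD_HEADER_SIZE + len(p) + 4, rid, ft) + p
        + struct.pack("<I", RECORD_HEADER_SIZE + len(p) + 4)      # size is repeated as a trailer
        for rid, ft, p in records)
    free_space_offset = CHUNK_HEADER_SIZE + len(body)
    last_record_offset = free_space_offset - (RECORD_HEADER_SIZE + len(records[-1][2]) + 4)
    header = b"ElfChnk\x00" + struct.pack(
        "<QQQQIIII", first_record_number, first_record_number + len(records) - 1,
        records[0][0], records[-1][0], 128, last_record_offset, free_space_offset, zlib.crc32(body))
    header += b"\x00" * 68                          # unused bytes and flags
    tables = b"\x00" * (CHUNK_HEADER_SIZE - 128)    # empty common-string and template offset tables
    header_crc = zlib.crc32(header[:120] + tables)  # header CRC covers bytes 0-119 and 128-511
    return (header + struct.pack("<I", header_crc) + tables + body).ljust(CHUNK_SIZE, b"\x00")


def build_evtx(chunks, next_record_id):
    """Prepend a 4 KiB file header to the given chunks. Constructed test data only."""
    header = b"ElfFile\x00" + struct.pack(
        "<QQQIHHHH", 0, len(chunks) - 1, next_record_id, 128, 1, 3, FILE_HEADER_SIZE, len(chunks))
    header += b"\x00" * 76 + struct.pack("<I", 0)           # unused bytes, file flags
    header += struct.pack("<I", zlib.crc32(header[:120]))   # file header CRC covers bytes 0-119
    return header.ljust(FILE_HEADER_SIZE, b"\x00") + b"".join(chunks)


def parse_evtx(data):
    """Return [{'chunk', 'record_id', '_time'}] for every record; raise ValueError on framing or CRC errors."""
    if data[:8] != b"ElfFile\x00":
        raise ValueError("bad file signature")
    if struct.unpack_from("<I", data, 124)[0] != zlib.crc32(data[:120]):
        raise ValueError("file header CRC mismatch")
    chunk_count = struct.unpack_from("<H", data, 42)[0]
    records = []
    for i in range(chunk_count):
        chunk = data[FILE_HEADER_SIZE + i * CHUNK_SIZE:FILE_HEADER_SIZE + (i + 1) * CHUNK_SIZE]
        if len(chunk) < CHUNK_SIZE or chunk[:8] != b"ElfChnk\x00":
            raise ValueError(f"chunk {i}: truncated or bad chunk signature")
        free_space_offset, records_crc = struct.unpack_from("<II", chunk, 48)
        if struct.unpack_from("<I", chunk, 124)[0] != zlib.crc32(chunk[:120] + chunk[128:512]):
            raise ValueError(f"chunk {i}: header CRC mismatch")
        if records_crc != zlib.crc32(chunk[CHUNK_HEADER_SIZE:free_space_offset]):
            raise ValueError(f"chunk {i}: record data CRC mismatch (truncated or tampered)")
        off = CHUNK_HEADER_SIZE
        while off + RECORD_HEADER_SIZE <= free_space_offset and chunk[off:off + 4] == RECORD_SIGNATURE:
            size, rid, ft = struct.unpack_from("<IQQ", chunk, off + 4)
            if size < RECORD_HEADER_SIZE + 4 or off + size > free_space_offset:
                raise ValueError(f"chunk {i}: record at offset {off} has implausible size {size}")
            if struct.unpack_from("<I", chunk, off + size - 4)[0] != size:
                raise ValueError(f"chunk {i}: record at offset {off} has a mismatched trailer size")
            records.append({"chunk": i, "record_id": rid, "_time": filetime_to_datetime(ft)})
            off += size
    return records


def record_id_gaps(records):
    """Return (previous_id, next_id) pairs where record IDs are not consecutive."""
    ids = sorted(r["record_id"] for r in records)
    return [(a, b) for a, b in zip(ids, ids[1:]) if b != a + 1]


# Constructed sample: four records with ids 1, 2, 3, 7 (4-6 missing), one day apart,
# each carrying a 32-byte zero placeholder where the BinXML payload would be.
SAMPLE_RECORDS = [(rid, FILETIME_UNIX_EPOCH + n * FILETIME_DAY, b"\x00" * 32)
                  for n, rid in enumerate((1, 2, 3, 7))]
SAMPLE_EVTX = build_evtx([build_chunk(SAMPLE_RECORDS, 1)], next_record_id=8)

if __name__ == "__main__":
    parsed = parse_evtx(SAMPLE_EVTX)
    for r in parsed:
        print(r["record_id"], r["_time"].isoformat())
    print("record_id gaps:", record_id_gaps(parsed))
```

The CRC checks matter in practice: a file that fails the record-data CRC was truncated or edited after the Event Log service wrote it, and a gap in record_id (here 4 to 6) is a sign that records were deleted or that the file was carved from an incomplete source. Both are worth checking before trusting an allowlist query such as example 4, which silently reports nothing for records that are not there.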