evtx-file

Reads a Windows event log file in EVTX format and outputs one row per event record, with fields such as the event channel, event provider, event ID, task, level and message.

Syntax

evtx-file [zipcharset=CHARSET] [zippath=ZIPFILE_PATH] FILE_PATH
Required Parameter
FILE_PATH
Path to the Windows event log file. A wildcard (*) in the file name matches every file whose name contains the given pattern (e.g. D:\data\evtx\*.evtx). If the zippath option is given, FILE_PATH is instead the path of the EVTX entry inside the ZIP file.
Optional Parameters
zipcharset=CHARSET
Character set used to decode ZIP entry names and comments that are not UTF-8 encoded. Use a preferred MIME name or alias registered at http://www.iana.org/assignments/character-sets/character-sets.xhtml
zippath=ZIPFILE_PATH
Path to the ZIP file that contains the EVTX file.

Description

The output fields are as follows:

Field        Type     Description
_time        Date     Time at which the event was written
computer     String   Computer name
channel      String   Event channel (e.g. System, Security)
provider     String   Event provider
event_id     Integer  Event ID
task         Integer  Event task
level        Integer  Event level (1 Critical, 2 Error, 3 Warning, 4 Information, 5 Verbose)
record_id    Integer  Record ID
msg          String   Event message
event_data   Map      Event data
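Of the fields above, record_id and _time are taken directly from each record's header, while msg and event_data require decoding the record's binary XML body. Before running evtx-file over a collected log it is worth confirming that the file is structurally intact, because a truncated or partially overwritten chunk silently yields fewer rows than the original log held. The script below is an added example written for this page; it is not part of Logpresso or of the evtx-file command. It checks the EVTX file-header magic and CRC32, reports the dirty and full flags, verifies each chunk's header and record checksums, and recovers record_id and the written timestamp from every record header. Its sample image is constructed inline with zeroed placeholders where the binary XML would be, so it does not decode msg or event_data.

```python
"""Pre-ingestion sanity check for an EVTX file (added example, not Logpresso code).

Parses the file header, walks each 64 KiB chunk and each record header, and
recovers record_id and the written time that evtx-file reports as record_id
and _time. Binary XML bodies (msg, event_data) are NOT decoded here.
"""
import struct
import sys
import zlib
from datetime import datetime, timedelta, timezone

FILE_MAGIC = b"ElfFile\x00"
CHUNK_MAGIC = b"ElfChnk\x00"
RECORD_MAGIC = b"\x2a\x2a\x00\x00"
FILE_HEADER_BLOCK = 4096   # file header is padded to one 4 KiB block
CHUNK_SIZE = 65536         # chunk = 128-byte header, tables, records from +512
FLAG_DIRTY = 0x1           # log not closed cleanly (e.g. copied from a live host)
FLAG_FULL = 0x2
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def is_evtx(data):
    return data[:8] == FILE_MAGIC


def parse_file_header(data):
    if not is_evtx(data):
        raise ValueError("not an EVTX file (bad magic)")
    (first_chunk, last_chunk, next_record_id, _hdr_size, minor, major,
     _block_size, chunk_count) = struct.unpack_from("<QQQIHHHH", data, 8)
    flags, checksum = struct.unpack_from("<II", data, 120)
    return {"version": f"{major}.{minor}", "first_chunk": first_chunk,
            "last_chunk": last_chunk, "next_record_id": next_record_id,
            "chunk_count": chunk_count, "dirty": bool(flags & FLAG_DIRTY),
            "full": bool(flags & FLAG_FULL),
            # the file-header CRC32 covers bytes 0..119 only
            "checksum_ok": zlib.crc32(data[:120]) == checksum}


def parse_chunk(chunk):
    if chunk[:8] != CHUNK_MAGIC:
        raise ValueError("bad chunk magic")
    (_first_no, _last_no, first_id, last_id, _hdr_size, _last_off, free_off,
     records_crc) = struct.unpack_from("<QQQQIIII", chunk, 8)
    header_crc = struct.unpack_from("<I", chunk, 124)[0]
    records, off = [], 512
    while off < free_off:
        if chunk[off:off + 4] != RECORD_MAGIC:
            break                                  # slack or corruption
        size, rid, ft = struct.unpack_from("<IQQ", chunk, off + 4)
        if size < 28 or off + size > free_off:
            break                                  # truncated record
        if struct.unpack_from("<I", chunk, off + size - 4)[0] != size:
            break                                  # trailing size copy mismatch
        records.append({"record_id": rid,
                        "time": filetime_to_datetime(ft).isoformat()})
        off += size
    return {"first_record_id": first_id, "last_record_id": last_id,
            # chunk-header CRC32 covers bytes 0..119 and 128..511
            "header_checksum_ok": zlib.crc32(chunk[:120] + chunk[128:512]) == header_crc,
            # record-area CRC32 covers bytes 512..free_off
            "records_checksum_ok": zlib.crc32(chunk[512:free_off]) == records_crc,
            "records": records}


def inspect_evtx(data):
    header = parse_file_header(data)
    chunks = [parse_chunk(data[FILE_HEADER_BLOCK + i * CHUNK_SIZE:
                               FILE_HEADER_BLOCK + (i + 1) * CHUNK_SIZE])
              for i in range(header["chunk_count"])]
    return header, chunks


# CONSTRUCTED sample: one chunk, two records with zeroed 36-byte placeholders
# in place of the binary XML. Not a real Windows log; it only exercises the parser.
SAMPLE_TIMES = [datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc),
                datetime(2024, 1, 15, 12, 0, 5, tzinfo=timezone.utc)]


def build_sample_evtx(dirty=False):
    chunk, off, n = bytearray(CHUNK_SIZE), 512, len(SAMPLE_TIMES)
    for rid, t in enumerate(SAMPLE_TIMES, start=1):
        size = 24 + 36 + 4                         # header + placeholder + size copy
        struct.pack_into("<4sIQQ", chunk, off, RECORD_MAGIC, size, rid,
                         datetime_to_filetime(t))
        struct.pack_into("<I", chunk, off + size - 4, size)
        last_off, off = off, off + size
    struct.pack_into("<8sQQQQIIII", chunk, 0, CHUNK_MAGIC, 0, n - 1, 1, n, 128,
                     last_off, off, zlib.crc32(chunk[512:off]))
    struct.pack_into("<I", chunk, 124, zlib.crc32(chunk[:120] + chunk[128:512]))
    hdr = bytearray(FILE_HEADER_BLOCK)
    struct.pack_into("<8sQQQIHHHH", hdr, 0, FILE_MAGIC, 0, 0, n + 1, 128, 1, 3,
                     FILE_HEADER_BLOCK, 1)
    struct.pack_into("<II", hdr, 120, FLAG_DIRTY if dirty else 0,
                     zlib.crc32(hdr[:120]))
    return bytes(hdr + chunk)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = build_sample_evtx(dirty=True)
    header, chunks = inspect_evtx(data)
    print(header)
    for c in chunks:
        print({k: v for k, v in c.items() if k != "records"}, len(c["records"]), "records")
```

Run it with a path to a real .evtx file to inspect that file, or with no argument to run on the constructed sample. A set dirty flag means the log was not closed cleanly (typical for a file copied from a running system), so next_record_id and chunk_count in the file header may lag behind what the chunk headers say; a failed records checksum points at a truncated or altered chunk whose rows should not be ingested without comment.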

Usage

  1. Retrieve information by providing the file path.

    evtx-file D:\data\evtx\System.evtx
    
  2. Retrieve information from an EVTX file stored inside a ZIP archive, using the zippath option.

    evtx-file zippath=D:\data\evtx.zip evtx\System.evtx
    
  3. Retrieve events whose event provider is MySQL.

    evtx-file D:\data\evtx\application.evtx
    | search provider=="MySQL"
    
  4. Retrieve events whose message matches none of the patterns in the EVTX_WHITE lookup table (a message whitelist). mpsearch records the matched patterns in _mp_result, so an empty _mp_result means no whitelist pattern matched.

    evtx-file D:\data\evtx\application.evtx
    | mpsearch msg [ lookuptable EVTX_WHITE ]
    | search len(_mp_result) == 0