Retrieves information such as the event channel, event provider, event ID, and event operation from an EVTX (Windows event log) file.


evtx-file [zippath=ZIPFILE_PATH] FILE_PATH

Required Parameters
  FILE_PATH
    Path to the Windows event log file. If the zippath option is provided, this is the path of the file inside the ZIP archive.

Optional Parameters
  zippath=ZIPFILE_PATH
    Path to the ZIP file.


After running the evtx-file command, the output fields are as follows:

  _time       (DateTime)  Time at which the event occurred
  computer    (String)    Computer name
  channel     (String)    Event channel
  provider    (String)    Event provider
  event_id    (Integer)   Event ID
  task        (Integer)   Event task
  level       (Integer)   Event level
  record_id   (Integer)   Record ID
  msg         (String)    Event message
  event_data  (Map)       Event data


  1. Retrieve information by providing the file path.

    evtx-file /testdata/evtx/System.evtx
  2. Retrieve information when the zippath option is provided.

    evtx-file zippath=/testdata/evtx.zip evtx/System.evtx
  3. Retrieve an event whose event provider is MySQL.

    evtx-file /testdata/evtx/application.evtx
    | search provider=="MySQL"
  4. Match the event message (msg field) against the EVTX_WHITE lookup table and keep only the events with no match.

    evtx-file /testdata/evtx/application.evtx
    | mpsearch msg [ lookuptable EVTX_WHITE ]
    | search len(_mp_result) == 0
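
The two filtering pipelines in examples 3 and 4 can be modelled outside the query engine to make their semantics explicit. The following Python is an added example, not part of this documentation or of the evtx-file command itself; the event records, the EVTX_WHITE patterns, and the assumption that mpsearch annotates each record with an `_mp_result` list of matched patterns are all constructed for illustration.

```python
import fnmatch
from datetime import datetime

# Constructed sample records in the shape of evtx-file output (not real log data).
SAMPLE_EVENTS = [
    {"_time": datetime(2024, 1, 15, 9, 0, 5), "computer": "WS01", "channel": "Application",
     "provider": "MySQL", "event_id": 100, "task": 0, "level": 4, "record_id": 1,
     "msg": "MySQL server started: ready for connections", "event_data": {}},
    {"_time": datetime(2024, 1, 15, 9, 1, 12), "computer": "WS01", "channel": "Application",
     "provider": "MySQL", "event_id": 1000, "task": 0, "level": 2, "record_id": 2,
     "msg": "Access denied for user 'root'@'10.0.0.5'", "event_data": {}},
    {"_time": datetime(2024, 1, 15, 9, 2, 40), "computer": "WS01", "channel": "System",
     "provider": "Service Control Manager", "event_id": 7036, "task": 0, "level": 4, "record_id": 3,
     "msg": "The Windows Update service entered the running state.", "event_data": {}},
    {"_time": datetime(2024, 1, 15, 9, 3, 1), "computer": "WS01", "channel": "Application",
     "provider": "Application Error", "event_id": 1000, "task": 100, "level": 2, "record_id": 4,
     "msg": "Faulting application name: svchost.exe", "event_data": {}},
]

# Constructed stand-in for the EVTX_WHITE lookup table: wildcard patterns for
# messages that are known-benign and should be dropped from review.
EVTX_WHITE = [
    "*server started*",
    "*entered the running state*",
    "*entered the stopped state*",
]


def search_provider(events, provider):
    """Example 3: `search provider == "<name>"` keeps records from one provider."""
    return [e for e in events if e.get("provider") == provider]


def mpsearch(events, field, patterns):
    """Assumed model of `mpsearch <field> [ lookuptable ... ]`.

    Each record is copied and annotated with `_mp_result`, the list of
    patterns from the lookup table that match the given field.
    """
    out = []
    for e in events:
        value = str(e.get(field, ""))
        matched = [p for p in patterns if fnmatch.fnmatchcase(value, p)]
        annotated = dict(e)  # do not mutate the caller's records
        annotated["_mp_result"] = matched
        out.append(annotated)
    return out


def unknown_messages(events, patterns, field="msg"):
    """Example 4: mpsearch, then `search len(_mp_result) == 0`.

    Only records whose message matched nothing in the allowlist survive,
    which is the set an analyst still has to look at.
    """
    return [e for e in mpsearch(events, field, patterns) if len(e["_mp_result"]) == 0]


if __name__ == "__main__":
    for e in unknown_messages(SAMPLE_EVENTS, EVTX_WHITE):
        print(e["_time"], e["record_id"], e["provider"], e["msg"])
```

Because the allowlist is applied with wildcard patterns rather than exact strings, a single entry such as `*entered the running state*` suppresses that message for every service name; keep patterns as narrow as the noise requires so that unexpected messages from the same provider still reach the final `search`.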