evtx-file
Parses EVTX (Windows XML Event Log) format Windows event log files and retrieves records. Converts system information, event data, messages, and other content in the event log into structured fields for output.
Command properties
| Item | Description |
|---|---|
| Command type | Driver query |
| Required permission | None |
| License usage | Counted |
| Parallel execution | Not supported |
| Distributed execution | Runs on Data Node (mapper) |
Syntax
Options
zippath=STR - Path to the ZIP file containing the EVTX file. Use this to query EVTX files directly inside a ZIP archive.
zipcharset=STR - Character set for ZIP file entries (default: utf-8)
Target
FILE_PATH - Path to the EVTX file to query. You can use a wildcard (*) to specify multiple files.
Output fields
| Field | Type | Description |
|---|---|---|
| _file | string | EVTX file name |
| _time | timestamp | Event creation time |
| computer | string | Name of the computer that generated the event |
| channel | string | Event channel name (e.g., System, Security, Application) |
| provider | string | Event provider name |
| event_id | long | Event identifier |
| task | long | Event task category |
| level | long | Event severity. 0: LogAlways, 1: Critical, 2: Error, 3: Warning, 4: Information, 5: Verbose |
| record_id | long | Event record identifier |
| msg | string | Event message. The result of applying a message template based on the event provider and event identifier |
| event_data | object | Event data. Contains detailed data from the event as key-value pairs. |
Error codes
Parse errors
N/A
Runtime errors
| Error code | Message | Description | Post-processing |
|---|---|---|---|
| - | cannot load evtx file | Unable to read the EVTX file | Stops query execution |
Description
The evtx-file command parses the specified EVTX file in binary XML format and converts each event record into structured fields. It extracts metadata such as provider, event ID, channel, and computer name from the System section of the event log, and extracts event detail data from the EventData or UserData section.
Event message templates are looked up using the key provider:eventID format from the built-in message map and the evtx-message lookup table. Messages registered in the lookup table take precedence over built-in messages. When a message template exists, event data values are substituted and assigned to the msg field. When no message template exists and the event data is a single value, that value is assigned to the msg field.
Key names in the event_data field are automatically converted from CamelCase to snake_case. For example, SubjectUserName becomes subject_user_name.
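To make the msg and event_data rules above concrete, here is an added Python model of that behaviour (illustrative code written for this page, not Logpresso's implementation); the message tables, the {Name} placeholder syntax and the treatment of capitalized acronyms are assumptions:

```python
import re
from typing import Dict, Optional

# Constructed sample tables, keyed "provider:eventID" as the documentation
# describes. Their contents and the "{Name}" placeholder syntax are
# assumptions made for this illustration, not Logpresso's real tables.
BUILTIN_MESSAGES = {
    "Microsoft-Windows-Security-Auditing:4624": "An account was successfully logged on: {TargetUserName}",
    "Microsoft-Windows-Security-Auditing:4625": "An account failed to log on: {TargetUserName}",
}
LOOKUP_MESSAGES = {  # stands in for the evtx-message lookup table
    "Microsoft-Windows-Security-Auditing:4624": "Logon succeeded for {TargetUserName} from {IpAddress}",
}


def to_snake_case(name: str) -> str:
    """SubjectUserName -> subject_user_name. Runs of capitals such as
    ProcessID are kept together (process_id); that detail is an assumption."""
    return re.sub(r"(?<=[a-z0-9])(?=[A-Z])|(?<=[A-Z])(?=[A-Z][a-z])", "_", name).lower()


def render_message(provider: str, event_id: int, event_data: Dict[str, str]) -> Optional[str]:
    """Resolve msg: lookup table beats built-in map; with no template,
    a single-value event_data becomes the message; otherwise no msg."""
    key = f"{provider}:{event_id}"
    template = LOOKUP_MESSAGES.get(key) or BUILTIN_MESSAGES.get(key)
    if template is not None:
        # Substitute event data into placeholders; unknown placeholders stay as written.
        return re.sub(r"\{(\w+)\}", lambda m: str(event_data.get(m.group(1), m.group(0))), template)
    if len(event_data) == 1:
        return str(next(iter(event_data.values())))
    return None


def build_record(provider: str, event_id: int, event_data: Dict[str, str]) -> dict:
    """Assemble the event_data and msg output fields for one parsed event."""
    return {
        "provider": provider,
        "event_id": event_id,
        "event_data": {to_snake_case(k): v for k, v in event_data.items()},
        "msg": render_message(provider, event_id, event_data),
    }


if __name__ == "__main__":
    # Constructed event: a 4624 logon carrying raw CamelCase EventData keys.
    rec = build_record("Microsoft-Windows-Security-Auditing", 4624,
                       {"SubjectUserName": "SYSTEM", "TargetUserName": "alice", "IpAddress": "10.0.0.5"})
    print(rec["event_data"])  # {'subject_user_name': 'SYSTEM', 'target_user_name': 'alice', 'ip_address': '10.0.0.5'}
    print(rec["msg"])         # Logon succeeded for alice from 10.0.0.5
```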
To query EVTX files inside a ZIP archive, specify the ZIP file path in the zippath option and specify the path to the EVTX file inside the ZIP as the target.
Examples
- Query an EVTX file
evtx-file /opt/logpresso/evidence/System.evtx
Retrieves all event records from the EVTX file at the specified path.
- Query multiple EVTX files using a wildcard
evtx-file /opt/logpresso/evidence/*.evtx
Retrieves event records from all EVTX files in the specified directory.
- Query an EVTX file inside a ZIP archive
evtx-file zippath=/opt/logpresso/evidence/logs.zip System.evtx
Retrieves event records from the System.evtx file inside the ZIP archive.
- Filter by a specific event ID
evtx-file /opt/logpresso/evidence/Security.evtx | search event_id == 4624
Filters only successful logon events (event ID 4624) from the security event log.