EVTX

Parses Windows XML Event Log (EVTX) files.

Note

The feature is available as a preview.

Syntax:

LIST(...) | EVTX()

The command fetches the content of all the files listed in the output of the LIST command, decompresses the data when needed, parses it and sends the resulting stream of structured records to its output.

Example: looking at what is inside the Application event log:

LIST('file:/C:/Windows/System32/winevt/Logs/Application.evtx')
| EVTX()

The default location of event logs on Windows Vista/2008 and newer is C:\Windows\System32\winevt\Logs\. By default the EVTX files in this folder are readable only by members of the Administrators, Event Log Readers and SYSTEM groups. To read the files in SpectX, the OS user that SpectX runs as on the local system must either be a member of one of those groups or be granted read permission on the files in some other way.

Processing

The processing (i.e. retrieval of raw data, decompression and parsing) is executed in parallel by several independent tasks. The number of simultaneously running tasks is limited by the value of the query.max_tasks query configuration parameter.

The number of tasks is determined mainly by the number of compressed source EVTX files, if any, and by the number of chunks the non-compressed source EVTX files are split into (chunk size is 32MB). Each task fetches its non-compressed chunk or compressed file from the specified source, decompresses it if needed, and extracts and transforms the data elements into a stream of structured records.

Record format

The following fields are always present in the records:

Field Name      Description
TimeCreated     Event[System][TimeCreated][@SystemTime]
EventID         Event[System][EventID][#value]
Level           Event[System][Level]
Level_          decoded Event[System][Level]
Task            Event[System][Task]
Opcode          Event[System][Opcode]
EventRecordID   Event[System][EventRecordID]
Computer        Event[System][Computer]
Channel         Event[System][Channel]
ProviderName    Event[System][Provider][@Name]
UserID          Event[System][Security][@UserID]
EventData       Event[EventData]

Fields whose name ends with an underscore ("_") contain the decoded value of the counterpart field whose name lacks the trailing underscore (EventID, Level, Task, Opcode, Keywords, UserID, Message). Proper decoding is not always possible, so we recommend treating the decoded values as informational and relying on the original values, for example when filtering or correlating records.
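An added example (not from the original page) that puts the decoded fields next to the original values they are derived from, while filtering on the original numeric EventID rather than on the decoded string. It assumes the FILTER command syntax shown below, the default log location, and the SubjectUserName, TargetUserName and LogonType members that Windows writes into EventData for a successful logon (event 4624).

```spectx
// Added example, not part of the original documentation.
// Filter on the original EventID (reliable) and show the decoded
// counterparts (EventID_, Level_) only as informational columns.
LIST('file:/C:/Windows/System32/winevt/Logs/Security.evtx')
| EVTX()
| FILTER(EventID = 4624)                      // successful logon, original numeric field
| SELECT(
        TimeCreated,
        EventID,
        EventID_,                             // decoded, informational only
        Level,
        Level_,                               // decoded, informational only
        Computer,
        EventData[SubjectUserName] as subjectUser,
        EventData[TargetUserName]  as targetUser,   // assumed 4624 EventData member
        EventData[LogonType]       as logonType     // assumed 4624 EventData member
  )
```

Comparing EventID with EventID_ over a sample of records is a quick check of whether the decoding worked for the providers present in that log before any decoded column is used in a report.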

The following fields can additionally be selected:

Field Name               Description
ProviderGuid             Event[System][Provider][@Guid]
ProviderEventSourceName  Event[System][Provider][@EventSourceName]
Qualifiers               Event[System][EventID][@Qualifiers]
Version                  Event[System][Version]
Keywords                 Event[System][Keywords]
ActivityID               Event[System][Correlation][@ActivityID]
RelatedActivityID        Event[System][Correlation][@RelatedActivityID]
ProcessID                Event[System][Execution][@ProcessID]
ThreadID                 Event[System][Execution][@ThreadID]
ProcessorID              Event[System][Execution][@ProcessorID]
KernelTime               Event[System][Execution][@KernelTime]
ProcessorTime            Event[System][Execution][@ProcessorTime]
UserTime                 Event[System][Execution][@UserTime]
SessionID                Event[System][Execution][@SessionID]
System                   Event[System]
UserData                 Event[UserData]
ProcessingErrorData      Event[ProcessingErrorData]
Event                    Event from EVTX BinXml
EventOther               Event without System, EventData, UserData and ProcessingErrorData
Message_                 decoded Event[System][EventID][#value]
TimeLogged               The time the event record was logged

Example: selecting certain fields from the records in the Security event log:

LIST('file:/C:/Windows/System32/winevt/Logs/Security.evtx')
| EVTX()
| SELECT(
        TimeCreated,
        EventID,
        EventData[SubjectUserName] as subjectUser,
        Computer,
        ActivityID,
        ProcessID
  )