:py:mod:`dissect.eventlog.evtx`
===============================

.. py:module:: dissect.eventlog.evtx


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.eventlog.evtx.ElfChnk
   dissect.eventlog.evtx.Evtx


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.eventlog.evtx.log
   dissect.eventlog.evtx.evtx_def
   dissect.eventlog.evtx.c_evtx


.. py:data:: log

.. py:data:: evtx_def
   :value: Multiline-String

   .. code-block:: python

      """
      struct EVTX_HEADER {
          char    magic[8];
          uint64  first_chunk;
          uint64  last_chunk;
          uint64  next_record_id;
          uint32  header_size;
          uint16  minor_version;
          uint16  major_version;
          uint16  header_block_size;
          uint16  num_chunks;
          char    _padding[76];
          uint32  flags;
          uint32  checksum;
      };

      struct EVTX_CHUNK {
          char    magic[8];
          uint64  first_record_nr;
          uint64  last_record_nr;
          uint64  first_record_id;
          uint64  last_record_id;
          uint32  header_size;
          uint32  last_record_offset;
          uint32  free_space_offset;
          uint32  records_checksum;
          char    _padding[64];
          uint32  flags;
          uint32  checksum;
          uint32  string_offsets[64];
          uint32  template_ptr[32];
      };

      struct EVTX_RECORD {
          uint32  signature;
          uint32  size;
          uint64  record_id;
          uint64  time_written;
          char    data[size-28];
          uint32  size_copy;
      };
      """

.. py:data:: c_evtx

.. py:class:: ElfChnk(d, path=None)

   .. py:attribute:: path
      :value: None

   .. py:attribute:: stream

   .. py:attribute:: header

   .. py:attribute:: empty

   .. py:attribute:: names

   .. py:attribute:: templates

   .. py:attribute:: data_offset
      :value: 0

   .. py:method:: read(records=True)


.. py:class:: Evtx(fh, path=None)

   Microsoft Event logs

   .. py:attribute:: path
      :value: None

   .. py:attribute:: fh

   .. py:attribute:: header

   .. py:attribute:: count
      :value: 0

   .. py:method:: __iter__()
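The ``evtx_def`` layouts above can be walked with nothing but the standard library. The following is an added example, not code from dissect; it packs the three structs with ``struct``, builds a constructed one-record file, and reads the records back, stopping on a record whose trailing ``size_copy`` does not mirror its leading ``size`` (the usual sign of slack space or a damaged chunk). The magic strings and record signature are the on-disk values; the version numbers, record id and timestamp in the sample are constructed.

```python
import struct
from typing import NamedTuple

HEADER_FMT = "<8sQQQIHHHH76sII"       # 128 bytes, field order of EVTX_HEADER
CHUNK_FMT = "<8sQQQQIIII64sII64I32I"  # 512 bytes, field order of EVTX_CHUNK
RECORD_HDR_FMT = "<IIQQ"              # the 24 fixed bytes before EVTX_RECORD.data
FILE_MAGIC, CHUNK_MAGIC, RECORD_SIG = b"ElfFile\x00", b"ElfChnk\x00", 0x2A2A0000

class Record(NamedTuple):
    record_id: int
    time_written: int  # FILETIME, left unconverted here
    data: bytes        # BinXML payload, size - 28 bytes

def parse_header(buf: bytes) -> dict:
    f = struct.unpack_from(HEADER_FMT, buf, 0)
    if f[0] != FILE_MAGIC:
        raise ValueError("not an EVTX file header")
    return dict(first_chunk=f[1], last_chunk=f[2], next_record_id=f[3],
                header_block_size=f[7], num_chunks=f[8], flags=f[10])

def parse_records(buf: bytes, chunk_off: int) -> list[Record]:
    """Walk the records of the chunk at chunk_off up to its free_space_offset."""
    f = struct.unpack_from(CHUNK_FMT, buf, chunk_off)
    if f[0] != CHUNK_MAGIC:
        raise ValueError("bad chunk magic")
    pos, end, out = chunk_off + struct.calcsize(CHUNK_FMT), chunk_off + f[7], []
    while pos + 28 <= end:
        sig, size, rid, ts = struct.unpack_from(RECORD_HDR_FMT, buf, pos)
        if sig != RECORD_SIG or size < 28 or pos + size > end:
            break  # slack space or a damaged record: stop rather than misparse
        (size_copy,) = struct.unpack_from("<I", buf, pos + size - 4)
        if size_copy != size:  # trailing size_copy must mirror the leading size
            break
        out.append(Record(rid, ts, buf[pos + 24:pos + size - 4]))
        pos += size
    return out

def build_sample() -> bytes:
    """Constructed sample: a 4 KiB header block and one 64 KiB chunk holding one record."""
    data = b"<constructed binxml placeholder>"
    size = 28 + len(data)
    record = struct.pack(RECORD_HDR_FMT, RECORD_SIG, size, 1, 133_000_000_000_000_000)
    record += data + struct.pack("<I", size)
    # chunk header_size 128 = fixed fields before the string/template tables; records start at 512
    chunk = struct.pack(CHUNK_FMT, CHUNK_MAGIC, 1, 1, 1, 1, 128, 512, 512 + size, 0, b"", 0, 0, *([0] * 96))
    header = struct.pack(HEADER_FMT, FILE_MAGIC, 0, 0, 2, 128, 1, 3, 4096, 1, b"", 0, 0)
    return header.ljust(4096, b"\0") + (chunk + record).ljust(65536, b"\0")
```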