:py:mod:`dissect.target.plugins.os.windows.log.evtx`
====================================================

.. py:module:: dissect.target.plugins.os.windows.log.evtx


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.log.evtx.EvtxPlugin


Functions
~~~~~~~~~

.. autoapisummary::
   :nosignatures:

   dissect.target.plugins.os.windows.log.evtx.format_value
   dissect.target.plugins.os.windows.log.evtx.unique_key


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.log.evtx.re_illegal_characters
   dissect.target.plugins.os.windows.log.evtx.EVTX_GLOB


.. py:data:: re_illegal_characters

.. py:data:: EVTX_GLOB
   :value: '*.evtx'


.. py:class:: EvtxPlugin(target: dissect.target.target.Target)

   Bases: :py:obj:`dissect.target.plugins.os.windows.log.evt.WindowsEventlogsMixin`, :py:obj:`dissect.target.plugin.Plugin`

   Plugin for fetching and parsing Windows Eventlog Files (``*.evtx``).

   .. py:attribute:: RECORD_NAME
      :value: 'filesystem/windows/evtx'

   .. py:attribute:: LOGS_DIR_PATH
      :value: '%windir%/system32/winevt/logs'

   .. py:attribute:: NEEDLE
      :value: b'ElfChnk\x00'

   .. py:attribute:: CHUNK_SIZE
      :value: 65536

   .. py:method:: evtx(log_file_glob: str = EVTX_GLOB, logs_dir: str | None = None) -> collections.abc.Iterator[dissect.target.helpers.record.DynamicDescriptor]

      Return entries from Windows Event log files (``*.evtx``).

      The Windows Event log is a detailed record of system, security and application notifications. It can be used to diagnose a system or to find future issues. Up until Windows XP the extension ``.evt`` was used; after that ``.evtx`` became the new standard.

      .. rubric:: References

      - https://www.techtarget.com/searchwindowsserver/definition/Windows-event-log
      - https://serverfault.com/questions/441050/what-are-the-differences-between-windows-evt-and-evtx-log-files

      Yields dynamically created records based on the fields in the event. Each record contains at least the following fields:

      .. code-block:: text

         hostname (string): The target hostname.
         domain (string): The target domain.
         ts (datetime): The TimeCreated_SystemTime field of the event.
         Provider_Name (string): The Provider_Name field of the event.
         EventID (int): The EventID of the event.

   .. py:method:: scraped_evtx() -> collections.abc.Iterator[dissect.target.helpers.record.DynamicDescriptor]

      Return EVTX log file records scraped from target disks.


.. py:function:: format_value(value: Any) -> Any


.. py:function:: unique_key(key: str, dictionary: dict[str, Any], count: int | None = None) -> str

   Return a unique key for a given dict of key/value pairs.

   Makes the returned key unique by appending an incrementing integer after the given key name (e.g. ``key_2``). The search is case sensitive, so provide lower-cased ``key`` and ``dictionary`` arguments if case-insensitive matching is desired.