dissect.target.plugins.os.windows.log.evtx

Module Contents

Classes

EvtxPlugin

Plugin for fetching and parsing Windows Eventlog Files (*.evtx)

Functions

Attributes

dissect.target.plugins.os.windows.log.evtx.re_illegal_characters
dissect.target.plugins.os.windows.log.evtx.EVTX_GLOB = '*.evtx'
class dissect.target.plugins.os.windows.log.evtx.EvtxPlugin(target)

Bases: dissect.target.plugins.os.windows.log.evt.WindowsEventlogsMixin, dissect.target.plugin.Plugin

Plugin for fetching and parsing Windows Eventlog Files (*.evtx)

RECORD_NAME = 'filesystem/windows/evtx'
LOGS_DIR_PATH = 'sysvol/windows/system32/winevt/logs'
NEEDLE = b'ElfChnk\x00'
CHUNK_SIZE = 65536
evtx(log_file_glob: str = EVTX_GLOB, logs_dir: Optional[str] = None) -> Generator[flow.record.Record, None, None]

Return entries from Windows Event log files (*.evtx).

The Windows Event log is a detailed record of system, security and application notifications. It can be used to diagnose a system or to find issues before they escalate. Up to and including Windows XP the .evt extension was used; after that, .evtx became the new standard.

Sources:

Yields dynamically created records based on the fields in the event. Each record contains at least the following fields:

- hostname (string): The target hostname.
- domain (string): The target domain.
- ts (datetime): The TimeCreated_SystemTime field of the event.
- Provider_Name (string): The Provider_Name field of the event.
- EventID (int): The EventID of the event.

scraped_evtx() -> Generator[flow.record.Record, None, None]

Return EVTX log file records scraped from target disks.
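To illustrate what the NEEDLE and CHUNK_SIZE attributes above are for, here is an added example (not the plugin's own implementation) that carves candidate EVTX chunks out of a raw byte image by signature and validates each header before accepting it. The header-size field at chunk offset 40 and the first/last record number fields at offsets 8 and 16 are assumed from the publicly documented EVTX chunk header layout; the image is constructed inline.

```python
import struct
from typing import NamedTuple

# Constants as listed on the page for EvtxPlugin.
NEEDLE = b"ElfChnk\x00"
CHUNK_SIZE = 65536
# Assumed from the documented EVTX chunk header layout: the header-size field always reads 128.
CHUNK_HEADER_SIZE = 128


class ChunkHit(NamedTuple):
    offset: int
    first_record: int
    last_record: int


def carve_chunks(image: bytes) -> list[ChunkHit]:
    """Find chunk signatures and keep only plausible chunks: a full CHUNK_SIZE must
    fit in the image and the header-size field must read 128. Needle hits inside
    slack space or unrelated data fail that check and are skipped."""
    hits: list[ChunkHit] = []
    pos = image.find(NEEDLE)
    while pos != -1:
        if pos + CHUNK_SIZE <= len(image):
            # +8: first record number (u64), last record number (u64), skip two
            # record identifiers (2 x u64), then header size (u32) at +40.
            first, last, header_size = struct.unpack_from("<QQ16xI", image, pos + 8)
            if header_size == CHUNK_HEADER_SIZE:
                hits.append(ChunkHit(pos, first, last))
                pos = image.find(NEEDLE, pos + CHUNK_SIZE)  # skip the chunk body
                continue
        pos = image.find(NEEDLE, pos + 1)
    return hits


def _make_chunk(first: int, last: int) -> bytes:
    """Constructed chunk: valid signature and header fields, zeroed record area."""
    chunk = bytearray(CHUNK_SIZE)
    chunk[:8] = NEEDLE
    struct.pack_into("<QQQQI", chunk, 8, first, last, first, last, CHUNK_HEADER_SIZE)
    return bytes(chunk)


def build_sample_image() -> bytes:
    """Constructed disk image: 4 KiB file header area, a chunk, a stray needle in
    slack with no valid header behind it, a second chunk, and a truncated chunk."""
    file_header = b"ElfFile\x00" + bytes(4096 - 8)
    slack = bytes(1000) + NEEDLE + bytes(1000)
    truncated = NEEDLE + bytes(100)
    return file_header + _make_chunk(1, 50) + slack + _make_chunk(51, 120) + truncated
```

Running carve_chunks(build_sample_image()) yields two hits, at offsets 4096 and 71640; the stray needle and the truncated tail are rejected by the header and size checks respectively.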

dissect.target.plugins.os.windows.log.evtx.format_value(value: Any) -> Any