dissect.target.plugins.os.windows.log.evtx

Module Contents

Classes

EvtxPlugin

Plugin for fetching and parsing Windows Eventlog Files (*.evtx)

Functions

format_value

Attributes

re_illegal_characters
EVTX_GLOB

dissect.target.plugins.os.windows.log.evtx.re_illegal_characters

dissect.target.plugins.os.windows.log.evtx.EVTX_GLOB = '*.evtx'

class dissect.target.plugins.os.windows.log.evtx.EvtxPlugin(target)

Bases: dissect.target.plugins.os.windows.log.evt.WindowsEventlogsMixin, dissect.target.plugin.Plugin

Plugin for fetching and parsing Windows Eventlog Files (*.evtx)

RECORD_NAME = 'filesystem/windows/evtx'

LOGS_DIR_PATH = 'sysvol/windows/system32/winevt/logs'

NEEDLE = b'ElfChnk\x00'

CHUNK_SIZE = 65536

evtx(log_file_glob: str = EVTX_GLOB, logs_dir: Optional[str] = None) → Generator[flow.record.Record, None, None]

Return entries from Windows Event log files (*.evtx).

Windows Event log is a detailed record of system, security and application notifications. It can be used to diagnose a system or find future issues. Up until Windows XP the extension .evt was used, hereafter .evtx became the new standard.

Sources:

• https://www.techtarget.com/searchwindowsserver/definition/Windows-event-log

• https://serverfault.com/questions/441050/what-are-the-differences-between-windows-evt-and-evtx-log-files

Yields dynamically created records based on the fields in the event. At least contains the following fields:

hostname (string): The target hostname. domain (string): The target domain. ts (datetime): The TimeCreated_SystemTime field of the event. Provider_Name (string): The Provider_Name field of the event. EventID (int): The EventID of the event.

scraped_evtx() → Generator[flow.record.Record, None, None]

Return EVTX log file records scraped from target disks

dissect.target.plugins.os.windows.log.evtx.format_value(value: Any) → Any