dissect.target.plugins.os.windows.log.evtx

Module Contents

Classes
- EvtxPlugin: Plugin for fetching and parsing Windows Eventlog Files (*.evtx)

Functions
- format_value

Attributes
- dissect.target.plugins.os.windows.log.evtx.re_illegal_characters
- dissect.target.plugins.os.windows.log.evtx.EVTX_GLOB = '*.evtx'
- class dissect.target.plugins.os.windows.log.evtx.EvtxPlugin(target)
  Bases: dissect.target.plugins.os.windows.log.evt.WindowsEventlogsMixin, dissect.target.plugin.Plugin
  Plugin for fetching and parsing Windows Eventlog Files (*.evtx)
  - RECORD_NAME = 'filesystem/windows/evtx'
  - LOGS_DIR_PATH = 'sysvol/windows/system32/winevt/logs'
  - NEEDLE = b'ElfChnk\x00'
  - CHUNK_SIZE = 65536
  - evtx(log_file_glob: str = EVTX_GLOB, logs_dir: Optional[str] = None) -> Generator[flow.record.Record, None, None]
    Return entries from Windows Event log files (*.evtx).
    The Windows Event log is a detailed record of system, security and application notifications. It can be used to diagnose a system or to spot developing issues. Up until Windows XP the extension .evt was used; thereafter .evtx became the new standard.
    Sources:
    Yields dynamically created records based on the fields in the event. Each record contains at least the following fields:
    - hostname (string): The target hostname.
    - domain (string): The target domain.
    - ts (datetime): The TimeCreated_SystemTime field of the event.
    - Provider_Name (string): The Provider_Name field of the event.
    - EventID (int): The EventID of the event.
  - scraped_evtx() -> Generator[flow.record.Record, None, None]
    Return EVTX log file records scraped from target disks.
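An added, self-contained illustration (not dissect.target's own code) of the kind of signature carving that the NEEDLE and CHUNK_SIZE constants above support: scan raw bytes for ElfChnk\x00, cut 64 KiB chunks, and validate each chunk-header CRC32 so that stray signature hits on a disk are not treated as log chunks. The header field offsets follow the public EVTX chunk layout; the sample image and chunks are constructed inline.

```python
import struct
import zlib
from dataclasses import dataclass
from typing import Iterator

# Constants as documented for EvtxPlugin on this page.
NEEDLE = b"ElfChnk\x00"
CHUNK_SIZE = 65536
HEADER_SIZE = 128  # value stored at offset 40 of every valid chunk header

@dataclass
class CarvedChunk:
    offset: int        # byte offset of the chunk within the scanned data
    first_record: int  # first event record number stored in the header
    last_record: int   # last event record number stored in the header
    checksum_ok: bool  # header CRC32 at offset 124 matches the header bytes

def chunk_header_crc(chunk: bytes) -> int:
    # EVTX chunk layout: the header checksum covers bytes 0..120 and 128..512.
    return zlib.crc32(chunk[:120] + chunk[128:512]) & 0xFFFFFFFF

def carve_chunks(data: bytes) -> Iterator[CarvedChunk]:
    """Yield every CHUNK_SIZE block in `data` that starts with NEEDLE."""
    pos = data.find(NEEDLE)
    while pos != -1:
        chunk = data[pos:pos + CHUNK_SIZE]
        if len(chunk) == CHUNK_SIZE:  # ignore a truncated hit at the end of the data
            first, last = struct.unpack_from("<QQ", chunk, 8)
            header_size = struct.unpack_from("<I", chunk, 40)[0]
            stored_crc = struct.unpack_from("<I", chunk, 124)[0]
            ok = header_size == HEADER_SIZE and stored_crc == chunk_header_crc(chunk)
            yield CarvedChunk(pos, first, last, ok)
        pos = data.find(NEEDLE, pos + 1)

def build_sample_chunk(first: int, last: int, corrupt: bool = False) -> bytes:
    """Constructed test chunk: valid header fields, correct CRC unless `corrupt`."""
    header = bytearray(512)
    header[0:8] = NEEDLE
    struct.pack_into("<QQQQ", header, 8, first, last, first, last)
    struct.pack_into("<III", header, 40, HEADER_SIZE, 512, 512)
    crc = chunk_header_crc(bytes(header))
    struct.pack_into("<I", header, 124, crc ^ 0xFFFFFFFF if corrupt else crc)
    return bytes(header) + b"\x00" * (CHUNK_SIZE - 512)

# Constructed "disk image": padding, a good chunk, slack, then a chunk with a bad CRC.
SAMPLE_IMAGE = (b"\xAA" * 4096 + build_sample_chunk(1, 42)
                + b"\x00" * 1000 + build_sample_chunk(43, 60, corrupt=True))

def carve_sample() -> list:
    return list(carve_chunks(SAMPLE_IMAGE))
```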
- dissect.target.plugins.os.windows.log.evtx.format_value(value: Any) -> Any