etl.etl

$ target-query <path/to/target> -f etl.etl
Details

Module

os.windows.log.etl.EtlPlugin

Output

records

Module documentation

Plugin for fetching and parsing Windows ETL Files (*.etl)

Function documentation

Return the contents of the ETL files generated at last boot and last shutdown.

An event trace log (.etl) file, also known as a trace log, stores the trace messages generated during one or more trace sessions. A trace session is a period during which a trace provider is generating trace messages. A trace provider is a component of a user-mode application or kernel-mode driver that uses Event Tracing for Windows (ETW) technology to generate trace messages or trace events.

References:

Yields dynamically created records based on the fields inside an ETL event. Each record contains at least the following fields:

hostname (string): The target hostname.
domain (string): The target domain.
ts (datetime): The TimeCreated_SystemTime field of the event.
Provider_Name (string): The Provider_Name field of the event.
EventType (string): The type of the event defined by the manifest file.
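As an added example that is not part of the plugin's own documentation, the script below summarises the records this function yields by Provider_Name and EventType, optionally restricted to events at or after a given timestamp, which is a quick way to see which providers were active around the last boot or shutdown. The `Target.open(...)` / `target.etl.etl()` call and the `EtlEvent` stand-in (carrying only the fields documented above) are assumptions.

```python
"""Summarise etl.etl records by provider and event type (added example)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class EtlEvent:
    """Constructed stand-in for a record yielded by etl.etl (guaranteed fields only)."""
    hostname: str
    domain: str
    ts: datetime
    Provider_Name: str
    EventType: str


def load_etl_records(target_path):
    """Run the etl.etl function against a target.

    Assumption: dissect.target exposes the plugin as target.etl.etl(); imported
    lazily so summarize() can be used on already-exported records without it.
    """
    from dissect.target import Target

    target = Target.open(target_path)
    return target.etl.etl()


def summarize(records, since=None):
    """Count (Provider_Name, EventType) pairs for events at or after `since`.

    Returns (counts, first_ts, last_ts), where the timestamps bound the
    events that were actually counted (None if nothing matched).
    """
    counts = Counter()
    first = last = None
    for rec in records:
        if since is not None and rec.ts < since:
            continue
        counts[(rec.Provider_Name, rec.EventType)] += 1
        first = rec.ts if first is None or rec.ts < first else first
        last = rec.ts if last is None or rec.ts > last else last
    return counts, first, last


# Constructed sample events; EventType values are illustrative, not from a real manifest.
UTC = timezone.utc
SAMPLE = [
    EtlEvent("ws01", "corp", datetime(2024, 1, 1, 8, 0, 0, tzinfo=UTC), "Microsoft-Windows-Kernel-General", "Start"),
    EtlEvent("ws01", "corp", datetime(2024, 1, 1, 8, 0, 5, tzinfo=UTC), "Microsoft-Windows-Kernel-Process", "Start"),
    EtlEvent("ws01", "corp", datetime(2024, 1, 1, 8, 0, 7, tzinfo=UTC), "Microsoft-Windows-Kernel-Process", "Start"),
    EtlEvent("ws01", "corp", datetime(2024, 1, 1, 18, 30, 0, tzinfo=UTC), "Microsoft-Windows-Kernel-General", "Stop"),
]
```

To run it against a real target, replace `SAMPLE` with `load_etl_records("<path/to/target>")` and pass the result to `summarize()`.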