`dissect.target.plugins.os.windows.log.evt`¶

Module Contents¶

Classes¶

`WindowsEventlogsMixin`
`EvtPlugin`	Windows `.evt` event log plugin.

Attributes¶

`re_illegal_characters`
`EvtRecordDescriptor`
`EVT_GLOB`

dissect.target.plugins.os.windows.log.evt.re_illegal_characters¶

dissect.target.plugins.os.windows.log.evt.EvtRecordDescriptor¶

dissect.target.plugins.os.windows.log.evt.EVT_GLOB = '*.evt'¶

class dissect.target.plugins.os.windows.log.evt.WindowsEventlogsMixin¶

EVENTLOG_REGISTRY_KEY = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Eventlog'¶

LOGS_DIR_PATH = None¶

get_logs(filename_glob: str = '*') → list[pathlib.Path]¶

get_logs_from_dir(logs_dir: str, filename_glob: str = '*') → list[pathlib.Path]¶

get_logs_from_registry(filename_glob: str = '*') → list[pathlib.Path]¶

check_compatible() → None¶

class dissect.target.plugins.os.windows.log.evt.EvtPlugin(target: dissect.target.target.Target)¶

Bases: WindowsEventlogsMixin, dissect.target.plugin.Plugin

Windows .evt event log plugin.

LOGS_DIR_PATH = '%windir%/system32/config'¶

NEEDLE = b'LfLe'¶

CHUNK_SIZE = 65536¶

evt(log_file_glob: str = EVT_GLOB, logs_dir: str | None = None) → collections.abc.Iterator[EvtRecordDescriptor]¶

Parse Windows Eventlog files (*.evt).

Yields dynamically created records based on the fields in the event. At least contains the following fields:

hostname (string): The target hostname.
domain (string): The target domain.
ts (datetime): The TimeCreated_SystemTime field of the event.
Provider_Name (string): The Provider_Name field of the event.
EventID (int): The EventID of the event.

scraped_evt() → collections.abc.Iterator[EvtRecordDescriptor]¶: Yields EVT log file records scraped from target disks.