Section 3 - Windows Event Log Parsing
Section 3.1 - Opening an Event Log
Example for opening EVTX files.
Demonstrates how to open an EVTX file and get basic details about the event log.
This section makes use of python-evtx, a Python library for reading event log
files. To install it, run: pip install python-evtx
Other libraries for parsing these event logs exist, and we welcome snippets that show how to use them to read EVTX files.
Example Usage:
$ python open_evtx.py System.evtx
References:
Open Windows Event Logs (EVTX)
This function shows an example of opening an EVTX file and reading several common parameters from its file header. The dirty flag indicates the log was not closed cleanly (for example, it was copied while the system was running), and the full flag indicates the log has reached its maximum size.
import sys
from collections import OrderedDict

import Evtx.Evtx as evtx  # python-evtx: pip install python-evtx


def open_evtx(input_file):
    """Opens a Windows Event Log and displays common log parameters.

    Arguments:
        input_file (str): Path to evtx file to open
    """
    with evtx.Evtx(input_file) as open_log:
        header = open_log.get_file_header()
        # Header accessor method name -> label to print for it
        properties = OrderedDict([
            ('major_version', 'File version (major)'),
            ('minor_version', 'File version (minor)'),
            ('is_dirty', 'File is dirty'),
            ('is_full', 'File is full'),
            ('next_record_number', 'Next record number')
        ])
        for key, value in properties.items():
            print(f"{value}: {getattr(header, key)()}")


if __name__ == '__main__':
    if len(sys.argv) != 2:
        sys.exit("Usage: python open_evtx.py <file.evtx>")
    open_evtx(sys.argv[1])
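The header tells you about the file; the records tell you what happened. The following is an added example, not part of the original snippet or of python-evtx itself, that goes one step further and walks every record in the log, pulling the provider, EventID, timestamp and computer name out of each record's XML and summarising the counts per (provider, EventID) together with the time span covered. It assumes python-evtx's Evtx.Evtx module for reading the file (the import is guarded so the XML-level functions also run without it) and the standard Windows event XML namespace; the sample records, the _sample builder, the evtx_summary.py script name and the function names are all constructed for this example.

```python
"""Added example: summarise an EVTX file by provider and EventID.

Not part of the original snippet. Assumes python-evtx (Evtx.Evtx) for
reading the file; the XML parsing uses only the standard library.
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

try:
    import Evtx.Evtx as evtx  # python-evtx; only needed by records_xml_from_file
except ImportError:  # keep the XML-level functions usable without the dependency
    evtx = None

# Namespace of every EVTX record's <Event> element.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_record(xml_text):
    """Return (provider, event_id, time_created, computer) from one record's XML.

    Raises ValueError if the <System> block is missing, so a malformed record
    is reported rather than silently skipped.
    """
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    if system is None:
        raise ValueError("record has no <System> element")
    provider = system.find("e:Provider", NS).get("Name")
    event_id = int(system.find("e:EventID", NS).text)
    time_created = system.find("e:TimeCreated", NS).get("SystemTime")
    computer = system.find("e:Computer", NS).text
    return provider, event_id, time_created, computer


def summarise(records_xml):
    """Count records per (provider, event_id) and return the time span seen.

    Returns (counts, first_time, last_time). Times are the SystemTime strings;
    they compare correctly as text because the format is fixed-width.
    """
    counts = Counter()
    first = last = None
    for xml_text in records_xml:
        provider, event_id, ts, _computer = parse_record(xml_text)
        counts[(provider, event_id)] += 1
        if first is None or ts < first:
            first = ts
        if last is None or ts > last:
            last = ts
    return counts, first, last


def records_xml_from_file(path):
    """Yield each record's XML string from an EVTX file (needs python-evtx)."""
    if evtx is None:
        raise RuntimeError("python-evtx is not installed: pip install python-evtx")
    with evtx.Evtx(path) as open_log:
        for record in open_log.records():
            yield record.xml()


def _sample(provider, event_id, system_time, computer="WKS01"):
    """Build one constructed record in the shape python-evtx's record.xml() returns."""
    return (
        f'<Event xmlns="{NS["e"]}"><System>'
        f'<Provider Name="{provider}"></Provider>'
        f'<EventID Qualifiers="">{event_id}</EventID>'
        f'<TimeCreated SystemTime="{system_time}"></TimeCreated>'
        f'<Computer>{computer}</Computer></System><EventData></EventData></Event>'
    )


# Constructed sample records (System-log style events, not from any real machine).
SAMPLE_RECORDS = [
    _sample("Microsoft-Windows-Kernel-General", 12, "2024-03-01 08:00:00.000000"),
    _sample("Service Control Manager", 7036, "2024-03-01 08:00:05.250000"),
    _sample("Service Control Manager", 7036, "2024-03-01 08:01:12.000000"),
    _sample("Microsoft-Windows-Kernel-General", 13, "2024-03-01 17:45:00.000000"),
]


if __name__ == "__main__":
    # Usage: python evtx_summary.py System.evtx   (falls back to the samples)
    source = records_xml_from_file(sys.argv[1]) if len(sys.argv) == 2 else SAMPLE_RECORDS
    counts, first, last = summarise(source)
    print(f"Records: {sum(counts.values())}  span: {first} .. {last}")
    for (provider, event_id), n in counts.most_common():
        print(f"{n:6d}  {provider}  EventID {event_id}")
```

Run it against a real file to get a quick per-provider breakdown before diving into individual events; on a dirty log (see the header check above) compare the record count here with next_record_number from the header, since the two will not necessarily agree.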