Section 3 - Windows Event Log Parsing

Section 3.1 - Opening an Event Log

Example for opening EVTX files.

Demonstrates how to open an EVTX file and read basic details about the event log from its file header. This section uses python-evtx, a Python library for reading Windows Event Log (EVTX) files. To install it, run pip install python-evtx.

Other libraries for parsing these event logs exist, and we welcome contributions of snippets that show how to use them to read EVTX files.

Example Usage:

$ python open_evtx.py System.evtx

Open Windows Event Logs (EVTX)

This function shows an example of opening an EVTX file and printing several common parameters from its file header: the format version, the dirty and full flags, and the next record number. The dirty flag is set while the log is open for writing and cleared when it is closed cleanly; on a log taken from a live or crashed system it is often still set, in which case header values such as the next record number may lag behind the records actually present in the chunks.

import argparse
from collections import OrderedDict

import Evtx.Evtx as evtx


def open_evtx(input_file):
    """Opens a Windows Event Log and displays common log parameters.

    Arguments:
        input_file (str): Path to evtx file to open
    """

    with evtx.Evtx(input_file) as open_log:
        header = open_log.get_file_header()
        # Map FileHeader accessor names to human-readable labels. Each
        # accessor is a method on the header object, so it is called below.
        properties = OrderedDict([
            ('major_version', 'File version (major)'),
            ('minor_version', 'File version (minor)'),
            ('is_dirty', 'File is dirty'),
            ('is_full', 'File is full'),
            ('next_record_number', 'Next record number')
        ])

        for key, value in properties.items():
            print(f"{value}: {getattr(header, key)()}")


if __name__ == '__main__':
    parser = argparse.ArgumentParser(
        description='Open an EVTX file and print details from its file header')
    parser.add_argument('evtx_file', help='Path to the EVTX file to open')
    args = parser.parse_args()
    open_evtx(args.evtx_file)
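Added example, not part of the original recipe and not python-evtx's own code: the same header fields read with only the standard library, by unpacking the fixed 128-byte EVTX file header directly. Beyond what the recipe prints, it verifies the ElfFile signature and the CRC32 the header stores over its first 120 bytes, the same check python-evtx performs in FileHeader.verify(), so a truncated or tampered header is flagged rather than silently parsed. The field offsets follow the layout python-evtx uses for its FileHeader; the sample header is constructed inline so the script runs without a real log, and the function names (parse_evtx_header, build_sample_header, read_evtx_header, describe) are choices made for this example.

```python
"""Stdlib-only parser for the fixed EVTX file header (added example)."""
import binascii
import struct
import sys
from collections import OrderedDict

EVTX_MAGIC = b"ElfFile\x00"
HEADER_SIZE = 128          # size of the fixed header structure
HEADER_CHUNK_SIZE = 4096   # the header occupies the first 4 KiB of the file
CHECKSUM_SPAN = 120        # the stored CRC32 covers bytes 0..119 only
FLAG_DIRTY = 0x1           # log was not cleanly closed; header may be stale
FLAG_FULL = 0x2            # log has reached its maximum size

# Little-endian layout, offsets as in python-evtx's FileHeader:
#   0 magic, 8 oldest chunk, 16 current chunk, 24 next record number,
#  32 header size, 36 minor version, 38 major version, 40 header chunk size,
#  42 chunk count, 44 unused (76 bytes), 120 flags, 124 CRC32
HEADER_STRUCT = struct.Struct("<8sQQQIHHHH76sII")


def parse_evtx_header(data):
    """Parse the fixed header from the leading bytes of an EVTX file.

    Returns an OrderedDict of header fields plus 'is_dirty' and 'is_full'
    (decoded from the flags) and 'checksum_ok' (stored CRC32 matches the
    CRC32 of the first 120 bytes). Raises ValueError on short input or a
    missing EVTX signature.
    """
    if len(data) < HEADER_SIZE:
        raise ValueError("need at least %d header bytes, got %d" % (HEADER_SIZE, len(data)))
    (magic, oldest_chunk, current_chunk, next_record, header_size,
     minor, major, header_chunk_size, chunk_count, _unused,
     flags, stored_crc) = HEADER_STRUCT.unpack_from(data, 0)
    if magic != EVTX_MAGIC:
        raise ValueError("not an EVTX file: signature %r" % magic)
    # The flags field at offset 120 is deliberately outside the checksummed span.
    computed_crc = binascii.crc32(data[:CHECKSUM_SPAN]) & 0xFFFFFFFF
    return OrderedDict([
        ("major_version", major),
        ("minor_version", minor),
        ("header_size", header_size),
        ("header_chunk_size", header_chunk_size),
        ("oldest_chunk", oldest_chunk),
        ("current_chunk_number", current_chunk),
        ("chunk_count", chunk_count),
        ("next_record_number", next_record),
        ("is_dirty", bool(flags & FLAG_DIRTY)),
        ("is_full", bool(flags & FLAG_FULL)),
        ("checksum_ok", stored_crc == computed_crc),
    ])


def read_evtx_header(path):
    """Read and parse the header of an EVTX file on disk."""
    with open(path, "rb") as fh:
        return parse_evtx_header(fh.read(HEADER_CHUNK_SIZE))


def build_sample_header(next_record=1203, chunk_count=4, flags=0, corrupt_crc=False):
    """Build a constructed (synthetic) 4 KiB EVTX header for offline use.

    Version 3.1, a 128-byte header and 4096-byte chunks match what a modern
    Windows log carries; the record and chunk numbers are made up.
    """
    fixed = struct.pack("<8sQQQIHHHH76s", EVTX_MAGIC, 0, max(chunk_count - 1, 0),
                        next_record, HEADER_SIZE, 1, 3, HEADER_CHUNK_SIZE,
                        chunk_count, b"\x00" * 76)
    crc = binascii.crc32(fixed) & 0xFFFFFFFF
    if corrupt_crc:
        crc ^= 0xFFFFFFFF  # simulate a tampered or truncated header
    return (fixed + struct.pack("<II", flags, crc)).ljust(HEADER_CHUNK_SIZE, b"\x00")


def describe(header):
    """Render the parsed header as 'field: value' lines, flagging problems."""
    lines = ["%s: %s" % (key, value) for key, value in header.items()]
    if not header["checksum_ok"]:
        lines.append("WARNING: header checksum mismatch; do not trust the fields above")
    if header["is_dirty"]:
        lines.append("NOTE: dirty flag set; next_record_number may lag the chunks")
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        header = read_evtx_header(sys.argv[1])   # inspect a real file
    else:
        header = parse_evtx_header(build_sample_header(flags=FLAG_DIRTY))
    print(describe(header))
```

Run it with a path to inspect a real log, or with no arguments to see the constructed dirty sample. Because the flags word sits outside the checksummed span, a dirty log still has a valid checksum; only changes to the first 120 bytes (signature, versions, chunk and record counters) trip the CRC, so treat the two checks as answering different questions.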

Docstring References

open_evtx(input_file)

Opens a Windows Event Log and displays common log parameters.

Parameters

input_file (str) – Path to evtx file to open
