Convert Windows Event Log files to plain text
For a recent project I had to convert Windows Event Log files from a Windows machine to a plain text file. To accomplish this I used the EvtxParser tools from Andreas Schuster.
It is a set of Perl scripts that you run against the Event Log (.evtx) files.
Install EvtxParser
EvtxParser is written in Perl, so you need a Perl interpreter. On Ubuntu you also need the extra packages libdatetime-perl and libcarp-assert-perl:
sudo apt-get install libdatetime-perl libcarp-assert-perl
You also need two extra CPAN modules. Start the CPAN shell and run the two install commands at its prompt:
perl -MCPAN -e shell
install Digest::CRC
install Data::Hexify
Download EvtxParser:
wget http://computer.forensikblog.de/files/evtx/EvtxParser-current.zip
unzip EvtxParser-current.zip
The archive unpacks into a directory Parse-Evtx-x.x.x (1.1.1 at the time of writing). The next step is to build and install the module:
cd Parse-Evtx-1.1.1
perl Makefile.PL
make
sudo make install
On this machine, all custom-installed Perl modules live in one dedicated location, so running EvtxParser failed with an error:
Can't locate Parse/Evtx.pm in @INC (you may need to install the Parse::Evtx module) (@INC contains: /etc/perl /usr/local/lib/perl/5.18.2 /usr/local/share/perl/5.18.2 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.18 /usr/share/perl/5.18 /usr/local/lib/site_perl .) at ./evtxdump.pl line 51.
To solve this I set PERL5LIB to that location. Perl prepends the directories listed in PERL5LIB to @INC, so the Parse::Evtx module is found. Note that export only affects the current shell; add the line to your shell profile if you want it to persist.
export PERL5LIB=/usr/local/perl5sources/lib/perl5/
EvtxParser components
EvtxParser consists of three tools:
- evtxdump.pl : transform an event log file into textual XML
- evtxinfo.pl : determines information about a Windows XML EventViewer Log
- evtxtemplates.pl : display the XML templates that are defined in a log file
Where do you find the Windows Event Log files?
The Event Log files are located in a directory
C:\Windows\System32\winevt\Logs
and they contain files like Application.evtx, Microsoft-Windows-Dhcp-Client%4Admin.evtx, Microsoft-Windows-UAC%4Operational.evtx, …
Either mount the Windows partition on the Linux host running EvtxParser, or copy the files over manually. On a running Windows system these files are in use by the Event Log service, so take them from an offline image or the mounted partition, or export a consistent copy with wevtutil epl, rather than copying files a service is still writing to.
EvtxParser output
The output of running evtxdump.pl against the System log looks like this. Each record is an Event element; the EventData/Data element lists the event's substitution strings indexed [0], [1], ... . The human-readable message text is not in the .evtx file (it lives in the provider's message resources on the Windows system), so the dump cannot render it.
./evtxdump.pl /var/www/WinLogs/Logs/System.evtx | head -n 40
<?xml version="1.0" encoding="utf-8" standalone="yes" ?>
<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="EventLog" />
    <EventID Qualifiers="32768">6011</EventID>
    <Level>4</Level>
    <Task>0</Task>
    <Keywords>0x0080000000000000</Keywords>
    <TimeCreated SystemTime="2014-02-24T20:58:02.0Z" />
    <EventRecordID>1</EventRecordID>
    <Channel>System</Channel>
    <Computer>37L4247F27-25</Computer>
    <Security />
  </System>
  <EventData>
    <Data>[0] 37L4247F27-25 [1] WIN-N4F92N5R9U7</Data>
    <Binary></Binary>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="EventLog" />
    <EventID Qualifiers="32768">6009</EventID>
    <Level>4</Level>
    <Task>0</Task>
    <Keywords>0x0080000000000000</Keywords>
    <TimeCreated SystemTime="2014-02-24T20:58:02.0Z" />
    <EventRecordID>2</EventRecordID>
    <Channel>System</Channel>
    <Computer>37L4247F27-25</Computer>
    <Security />
  </System>
  <EventData>
    <Data>[0] 6.01. [1] 7601 [2] Service Pack 1 [3] Multiprocessor Free [4] 17514</Data>
    <Binary></Binary>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="EventLog" />
...
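The XML above is still one big document rather than the plain text the title promises. The script below is an added example for this post, not part of EvtxParser: it reads the evtxdump.pl output, flattens every Event into one tab-separated line (time, record ID, channel, computer, provider, event ID, level, data), and warns when EventRecordID values jump, since record IDs in a single channel normally increase by one per record. The embedded sample input is constructed from the two records shown above plus a third, invented record (EventRecordID 4) so the gap check has something to report; the pipeline in the docstring and the script name are assumptions.

```python
#!/usr/bin/env python3
"""Flatten evtxdump.pl XML into one tab-separated text line per event.

Added example; not part of Andreas Schuster's EvtxParser. Assumed pipeline:
    ./evtxdump.pl System.evtx | python3 evtx_xml_to_text.py > System.txt
"""
import sys
import xml.etree.ElementTree as ET

# Every <Event> carries the Windows event schema namespace; the <Events> root does not.
NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Standard Windows event level values.
LEVELS = {"0": "LogAlways", "1": "Critical", "2": "Error", "3": "Warning",
          "4": "Information", "5": "Verbose"}

# Constructed sample input: the first two records of the System.evtx dump shown in
# the post, plus a third record (EventRecordID 4) invented here to exercise the gap check.
SAMPLE_XML = """<?xml version="1.0" encoding="utf-8" standalone="yes" ?>
<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="EventLog" /><EventID Qualifiers="32768">6011</EventID>
<Level>4</Level><Task>0</Task><Keywords>0x0080000000000000</Keywords>
<TimeCreated SystemTime="2014-02-24T20:58:02.0Z" /><EventRecordID>1</EventRecordID>
<Channel>System</Channel><Computer>37L4247F27-25</Computer><Security /></System>
<EventData><Data>[0] 37L4247F27-25 [1] WIN-N4F92N5R9U7</Data><Binary></Binary></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="EventLog" /><EventID Qualifiers="32768">6009</EventID>
<Level>4</Level><Task>0</Task><Keywords>0x0080000000000000</Keywords>
<TimeCreated SystemTime="2014-02-24T20:58:02.0Z" /><EventRecordID>2</EventRecordID>
<Channel>System</Channel><Computer>37L4247F27-25</Computer><Security /></System>
<EventData><Data>[0] 6.01. [1] 7601 [2] Service Pack 1 [3] Multiprocessor Free [4] 17514</Data>
<Binary></Binary></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Service Control Manager" /><EventID>7036</EventID>
<Level>4</Level><Task>0</Task><Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2014-02-24T20:58:05.0Z" /><EventRecordID>4</EventRecordID>
<Channel>System</Channel><Computer>37L4247F27-25</Computer><Security /></System>
<EventData><Data>[0] Windows Event Log [1] running</Data><Binary></Binary></EventData>
</Event>
</Events>
"""


def _child_text(parent, tag):
    """Text of a namespaced child element, or "" when it is absent or empty."""
    node = parent.find(NS + tag)
    return (node.text or "").strip() if node is not None else ""


def parse_events(xml_text):
    """Return one dict per <Event> with the fields a text export should keep."""
    events = []
    for ev in ET.fromstring(xml_text).iter(NS + "Event"):
        system = ev.find(NS + "System")
        if system is None:
            continue  # skip a record without a <System> block instead of aborting the dump
        provider = system.find(NS + "Provider")
        created = system.find(NS + "TimeCreated")
        level = _child_text(system, "Level")
        # Collect every <Data> item under the event (EventData or UserData), dropping empty ones.
        data = [d.text.strip() for d in ev.iter(NS + "Data") if d.text and d.text.strip()]
        events.append({
            "time": created.get("SystemTime", "") if created is not None else "",
            "record": _child_text(system, "EventRecordID"),
            "channel": _child_text(system, "Channel"),
            "computer": _child_text(system, "Computer"),
            "provider": provider.get("Name", "") if provider is not None else "",
            "event_id": _child_text(system, "EventID"),
            "level": LEVELS.get(level, level),
            "data": " | ".join(data),
        })
    return events


def to_text_lines(events):
    """Render events as tab-separated lines; tabs and newlines inside values are
    replaced with spaces so that one line is always exactly one event."""
    fields = ("time", "record", "channel", "computer", "provider", "event_id", "level", "data")
    return ["\t".join(e[f].replace("\t", " ").replace("\n", " ") for f in fields)
            for e in events]


def record_id_gaps(events):
    """EventRecordIDs within one channel increase by one per record; return every
    (previous, next) pair where that does not hold, as something worth a second look."""
    ids = [int(e["record"]) for e in events if e["record"].isdigit()]
    return [(a, b) for a, b in zip(ids, ids[1:]) if b != a + 1]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        xml_text = open(sys.argv[1], encoding="utf-8").read()
    elif not sys.stdin.isatty():
        xml_text = sys.stdin.read()
    else:
        xml_text = SAMPLE_XML  # no input given: demonstrate on the embedded sample
    evs = parse_events(xml_text)
    sys.stdout.write("\n".join(to_text_lines(evs)) + "\n")
    for a, b in record_id_gaps(evs):
        sys.stderr.write(f"warning: EventRecordID jumps from {a} to {b}\n")
```

Run it without arguments to see the embedded sample converted, or pipe the full evtxdump.pl output into it and redirect stdout to a file. Gap warnings go to stderr so they never mix with the text export.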
Is there any way to use this without a Linux distribution?
Regards,
Christian
There is a Perl version for Windows but I did not try EvtxParser with it.