Perhaps I'm missing it, but when I open EVTX logs, I don't seem to be able to find important information such as the EventID

We'd like to use LogViewPlus to review Windows Event Logs but we must have access to things like the Event ID.  Here is an example with a few system names redacted)

It seems that items in the System section that I changed to red are only partially visible in LogView Plus. Missing are EventID, Task, EventRecordID etc.

Windows Event Viewer
- System

- Provider

 [ Name] Microsoft-Windows-Security-Auditing
 [ Guid] {54849625-5478-4994-a5ba-3e3b0328c30d}

 EventID 4627

 Version 0

 Level 0

 Task 12554

 Opcode 0

 Keywords 0x8020000000000000

- TimeCreated

 [ SystemTime] 2023-07-27T08:57:11.7157887Z

 EventRecordID 1258569507

 Correlation

- Execution

 [ ProcessID] 796
 [ ThreadID] 4624

 Channel Security

 Computer <REDACTED>

 Security


- EventData

SubjectUserSid S-1-0-0
SubjectUserName -
SubjectDomainName -
SubjectLogonId 0x0
TargetUserSid S-1-5-21-88556453-236079572-1039276024-9947
TargetUserName LUS14$
TargetDomainName <REDACTED>
TargetLogonId 0x185ebff4
LogonType 3
EventIdx 1
EventCountTotal 1
GroupMembership %{S-1-5-21-88556453-236079572-1039276024-515} %{S-1-1-0} %{S-1-5-32-554} %{S-1-5-2} %{S-1-5-11} %{S-1-5-15} %{S-1-18-1} %{S-1-5-21-88556453-236079572-1039276024-8380} %{S-1-16-8448}


Here it is within LogViewPlus

2023-07-27T04:57:11 Information [<Redacted>Security.Microsoft-Windows-Security-Auditing] Group membership information.

Subject:
    Security ID:        S-1-0-0
    Account Name:        -
    Account Domain:        -
    Logon ID:        0x0

Logon Type:            3

New Logon:
    Security ID:        S-1-5-21-88556453-236079572-1039276024-9947
    Account Name:        LUS14$
    Account Domain:       <REDACTED>
    Logon ID:        0x185EBFF4

Event in sequence:        1 of 1

Group Membership:            
        %{S-1-5-21-88556453-236079572-1039276024-515}
        %{S-1-1-0}
        %{S-1-5-32-554}
        %{S-1-5-2}
        %{S-1-5-11}
        %{S-1-5-15}
        %{S-1-18-1}
        %{S-1-5-21-88556453-236079572-1039276024-8380}
        %{S-1-16-8448}

Hi Tim,

That is an excellent point.  Thanks for highlighting this.  You are absolutely right that this information needs to be available as separate columns within LogViewPlus.  This is not currently available and frankly I am not sure why - they should be there.

We have a new release of LogViewPlus coming out in the next few days.  Once this release is complete, we will be giving Windows Event Logs a lot more attention.  We think being able to analyse Windows Event Logs with the LogViewPlus SQL engine will be really powerful.  We want to include prebuilt dashboards similar to our current Web Log and Java GC solutions (currently in BETA).  A key step in that process will be adding some of the fields you highlighted above.

This Windows Event Log release should be out in January.  If you have any suggests or ideas for what you would like to see when you open a Windows Event Log, please do let us know.

Thanks again,

Toby

Okay, thanks! And at least I'm not crazy.  I did try to read the manual and look through this support forum before making my claim.  I'm glad you confirmed I didn't miss anything obvious.

Honestly I don't yet have any suggestions other than the just making all the eventlog data fields available to us

We're just now expanding our use of LogView beyond the primarily basic Syslogs and MTA Spam filter logs.  We're now expanding our templates and parsers as we implement larger scale use across our team and applications.

I had never used the EVTX portion of LogView until a few weeks ago where we had to go through 6 months of Windows Security Audit logs due to a rogue Active Directory Administrator.  Even with the missing EventID, LogView saved us a ton of time.  It made short work of searching the millions of event log records so we could prove to management what this Admin did.  Thank you

> It made short work of searching the millions of event log records

Awesome!  Glad to hear you are finding LogViewPlus helpful.   

I will keep you posted about the next BETA release.  I think there is a lot more that we could be doing to make Windows Event logs easier to understand.