EVTX Windows Event Logs


TimHum
New Member (43 reputation)
Group: Forum Members
Posts: 5, Visits: 14
Perhaps I'm missing it, but when I open EVTX logs, I don't seem to be able to find important information such as the EventID.

We'd like to use LogViewPlus to review Windows Event Logs but we must have access to things like the Event ID. Here is an example (with a few system names redacted).

It seems that items in the System section that I changed to red are only partially visible in LogViewPlus. Missing are EventID, Task, EventRecordID etc.

Windows Event Viewer
- System
  - Provider
      [ Name] Microsoft-Windows-Security-Auditing
      [ Guid] {54849625-5478-4994-a5ba-3e3b0328c30d}
    EventID 4627
    Version 0
    Level 0
    Task 12554
    Opcode 0
    Keywords 0x8020000000000000
  - TimeCreated
      [ SystemTime] 2023-07-27T08:57:11.7157887Z
    EventRecordID 1258569507
    Correlation
  - Execution
      [ ProcessID] 796
      [ ThreadID] 4624
    Channel Security
    Computer <REDACTED>
    Security

- EventData
    SubjectUserSid S-1-0-0
    SubjectUserName -
    SubjectDomainName -
    SubjectLogonId 0x0
    TargetUserSid S-1-5-21-88556453-236079572-1039276024-9947
    TargetUserName LUS14$
    TargetDomainName <REDACTED>
    TargetLogonId 0x185ebff4
    LogonType 3
    EventIdx 1
    EventCountTotal 1
    GroupMembership %{S-1-5-21-88556453-236079572-1039276024-515} %{S-1-1-0} %{S-1-5-32-554} %{S-1-5-2} %{S-1-5-11} %{S-1-5-15} %{S-1-18-1} %{S-1-5-21-88556453-236079572-1039276024-8380} %{S-1-16-8448}


Here it is within LogViewPlus

2023-07-27T04:57:11 Information [<Redacted>Security.Microsoft-Windows-Security-Auditing] Group membership information.

Subject:
    Security ID:        S-1-0-0
    Account Name:        -
    Account Domain:        -
    Logon ID:        0x0

Logon Type:            3

New Logon:
    Security ID:        S-1-5-21-88556453-236079572-1039276024-9947
    Account Name:        LUS14$
    Account Domain:       <REDACTED>
    Logon ID:        0x185EBFF4

Event in sequence:        1 of 1

Group Membership:            
        %{S-1-5-21-88556453-236079572-1039276024-515}
        %{S-1-1-0}
        %{S-1-5-32-554}
        %{S-1-5-2}
        %{S-1-5-11}
        %{S-1-5-15}
        %{S-1-18-1}
        %{S-1-5-21-88556453-236079572-1039276024-8380}
        %{S-1-16-8448}


