LogViewPlus Support

EVTX Windows Event Logs

https://www.logviewplus.com/forum/Topic1951.aspx

By TimHum - 9 Dec 2023

Perhaps I'm missing it, but when I open EVTX logs, I don't seem to be able to find important information such as the EventID.

We'd like to use LogViewPlus to review Windows Event Logs, but we must have access to things like the Event ID.  Here is an example (with a few system names redacted).

It seems that the items in the System section that I changed to red are only partially visible in LogViewPlus. Missing are EventID, Task, EventRecordID, etc.

Windows Event Viewer

- System
  - Provider
    [ Name]  Microsoft-Windows-Security-Auditing
    [ Guid]  {54849625-5478-4994-a5ba-3e3b0328c30d}
  EventID        4627
  Version        0
  Level          0
  Task           12554
  Opcode         0
  Keywords       0x8020000000000000
  - TimeCreated
    [ SystemTime]  2023-07-27T08:57:11.7157887Z
  EventRecordID  1258569507
  Correlation
  - Execution
    [ ProcessID]  796
    [ ThreadID]   4624
  Channel        Security
  Computer       <REDACTED>
  Security

- EventData
  SubjectUserSid     S-1-0-0
  SubjectUserName    -
  SubjectDomainName  -
  SubjectLogonId     0x0
  TargetUserSid      S-1-5-21-88556453-236079572-1039276024-9947
  TargetUserName     LUS14$
  TargetDomainName   <REDACTED>
  TargetLogonId      0x185ebff4
  LogonType          3
  EventIdx           1
  EventCountTotal    1
  GroupMembership    %{S-1-5-21-88556453-236079572-1039276024-515} %{S-1-1-0} %{S-1-5-32-554} %{S-1-5-2} %{S-1-5-11} %{S-1-5-15} %{S-1-18-1} %{S-1-5-21-88556453-236079572-1039276024-8380} %{S-1-16-8448}


Here it is within LogViewPlus

2023-07-27T04:57:11 Information [<Redacted>Security.Microsoft-Windows-Security-Auditing] Group membership information.

Subject:
    Security ID:        S-1-0-0
    Account Name:        -
    Account Domain:        -
    Logon ID:        0x0

Logon Type:            3

New Logon:
    Security ID:        S-1-5-21-88556453-236079572-1039276024-9947
    Account Name:        LUS14$
    Account Domain:       <REDACTED>
    Logon ID:        0x185EBFF4

Event in sequence:        1 of 1

Group Membership:            
        %{S-1-5-21-88556453-236079572-1039276024-515}
        %{S-1-1-0}
        %{S-1-5-32-554}
        %{S-1-5-2}
        %{S-1-5-11}
        %{S-1-5-15}
        %{S-1-18-1}
        %{S-1-5-21-88556453-236079572-1039276024-8380}
        %{S-1-16-8448}


By LogViewPlus Support - 9 Dec 2023

Hi Tim,

That is an excellent point.  Thanks for highlighting this.  You are absolutely right that this information needs to be available as separate columns within LogViewPlus.  This is not currently available and frankly I am not sure why - they should be there.

We have a new release of LogViewPlus coming out in the next few days.  Once this release is complete, we will be giving Windows Event Logs a lot more attention.  We think being able to analyse Windows Event Logs with the LogViewPlus SQL engine will be really powerful.  We want to include prebuilt dashboards similar to our current Web Log and Java GC solutions (currently in BETA).  A key step in that process will be adding some of the fields you highlighted above.

This Windows Event Log release should be out in January.  If you have any suggestions or ideas for what you would like to see when you open a Windows Event Log, please do let us know.

Thanks again,

Toby

By TimHum - 9 Dec 2023

Okay, thanks! And at least I'm not crazy.  I did try to read the manual and look through this support forum before making my claim.  I'm glad you confirmed I didn't miss anything obvious.

Honestly, I don't yet have any suggestions other than just making all the event log data fields available to us :)

We're just now expanding our use of LogView beyond the primarily basic Syslogs and MTA Spam filter logs.  We're now expanding our templates and parsers as we implement larger scale use across our team and applications.

I had never used the EVTX portion of LogView until a few weeks ago, when we had to go through 6 months of Windows Security Audit logs due to a rogue Active Directory Administrator.  Even with the missing EventID, LogView saved us a ton of time.  It made short work of searching the millions of event log records so we could prove to management what this Admin did.  Thank you.

By LogViewPlus Support - 9 Dec 2023

> It made short work of searching the millions of event log records

Awesome!  Glad to hear you are finding LogViewPlus helpful.  :)

I will keep you posted about the next BETA release.  I think there is a lot more that we could be doing to make Windows Event logs easier to understand.