LogViewPlus Support » LogViewPlus Support » Help & Support » EVTX Windows Event Logs

EVTX Windows Event Logs

TimHum — Sat, 09 Dec 2023 17:52:00 GMT

Perhaps I'm missing it, but when I open EVTX logs, I don't seem to be able to find important information such as the EventID

We'd like to use LogViewPlus to review Windows Event Logs but we must have access to things like the Event ID. Here is an example with a few system names redacted)

It seems that items in the System section that I changed to red are only partially visible in LogView Plus. Missing are EventID, Task, EventRecordID etc.

Windows Event Viewer
- System

- Provider

[ Name] Microsoft-Windows-Security-Auditing
[ Guid] {54849625-5478-4994-a5ba-3e3b0328c30d}

EventID 4627

Version 0

Level 0

Task 12554

Opcode 0

Keywords 0x8020000000000000

- TimeCreated

[ SystemTime] 2023-07-27T08:57:11.7157887Z

EventRecordID 1258569507

Correlation

- Execution

[ ProcessID] 796
[ ThreadID] 4624

Channel Security

Computer <REDACTED>

Security

- EventData

SubjectUserSid S-1-0-0
SubjectUserName -
SubjectDomainName -
SubjectLogonId 0x0
TargetUserSid S-1-5-21-88556453-236079572-1039276024-9947
TargetUserName LUS14$
TargetDomainName <REDACTED>
TargetLogonId 0x185ebff4
LogonType 3
EventIdx 1
EventCountTotal 1
GroupMembership %{S-1-5-21-88556453-236079572-1039276024-515} %{S-1-1-0} %{S-1-5-32-554} %{S-1-5-2} %{S-1-5-11} %{S-1-5-15} %{S-1-18-1} %{S-1-5-21-88556453-236079572-1039276024-8380} %{S-1-16-8448}

Here it is within LogViewPlus

2023-07-27T04:57:11 Information [<Redacted>Security.Microsoft-Windows-Security-Auditing] Group membership information.

Subject:
    Security ID:        S-1-0-0
    Account Name:        -
    Account Domain:        -
    Logon ID:        0x0

Logon Type:            3

New Logon:
    Security ID:        S-1-5-21-88556453-236079572-1039276024-9947
    Account Name:        LUS14$
    Account Domain:       <REDACTED>
    Logon ID:        0x185EBFF4

Event in sequence:        1 of 1

Group Membership:
        %{S-1-5-21-88556453-236079572-1039276024-515}
        %{S-1-1-0}
        %{S-1-5-32-554}
        %{S-1-5-2}
        %{S-1-5-11}
        %{S-1-5-15}
        %{S-1-18-1}
        %{S-1-5-21-88556453-236079572-1039276024-8380}
        %{S-1-16-8448}

RE: EVTX Windows Event Logs

LogViewPlus Support — Sat, 09 Dec 2023 17:52:00 GMT

> It made short work of searching the millions of event log records

Awesome! Glad to hear you are finding LogViewPlus helpful. :)

I will keep you posted about the next BETA release. I think there is a lot more that we could be doing to make Windows Event logs easier to understand.

RE: EVTX Windows Event Logs

TimHum — Sat, 09 Dec 2023 16:03:29 GMT

Okay, thanks! And at least I'm not crazy. I did try to read the manual and look through this support forum before making my claim. I'm glad you confirmed I didn't miss anything obvious.

Honestly I don't yet have any suggestions other than the just making all the eventlog data fields available to us :)

We're just now expanding our use of LogView beyond the primarily basic Syslogs and MTA Spam filter logs. We're now expanding our templates and parsers as we implement larger scale use across our team and applications.

I had never used the EVTX portion of LogView until a few weeks ago where we had to go through 6 months of Windows Security Audit logs due to a rogue Active Directory Administrator. Even with the missing EventID, LogView saved us a ton of time. It made short work of searching the millions of event log records so we could prove to management what this Admin did. Thank you

RE: EVTX Windows Event Logs

LogViewPlus Support — Sat, 09 Dec 2023 11:14:38 GMT

Hi Tim,

That is an excellent point. Thanks for highlighting this. You are absolutely right that this information needs to be available as separate columns within LogViewPlus. This is not currently available and frankly I am not sure why - they should be there.

We have a new release of LogViewPlus coming out in the next few days. Once this release is complete, we will be giving Windows Event Logs a lot more attention. We think being able to analyse Windows Event Logs with the LogViewPlus SQL engine will be really powerful. We want to include prebuilt dashboards similar to our current Web Log and Java GC solutions (currently in BETA). A key step in that process will be adding some of the fields you highlighted above.

This Windows Event Log release should be out in January. If you have any suggests or ideas for what you would like to see when you open a Windows Event Log, please do let us know.

Thanks again,

Toby