2.16. Event Log

Some parts of the Event Log WINAPI are not straightforward.

I have tried to offer some abstraction without completely hiding the underlying subtleties (for now).

The current API may need some work to provide a simpler, higher-level API in the future.

The EvtlogManager instance is accessible via windows.system.event_log.

For now, the best thing to do is to look at the sample:

Note

See sample Event Log

2.16.1. EvtlogManager

class windows.winobject.event_log.EvtlogManager[source]

The main Evt class, used to open Evt channels/publishers and evtx files

__getitem__(name)[source]

Open the Evt channel, publisher or Evtx file named name

Return type:

EvtChannel or EvtPublisher or EvtFile

is_implemented()[source]

Return True if the new Evt-API is implemented on the current computer

see: https://msdn.microsoft.com/en-us/library/windows/desktop/aa385784(v=vs.85).aspx

open_channel(name)[source]

Open the Evt channel named name

Return type:

EvtChannel

open_evtx_file(filename)[source]

Open the evtx file at path filename

Return type:

EvtFile

open_publisher(name)[source]

Open the Evt publisher named name

Return type:

EvtPublisher

2.16.2. Channel

2.16.2.1. EvtChannel

class windows.winobject.event_log.EvtChannel(name)[source]

An Event Log channel

property config

The configuration of the channel

Type:

ChannelConfig

property events

The list of all events in the channel; an alias for channel.query().all()

Type:

[EvtEvent] – A list of EvtEvent

get_event_metadata(id)[source]

Return the metadata for the event ID id

Return type:

EventMetadata

query(filter=None, ids=None, timeout=None)[source]

Query the events with the given ids, or perform a query with the raw XPath query filter.

Both parameters are mutually exclusive.

Note

Here are some query examples:

List all events with an event data attribute named ‘RuleName’:

Event/EventData/Data[@Name='RuleName']

List all events with an event data value of ‘C:\WINDOWS\System32\svchost.exe’:

Event/EventData[Data='C:\WINDOWS\System32\svchost.exe']

List all events with an EventID of 2006:

Event/System[EventID=2006]

List all events with a given EventID while searching for a specific field value (Sysmon events are used for this test):

Event/System[EventID=3] and Event/EventData/Data[@Name='DestinationIp'] and Event/EventData[Data='10.0.0.2']

List all events with a given provider of Microsoft-Windows-TaskScheduler:

Event/System/Provider[@Name='Microsoft-Windows-TaskScheduler']

Return type:

EvtQuery
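As an added example (not part of the PythonForWindows docs or code), a small helper that builds filter strings of the shape shown above, ready to be passed as EvtChannel.query(filter=...). Unlike the page's combined Sysmon query, where the @Name predicate and the value predicate are evaluated independently and may match two different Data elements, the helper binds the name and the value to the same element. The channel name in the __main__ block is assumed.

```python
# Added example: compose Event Log XPath filters for EvtChannel.query(filter=...)
from typing import Dict, List, Optional


def _xpath_literal(value: str) -> str:
    """Quote a string for XPath 1.0, which has no escape character:
    use the quote kind that does not occur in the value."""
    if "'" not in value:
        return "'" + value + "'"
    if '"' not in value:
        return '"' + value + '"'
    raise ValueError("value mixes single and double quotes: " + value)


def build_filter(event_id: Optional[int] = None,
                 provider: Optional[str] = None,
                 data: Optional[Dict[str, str]] = None) -> str:
    """Return an 'and'-joined filter in the page's Event/... style."""
    parts: List[str] = []
    if event_id is not None:
        parts.append("Event/System[EventID=%d]" % int(event_id))
    if provider is not None:
        parts.append("Event/System/Provider[@Name=%s]" % _xpath_literal(provider))
    for name, value in sorted((data or {}).items()):
        # Data[@Name=...]=... keeps name and value on the same <Data> element;
        # "Data[@Name='X'] and EventData[Data='Y']" would accept any pair.
        parts.append("Event/EventData[Data[@Name=%s]=%s]"
                     % (_xpath_literal(name), _xpath_literal(value)))
    if not parts:
        raise ValueError("at least one condition is required")
    return " and ".join(parts)


def sysmon_network_to(ip: str) -> str:
    """Sysmon EventID 3 (network connection) towards a given destination IP."""
    return build_filter(event_id=3, data={"DestinationIp": ip})


if __name__ == "__main__":
    # Only runs on Windows with PythonForWindows installed; the Sysmon channel
    # name is assumed and reading it usually needs an elevated process.
    import windows
    chan = windows.system.event_log["Microsoft-Windows-Sysmon/Operational"]
    for evt in chan.query(filter=sysmon_network_to("10.0.0.2")).all():
        print(evt.id, evt.time_created, evt.data.get("Image"))
```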

2.16.2.2. ChannelConfig

class windows.winobject.event_log.ChannelConfig(handle, name=None)[source]

The configuration of an event channel

property classic

True if the channel is a classic event channel (for example the Application or System log)

classmethod from_channel_name(name)[source]

Return the ChannelConfig for the channel name

from_param()

Convert a Python object into a function call parameter.

property publisher

The EvtPublisher for the channel

publishers()[source]

The list of publishers publishing on the channel. Seems pertinent for legacy channels like “System”.

Type:

[EvtPublisher] - A list of EvtPublisher

value

current value

2.16.3. Publisher

2.16.3.1. EvtPublisher

class windows.winobject.event_log.EvtPublisher(name)[source]

An Event provider

property metadata

Return the metadata for this publisher

Type:

PublisherMetadata

2.16.3.2. PublisherMetadata

class windows.winobject.event_log.PublisherMetadata(handle, name=None)[source]

The metadata about an event provider

property channel_name_by_id

The dict of channels defined by this provider, keyed by their id

Type:

dict

property channels

The list of EvtChannel defined by this provider

Type:

[EvtChannel] – A list of EvtChannel

property channels_metadata

The PublisherMetadataChannel for each channel this provider defines

Yield:

PublisherMetadataChannel

property chanrefs

Identifies the channels child element of the provider.

Type:

PropertyArray

property events_metadata

The EventMetadata for each event this provider defines

Yield:

EventMetadata

from_param()

Convert a Python object into a function call parameter.

classmethod from_publisher_name(name)[source]

The PublisherMetadata for the publisher name

property guid

The GUID associated with this provider

Type:

[GUID] – the GUID in a XXXXXXXXXX-YYYY-ZZZZ-TTTT-VVVVVVVVVV form

property keywordrefs

The list of keywords defined by this provider

Type:

PropertyArray

property keywords_metadata

The PublisherMetadataKeyword for each keyword this provider defines

Yield:

PublisherMetadataKeyword

property levelrefs

Identifies the levels child element of the provider.

Type:

PropertyArray

property levels_metadata

The PublisherMetadataLevel for each level this provider defines

Yield:

PublisherMetadataLevel

message(msgid)[source]

TODO

property message_filepath
property message_id
property message_parameter_filepath
property message_resource_filepath
property opcoderefs

Identifies the opcodes child element of the provider.

Type:

PropertyArray

property opcodes_metadata

The PublisherMetadataOpcode for each opcode this provider defines

Yield:

PublisherMetadataOpcode

property taskrefs

The list of tasks defined by this provider

Type:

PropertyArray

property tasks_metadata

The PublisherMetadataTask for each task this provider defines

Yield:

PublisherMetadataTask

value

current value

2.16.4. EvtFile

class windows.winobject.event_log.EvtFile(name)[source]

Represents an Evtx file

property config

Not implemented for EvtFile

Raise:

NotImplementedError

property events

The list of all events in the file; an alias for query().all()

Type:

[EvtEvent] – A list of EvtEvent

get_event_metadata(id)

Return the metadata for the event ID id

Return type:

EventMetadata

query(filter=None, ids=None, timeout=None)

Query the events with the given ids, or perform a query with the raw XPath query filter.

Both parameters are mutually exclusive.

Return type:

EvtQuery

2.16.5. Event

2.16.5.1. EvtEvent

class windows.winobject.event_log.EvtEvent(handle=0, channel=None)[source]

An Event Log event

property computer

The computer that generated the event

property data

A dict of EventData Name:Value pairs for the current event.

Type:

dict

property date

Event.time_created as a datetime

event_values()[source]

The values of the event in a list

from_param()

Convert a Python object into a function call parameter.

property id

The ID of the Event

property level

The level of the Event

property metadata

The metadata for the current Event

Type:

EventMetadata

property opcode

The opcode of the Event

property pid

The process ID of the Event

property provider

The provider of the event

property tid

The thread ID of the Event

property time_created

The creation time of the Event

property user

The User ID associated with the Event

value(name, **kwargs)[source]

Retrieve a value from the event. name is an XPath expression that uniquely identifies a node or attribute in the event (see https://msdn.microsoft.com/en-us/library/windows/desktop/aa385352(v=vs.85).aspx).

property version

The version of the Event

2.16.5.2. EventMetadata

class windows.winobject.event_log.EventMetadata[source]

The Metadata about a given Event type

see: https://msdn.microsoft.com/en-us/library/windows/desktop/aa385517(v=vs.85).aspx

property channel_id

The Channel attribute of the Event definition

property event_data

The list of attributes specific to this event, retrieved by parsing EventMetadata.template

from_param()

Convert a Python object into a function call parameter.

property id

The ID of the Event

property keyword

The keyword attribute of the Event definition

property level

The level attribute of the Event definition

property message_id

Identifies the message attribute of the event definition.

property opcode

The opcode attribute of the Event definition

property task

The task attribute of the Event definition

property template

Identifies the template attribute of the event definition, which is an XML string

value

current value

property version

The version of the Event

2.16.5.3. EvtQuery

class windows.winobject.event_log.EvtQuery(handle=0, channel=None, timeout=None)[source]

Represent an Event-log query

all()[source]

Return a list with all the query results

Return type:

[EvtEvent] – A list of Event

first()[source]

Return the first query result

Return type:

EvtEvent – An Event

from_param()

Convert a Python object into a function call parameter.

next()

Return the next EvtEvent matching the query

seek(position, seek_flags=None)[source]

Seek to position. seek_flags can be one of:

  • None

  • EvtSeekRelativeToFirst

  • EvtSeekRelativeToLast

  • EvtSeekRelativeToBookmark

If seek_flags is None:

  • position >= 0 will use EvtSeekRelativeToFirst

  • position < 0 will use EvtSeekRelativeToLast with position+1, which allows retrieving the last abs(position) events

value

current value

2.16.6. TODO

class windows.winobject.event_log.PropertyArray[source]

TODO

from_param()

Convert a Python object into a function call parameter.

value

current value