2.16. Event Log

Some parts of the Event Log WINAPI are not straightforward.

I have tried to offer some abstraction without completely hiding the underlying subtleties (for now).

The current API may need some work to provide a simpler/higher-level API in the future.

The EvtlogManager instance is accessible via windows.system.event_log.

For now, the best thing to do is look at the sample:

Note

See sample Event Log

Warning

This API has not been tested on real cases yet and may be subject to change.

2.16.1. EvtlogManager

class windows.winobject.event_log.EvtlogManager[source]

The main Evt class, used to open Evt channels/publishers and evtx files

__getitem__(name)[source]

Open the Evt Channel/Publisher or Evtx file with name

Return type:EvtChannel or EvtPublisher or EvtFile
is_implemented()[source]

Return True if the new Evt API (wevtapi, available since Windows Vista / Server 2008) is implemented on the current computer

see: https://msdn.microsoft.com/en-us/library/windows/desktop/aa385784(v=vs.85).aspx

open_channel(name)[source]

Open the Evt channel with name

Return type:EvtChannel
open_evtx_file(filename)[source]

Open the evtx file with filename

Return type:EvtFile
open_publisher(name)[source]

Open the Evt publisher with name

Return type:EvtPublisher

2.16.2. Channel

2.16.2.1. EvtChannel

class windows.winobject.event_log.EvtChannel(name)[source]

An Event Log channel

config

The configuration of the channel

Type:ChannelConfig
events

The list of all events in the channel, an alias for channel.query().all()

Type:[EvtEvent] – A list of EvtEvent
get_event_metadata(id)[source]

Return the metadata for the event ID id

Return type:EventMetadata
query(filter=None, ids=None)[source]

Query the events whose EventID is in ids, or perform a query with the raw XPath filter

Both parameters are mutually exclusive.

Note

The filter is interpreted by the Event Log service in its XPath 1.0 subset (the same dialect as the XML filters of Event Viewer). Here are some query examples

List all events with an event data attribute named 'RuleName':
Event/EventData/Data[@Name='RuleName']
List all events with an event data value of 'C:\WINDOWS\System32\svchost.exe':
Event/EventData[Data='C:\WINDOWS\System32\svchost.exe']
List all events with an EventID of 2006:
Event/System[EventID=2006]
List all events with a given EventID while searching for a specific field value (Sysmon for the test here)
Event/System[EventID=3] and Event/EventData/Data[@Name='DestinationIp'] and Event/EventData[Data='10.0.0.2']
Note that the last two predicates are evaluated independently: the event must have a Data element named 'DestinationIp' and some Data element equal to '10.0.0.2', not necessarily the same one. To tie the value to the named field, write Event/EventData/Data[@Name='DestinationIp']='10.0.0.2' instead.
Return type:EvtQuery
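The following is an added example (not code from PythonForWindows) showing how to assemble filter strings for query(filter=...) from structured parameters and run them through windows.system.event_log. The helper names xpath_literal, build_filter and query_events are mine; the Data[@Name='X']='Y' form is the one used by Event Viewer custom XML filters, which I assume the service accepts here as well. Only query_events needs a Windows host; the builder runs anywhere.

```python
# Added example, not part of PythonForWindows: build filter strings for
# EvtChannel.query(filter=...) from structured parameters, then run them
# through windows.system.event_log (the last step is Windows only).


def xpath_literal(value):
    """Quote value as an XPath 1.0 string literal.

    XPath 1.0 has no escape character, so a value holding both quote kinds
    has to be assembled with concat(). Quoting centrally stops a caller-supplied
    value (a path, a user name) from breaking out of the predicate, the XPath
    analogue of parameterising a SQL query.
    """
    value = str(value)
    if "'" not in value:
        return "'%s'" % value
    if '"' not in value:
        return '"%s"' % value
    return "concat(" + ", \"'\", ".join("'%s'" % p for p in value.split("'")) + ")"


def build_filter(event_ids=(), data=None, provider=None):
    """Return an Event Log XPath filter.

    event_ids: EventIDs, OR-ed together inside one Event/System predicate
    data:      {EventData Name: expected value}, each bound to its named field
    provider:  provider name matched on Event/System/Provider/@Name
    All clauses are AND-ed; with no parameters the filter matches everything.
    """
    clauses = []
    if provider:
        clauses.append("Event/System/Provider[@Name=%s]" % xpath_literal(provider))
    ids = sorted(set(int(i) for i in event_ids))
    if ids:
        clauses.append("Event/System[%s]" % " or ".join("EventID=%d" % i for i in ids))
    for name, value in sorted((data or {}).items()):
        # Data[@Name='X']='Y' ties the value to the named field; two separate
        # predicates (as in the page's last example) may match two different
        # Data elements of the same event.
        clauses.append("Event/EventData/Data[@Name=%s]=%s"
                       % (xpath_literal(name), xpath_literal(value)))
    return " and ".join(clauses) if clauses else "*"


def query_events(source_name, **kwargs):
    """Windows only: open a channel (or an .evtx path) via EvtlogManager
    __getitem__ and return the matching EvtEvent list.

    PythonForWindows is imported lazily so the builder above stays usable
    (and testable) on any platform.
    """
    import windows  # PythonForWindows
    source = windows.system.event_log[source_name]  # EvtChannel or EvtFile
    return source.query(filter=build_filter(**kwargs)).all()


if __name__ == "__main__":
    # The page's Sysmon example, with the value bound to the named field.
    print(build_filter(event_ids=[3], data={"DestinationIp": "10.0.0.2"},
                       provider="Microsoft-Windows-Sysmon"))
```

On a Windows host, query_events("Microsoft-Windows-Sysmon/Operational", event_ids=[3], data={"DestinationIp": "10.0.0.2"}) runs the printed filter against the live channel; passing a path to an .evtx file instead of a channel name queries the file through EvtFile.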

2.16.2.2. ChannelConfig

class windows.winobject.event_log.ChannelConfig(handle, name=None)[source]

The configuration of an event channel

classic

True if the channel is a classic event channel (for example the Application or System log)

classmethod from_channel_name(name)[source]

Return the ChannelConfig for the channel name

publisher

The EvtPublisher for the channel

publishers()[source]

TEST

value

current value

2.16.3. Publisher

2.16.3.1. EvtPublisher

class windows.winobject.event_log.EvtPublisher(name)[source]

An Event provider

metadata

Return the metadata for this publisher

Type:PublisherMetadata

2.16.3.2. PublisherMetadata

class windows.winobject.event_log.PublisherMetadata(handle, name=None)[source]

The metadata about an event provider

channel_name_by_id

The dict of channels defined by this provider, keyed by their id

Type:dict
channels

The list of EvtChannel defined by this provider

Type:[EvtChannel] – A list of EvtChannel
channels_metadata

The PublisherMetadataChannel for each channel this provider defines

Yield:PublisherMetadataChannel
chanrefs

Identifies the channels child element of the provider.

Type:PropertyArray
events_metadata

The EventMetadata for each event this provider defines

Yield:EventMetadata
classmethod from_publisher_name(name)[source]

The PublisherMetadata for the publisher name

guid

The GUID associated with this provider

Type:[GUID] – the GUID in XXXXXXXX-YYYY-ZZZZ-TTTT-VVVVVVVVVVVV form
keywordrefs

The list of keywords defined by this provider

Type:PropertyArray
keywords_metadata

The PublisherMetadataKeyword for each keyword this provider defines

Yield:PublisherMetadataKeyword
levelrefs

Identifies the levels child element of the provider.

Type:PropertyArray
levels_metadata

The PublisherMetadataLevel for each level this provider defines

Yield:PublisherMetadataLevel
message(msgid)[source]

TODO

message_filepath
message_id
message_parameter_filepath
message_resource_filepath
opcoderefs

Identifies the opcodes child element of the provider.

Type:PropertyArray
opcodes_metadata

The PublisherMetadataOpcode for each opcode this provider defines

Yield:PublisherMetadataOpcode
taskrefs

The list of tasks defined by this provider

Type:PropertyArray
tasks_metadata

The PublisherMetadataTask for each task this provider defines

Yield:PublisherMetadataTask
value

current value

2.16.4. EvtFile

class windows.winobject.event_log.EvtFile(name)[source]

Represent an Evtx file

config

Not implemented for EvtFile

Raise:NotImplementedError
events

The list of all events in the file, an alias for query().all()

Type:[EvtEvent] – A list of EvtEvent
get_event_metadata(id)

Return the metadata for the event ID id

Return type:EventMetadata
query(filter=None, ids=None)

Query the events whose EventID is in ids, or perform a query with the raw XPath filter

Both parameters are mutually exclusive.

Note

The filter is interpreted in the Event Log XPath 1.0 subset (the same dialect as the XML filters of Event Viewer). Here are some query examples

List all events with an event data attribute named 'RuleName':
Event/EventData/Data[@Name='RuleName']
List all events with an event data value of 'C:\WINDOWS\System32\svchost.exe':
Event/EventData[Data='C:\WINDOWS\System32\svchost.exe']
List all events with an EventID of 2006:
Event/System[EventID=2006]
List all events with a given EventID while searching for a specific field value (Sysmon for the test here)
Event/System[EventID=3] and Event/EventData/Data[@Name='DestinationIp'] and Event/EventData[Data='10.0.0.2']
Note that the last two predicates are evaluated independently: the event must have a Data element named 'DestinationIp' and some Data element equal to '10.0.0.2', not necessarily the same one. To tie the value to the named field, write Event/EventData/Data[@Name='DestinationIp']='10.0.0.2' instead.
Return type:EvtQuery

2.16.5. Event

2.16.5.1. EvtEvent

class windows.winobject.event_log.EvtEvent(handle=0, channel=None)[source]

An Event Log event (a record read from a channel or an evtx file)

computer

The computer that generated the event

data

A dict of the EventData values of the event, keyed by their Name attribute.

Type:dict
date

time_created as a datetime.datetime

event_values()[source]

The values of the event in a list

id

The ID of the Event

level

The level of the Event

metadata

The metadata for the current Event

Type:EventMetadata
opcode

The opcode of the Event

pid

The process ID of the Event

provider

The provider of the event

tid

The thread ID of the Event

time_created

The creation time of the Event

user

The User ID (SID) associated with the Event

value(name, **kwargs)[source]

Retrieve a value from the event. name is an XPath expression that uniquely identifies a node or attribute in the event, for example Event/System/EventID or Event/EventData/Data[@Name='DestinationIp'] (see https://msdn.microsoft.com/en-us/library/windows/desktop/aa385352(v=vs.85).aspx)

version

The version of the Event
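As an added example (not code from PythonForWindows), here is a small detection run over EvtEvent objects using the attributes documented above (id, provider, data, time_created, computer), together with a Windows-only driver that feeds it from the Sysmon channel and uses EvtQuery.seek(-N) to restrict the read to the N most recent matches. The sample events, the allowlist and the names suspicious_connection, find_suspicious, sample_events and scan_channel are constructed for the example; real EvtEvent objects expose the same attributes and work unchanged.

```python
# Added example, not part of PythonForWindows: a detection rule over EvtEvent
# objects (or stand-ins with the same attributes), fed from a live channel
# only in scan_channel.
import collections
import ipaddress

# Constructed stand-in carrying the EvtEvent attributes the rule reads.
SampleEvent = collections.namedtuple("SampleEvent", "id provider data time_created computer")

SYSMON_PROVIDER = "Microsoft-Windows-Sysmon"
SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"
SYSMON_NETWORK_CONNECT = 3  # Sysmon EventID 3: network connection

# Constructed allowlist of images expected to reach the internet; tune per host.
ALLOWED_IMAGES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\mozilla firefox\firefox.exe",
}


def is_internal(ip_text):
    """True for private/loopback/link-local addresses; False otherwise or if unparsable."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local


def suspicious_connection(event):
    """Reason string for an outbound Sysmon connection from an unexpected
    image to a non-internal address, or None when the event is not of interest."""
    if event.provider != SYSMON_PROVIDER or event.id != SYSMON_NETWORK_CONNECT:
        return None
    data = event.data  # EvtEvent.data: EventData Name -> value
    if str(data.get("Initiated", "true")).lower() != "true":
        return None  # inbound connection: out of scope for this rule
    image = str(data.get("Image", "")).lower()
    dst = str(data.get("DestinationIp", ""))
    if image in ALLOWED_IMAGES or is_internal(dst):
        return None
    return "%s -> %s:%s (pid %s)" % (image, dst, data.get("DestinationPort"),
                                     data.get("ProcessId"))


def find_suspicious(events):
    """Apply the rule to an iterable of events; returns [(time_created, computer, reason)]."""
    hits = []
    for ev in events:
        reason = suspicious_connection(ev)
        if reason:
            hits.append((ev.time_created, ev.computer, reason))
    return hits


def sample_events():
    """Constructed Sysmon-like events: allowed image, internal target, suspicious, unrelated."""
    base = {"Initiated": "true", "Protocol": "tcp"}
    temp_exe = r"C:\Users\bob\AppData\Local\Temp\update.exe"
    return [
        SampleEvent(3, SYSMON_PROVIDER, dict(base, Image=r"C:\Windows\System32\svchost.exe",
                    ProcessId="1040", DestinationIp="8.8.8.8", DestinationPort="443"),
                    "2024-01-01T10:00:00", "WS01"),
        SampleEvent(3, SYSMON_PROVIDER, dict(base, Image=temp_exe, ProcessId="4412",
                    DestinationIp="10.0.0.2", DestinationPort="445"),
                    "2024-01-01T10:00:01", "WS01"),
        SampleEvent(3, SYSMON_PROVIDER, dict(base, Image=temp_exe, ProcessId="4412",
                    DestinationIp="93.184.216.34", DestinationPort="4444"),
                    "2024-01-01T10:00:02", "WS01"),
        SampleEvent(1, SYSMON_PROVIDER, {"Image": temp_exe},  # process create: ignored
                    "2024-01-01T09:59:59", "WS01"),
    ]


def scan_channel(channel_name=SYSMON_CHANNEL, last=None):
    """Windows only: run the rule over a live channel (or an .evtx path).

    PythonForWindows is imported lazily so the rule stays usable elsewhere.
    With last=N, seek(-N) positions the query on the N most recent matches,
    as documented for EvtQuery.seek, before all() reads them.
    """
    import windows  # PythonForWindows
    query = windows.system.event_log[channel_name].query(
        filter="Event/System[EventID=%d]" % SYSMON_NETWORK_CONNECT)
    if last is not None:
        query.seek(-last)
    return find_suspicious(query.all())


if __name__ == "__main__":
    for hit in find_suspicious(sample_events()):
        print(hit)
```

Filtering on EventID in the query and doing the per-field logic in Python keeps the XPath simple and the rule easy to unit-test; all() materialises every match, so on a busy channel prefer scan_channel(last=N) or a narrower filter.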

2.16.5.2. EventMetadata

class windows.winobject.event_log.EventMetadata[source]

The Metadata about a given Event type

see: https://msdn.microsoft.com/en-us/library/windows/desktop/aa385517(v=vs.85).aspx

channel_id

The Channel attribute of the Event definition

event_data

The list of data attributes specific to this event, retrieved by parsing EventMetadata.template

id

The ID of the Event

keyword

The keyword attribute of the Event definition

level

The level attribute of the Event definition

message_id

Identifies the message attribute of the event definition.

opcode

The opcode attribute of the Event definition

task

The task attribute of the Event definition

template

Identifies the template attribute of the event definition which is an XML string

value

current value

version

The version of the Event
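As an added example (not code from PythonForWindows), the block below parses a template string of the kind EventMetadata.template returns into the field list that event_data exposes, uses it to attach names to the positional list from EvtEvent.event_values(), and, on Windows only, walks PublisherMetadata.events_metadata to describe every event a publisher defines. SAMPLE_TEMPLATE is constructed (ETW manifest <template> markup, modelled on Sysmon EventID 3 with the field set shortened); that event_values() follows template order is my assumption, as are the names parse_template, bind_values and describe_publisher.

```python
# Added example, not part of PythonForWindows: parse an EventMetadata.template
# string into (name, inType) fields and bind positional event values to them.
import xml.etree.ElementTree as ET

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events"

# Constructed template in the shape of EventMetadata.template (ETW manifest
# <template> element); modelled on Sysmon EventID 3, field set shortened.
SAMPLE_TEMPLATE = """<template xmlns="http://schemas.microsoft.com/win/2004/08/events">
  <data name="RuleName" inType="win:UnicodeString" outType="xs:string"/>
  <data name="UtcTime" inType="win:UnicodeString" outType="xs:string"/>
  <data name="ProcessId" inType="win:UInt32" outType="win:PID"/>
  <data name="Image" inType="win:UnicodeString" outType="xs:string"/>
  <data name="DestinationIp" inType="win:UnicodeString" outType="xs:string"/>
  <data name="DestinationPort" inType="win:UInt16" outType="xs:unsignedShort"/>
</template>"""


def parse_template(template_xml):
    """Return [(name, inType)] for each <data> element, in declaration order.

    Events without user data have an empty template, which yields [].
    """
    if not template_xml or not template_xml.strip():
        return []
    root = ET.fromstring(template_xml)
    return [(d.get("name"), d.get("inType")) for d in root.iter("{%s}data" % EVT_NS)]


def bind_values(template_xml, values):
    """Map a positional value list (as from EvtEvent.event_values()) onto the
    template's field names. Assumes the values come in template order."""
    names = [name for name, _ in parse_template(template_xml)]
    if len(names) != len(values):
        raise ValueError("template declares %d fields, event carries %d values"
                         % (len(names), len(values)))
    return dict(zip(names, values))


def describe_publisher(publisher_name):
    """Windows only: [(event id, version, [field names])] for every event the
    publisher defines, via PublisherMetadata.events_metadata."""
    import windows  # PythonForWindows, imported lazily
    meta = windows.system.event_log.open_publisher(publisher_name).metadata
    described = []
    for em in meta.events_metadata:
        fields = [name for name, _ in parse_template(em.template)]
        described.append((em.id, em.version, fields))
    return described


if __name__ == "__main__":
    for name, in_type in parse_template(SAMPLE_TEMPLATE):
        print("%-16s %s" % (name, in_type))
```

The inType tells you how to interpret a value before comparing it (a win:UInt32 ProcessId compares as an integer, a win:UnicodeString path should be case-folded), which matters when the same field is matched both in an XPath filter and in Python.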

2.16.5.3. EvtQuery

class windows.winobject.event_log.EvtQuery(handle=0, channel=None)[source]

Represent an Event-log query

all()[source]

Return a list with all the query results

Return type:[EvtEvent] – A list of EvtEvent
first()[source]

Return the first query result

Return type:EvtEvent – An Event
next()

Return the next EvtEvent matching the query

seek(position, seek_flags=None)[source]

Seek to position. seek_flags can be one of:

  • None
  • EvtSeekRelativeToFirst
  • EvtSeekRelativeToLast
  • EvtSeekRelativeToBookmark

If seek_flags is None:

  • position >= 0 will use EvtSeekRelativeToFirst
  • position < 0 will use EvtSeekRelativeToLast with position+1
    • This allows retrieving the last -position events (seek(-10) followed by all() returns the 10 most recent events of the query)
value

current value

2.16.6. TODO

class windows.winobject.event_log.PropertyArray[source]

TODO

value

current value