evtx: A Fast parser for the Windows XML Event Log (EVTX) format

EVTX

A cross-platform parser for the Windows XML EventLog format

Features

  • 🔒 Implemented using 100% safe rust – and works on all platforms supported by rust (that have stdlib).
  • 🚀 Multi-threaded.
  • ✨ Supports XML and JSON outputs, both being directly constructed from the token tree and independent of each other (no xml2json conversion is performed!)
  • ⛏️ Supports some basic recovery of missing records/chunks!
  • 🐍 Python bindings are available as well at https://github.com/omerbenamram/pyevtx-rs (and at PyPi https://pypi.org/project/evtx/)

evtx_dump (Binary utility):

The main binary utility provided with this crate is evtx_dump, and it provides a quick way to convert .evtx files to different output formats.

Some examples

  • evtx_dump <evtx_file> will dump the contents of evtx records as xml.
  • evtx_dump -o json <evtx_file> will dump contents of evtx records as JSON.
  • evtx_dump -f <output_file> -o json <input_file> will dump contents of evtx records as JSON to a given file.

evtx_dump can be combined with fd for convenient batch processing of files:

  • fd -e evtx -x evtx_dump -o jsonl will scan a folder and dump all evtx files to a single jsonlines file.
  • fd -e evtx -x evtx_dump -f "{.}.xml" will create an xml file next to each evtx file, for all files in a folder recursively!
  • If the source of the file needs to be added to json, xargs (or gxargs on mac) and jq can be used: fd -a -e evtx | xargs -I input sh -c "evtx_dump -o jsonl input | jq --arg path \"input\" '. + {path: \$path}'" (note that xargs substitutes the path into the sh -c string unquoted, so paths containing spaces will break this pipeline).

Note: by default, evtx_dump will try to utilize multithreading; this means that the records may be returned out of order.

To force single-threaded usage (which will also ensure order), -t 1 can be passed.
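The two points above (tagging each record with its source file, and records arriving out of order from a multi-threaded dump) can also be handled after the fact on the jsonl output. The following is an added example, not code from the evtx project: it assumes the JSON shape evtx_dump emits for `-o jsonl`, one object per line with the event under "Event" -> "System" (EventRecordID, EventID, TimeCreated), and the sample lines are constructed to be out of order and to include one corrupt line.

```python
"""Post-process `evtx_dump -o jsonl` output: attach the source path to each
record (what the jq '. + {path: $path}' step does) and restore record order
by EventRecordID, which a multi-threaded dump does not preserve.

Added example, not part of the evtx project. The record layout is an
assumption based on the README's description of the JSON output."""
import json
from collections import Counter

# Constructed sample: three records as evtx_dump -o jsonl might emit them,
# deliberately out of order, plus one corrupt line a tool must not choke on.
SAMPLE_JSONL = "\n".join([
    '{"Event":{"System":{"EventID":4624,"EventRecordID":3,'
    '"TimeCreated":{"#attributes":{"SystemTime":"2019-01-01T00:00:02Z"}}}}}',
    '{"Event":{"System":{"EventID":{"#attributes":{"Qualifiers":16384},"#text":7036},'
    '"EventRecordID":1,'
    '"TimeCreated":{"#attributes":{"SystemTime":"2019-01-01T00:00:00Z"}}}}}',
    'this line is not json',
    '{"Event":{"System":{"EventID":4688,"EventRecordID":2,'
    '"TimeCreated":{"#attributes":{"SystemTime":"2019-01-01T00:00:01Z"}}}}}',
])


def event_id(record):
    """Return the numeric EventID. It is emitted as a plain integer, or as an
    object with '#text' when the event carries Qualifiers (assumed layout)."""
    eid = record.get("Event", {}).get("System", {}).get("EventID")
    if isinstance(eid, dict):
        eid = eid.get("#text")
    return int(eid) if eid is not None else None


def record_id(record):
    """EventRecordID: the per-log sequence number used to restore order."""
    return int(record["Event"]["System"]["EventRecordID"])


def parse_jsonl(text, source_path):
    """Parse jsonl text into records, tagging each with the file it came from.

    Returns (records, skipped): lines that are not JSON or lack the "Event"
    key are counted in `skipped` rather than aborting the whole file."""
    records, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if not isinstance(obj, dict) or "Event" not in obj:
            skipped += 1
            continue
        obj["path"] = source_path  # same field name the README's jq step adds
        records.append(obj)
    return records, skipped


def sort_by_record_id(records):
    """Restore on-disk order after a multi-threaded dump."""
    return sorted(records, key=record_id)


def count_by_event_id(records):
    """Histogram of EventIDs, a common first triage step over a dumped log."""
    return Counter(event_id(r) for r in records)


if __name__ == "__main__":
    recs, skipped = parse_jsonl(SAMPLE_JSONL, "/cases/host1/Security.evtx")
    for r in sort_by_record_id(recs):
        print(record_id(r), event_id(r), r["path"])
    print("skipped lines:", skipped)
```

Feed it real output with `parse_jsonl(open("out.jsonl").read(), "path/to/file.evtx")`; because EventRecordID is per log file, sort within one file's records rather than across a merged dump of many files.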

Download & Use

Copyright (c) 2019 Omer Ben-Amram