How To Convert EVTX to CSV
Information security practitioners are often looking for an easy way to open EVTX files in Excel. It turns out to be challenging, as we detail below. TLDR; Gigasheet makes it easy to convert EVTX files to CSV. Create your own free account here.
Windows uses EVTX, an xml-based log format for recording many events. This allows for very detailed structured logging and easy internationalization, but as always there’s a tradeoff--the system has extra complexity and reduced ease of use. We introduced EVTX parsing in Gigasheet here. This post shares a bit more about how EVTX files are converted to CSV, and how you can work with them in Gigasheet or even Excel.
For references to other CSV file conversions, check out:
There are five built-in logging channels that use the EVTX format:
* Security: This channel contains information about user events like logon attempts and resource management events like file creation or deletion. Windows admins can customize the level of detail and whether certain event types are logged or not.
* Application: This channel contains events logged by applications and programs installed on the system, rather than from the operating system itself. Individual application developers choose what to log.
* System: This channel contains events logged by Windows components. Many of these are driver or hardware related.
* Setup: This channel contains events specifically about installing or removing applications. It also includes events relating to Windows patches and updates.
* Forwarded Events: This channel can contain any of the above types that were recorded on another host and sent to this host.
In addition to these channels used by Windows itself, there is another group of Application and Services logs for application developers. These are intended for events or messages that only affect a specific application. Developers have a choice between logging in the shared system Application.log or creating their own application-specific logs under the Application and Services channel.
One of the weird things about EVTX files is that while we think of them as log files they don’t contain all the information needed to interpret an event by themselves. An event will contain a numeric Event ID with the actual message stored in a DLL and the mapping between them saved in the registry. For example we might see Event ID 4648 in our EVTX files--and that’s all we see! We first look at the registry to see what DLL has the messages:
Then we can pull the actual message, in this case Event ID 4648 is “a logon attempt using explicit credentials”. Windows includes a number of default mappings for events it records but you don’t _really_ know what actions an Event ID corresponds to without looking at that specific host!
What other tools handle EVTX files?
Microsoft provides a formal specification but that's rarely useful for day-to-day security practitioners. Instead, Windows provides a built-in EVTX event viewer. It's great for seeing detailed information for any specific event and includes a human-readable version of
various event codes.
The main downside of Windows Event Viewer is that it only shows us details about one event at a time, so it's not particularly useful when we want to search or examine lots of events. This is probably why so many practitioners are interested to view EVTX in Excel or CSV formats.
Another funny thing is that events can have custom data under the `EventData` part of log entry that uses the same names as built-in fields. For example, the `Event ID` we see in the above screenshot is `System/Event ID` in the raw xml, but it's possible for applications to overload this and add `EventData/Event ID` too! This makes writing parsers for EVTX and choosing information to highlight tricky.
If you prefer command line utilities Eric Zimmerman's tools include an EVTX utility called `EvtxEcmd` and F-Secure shares Chainsaw. Both provide a way to search through multiple EVTX files. In addition, `EvtxEcmd` includes a variety of mapping files that can help turn Event IDs into readable messages and Chainsaw has a built-in way of running against a set of Sigma rules. As command line utilities it’s pretty easy to call either `EvtxEcmd` or `Chainsaw` in a script, but they’re harder to pick up and use for exploratory work.
EVTX CSVs In Gigasheet
We considered a couple of options when adding EVTX support to Gigasheet. We could
write a parser ourselves or use an existing library. Writing something from scratch provides the most control (and is usually the most fun), but using an existing parser has one giant benefit--someone else put in the effort already. Between initial development, testing, and covering funny edge cases, it can be a lot of work to match an existing, well-supported library. We looked at several options like Velocidex's golang EVTX parser before settling on the awesome EVTX parsing library in Rust by Omer BenAmram (which also powers Chainsaw).
Gigasheet highlights a couple of important columns by showing them on the left and shortening the names. Other than that we show you raw, granular data which lets you use Gigasheet’s grouping and filtering to investigate what you need. For example, we can do things like group by Event ID, look at logon events, then filter for failures:
If you've tried EVTX files in Gigasheet and feel like there's something missing or that we should be emphasizing other fields please let us know at email@example.com!