Online EVTX Parser And Viewer
We’re excited to announce our new EVTX parser and EVTX viewing capabilities are now freely available in Gigasheet! If you can use Excel, you can use Gigasheet to quickly view, search, and analyze Windows Event Log EVTX files online, and convert EVTX files to CSV. Gigasheet also scans your file against common IOCs (indicators of compromise) and current threat intelligence to alert you to suspicious activity.
How To View EVTX Files
To view EVTX files, simply create a Gigasheet account (it’s free) and upload your EVTX file to Gigasheet. That’s it! After the file parses, click the file to view it in Gigasheet’s spreadsheet-like interface where you can sort, filter, search, pivot, and more. You can even combine multiple EVTX files, or join with other logs to create a super-timeline. It’s free to upload files (up to 10GB!), and it doesn’t require any software installation or configuration. When you’re ready, you can export filtered EVTX files to a CSV.
How to View EVTX in Excel
In its native XML format, Windows Event Logs (i.e., EVTX files) are not easily viewable in Excel, but you can use the Event Viewer console which is built into Windows. Why can't you open EVTX files in Excel? It's due to the hierarchical data structure of XML, with nested fields, and the convoluted format of EVTX files. In other words, EVTX files are not easily organized into the rows and columns that software like Microsoft Excel expects. Windows Event Logs can be exported from Event Viewer as a CSV. It’s important to note that the CSV export only extracts the major fields in the event logs, meaning much of the data is not easily analyzed. This also assumes that the CSV export is under the Excel maximum row limit of about 1M rows. If the file is large, it's unlikely the CSV can be imported into an Excel document.
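As an added illustration (not Gigasheet's code, nor any of the tools named on this page), here is how the nested XML of one rendered event record can be flattened into a single CSV row, keeping the per-event EventData fields that a basic export drops. The event record is constructed sample data in the standard Windows event XML schema.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Namespace used by rendered Windows event XML
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: a trimmed 4624 (successful logon) record
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2023-01-05T10:15:30.123456Z"/>
    <Computer>WS01.example.local</Computer>
    <Channel>Security</Channel>
  </System>
  <EventData>
    <Data Name="TargetUserName">alice</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="IpAddress">10.0.0.5</Data>
  </EventData>
</Event>"""

def flatten_event(xml_text):
    """Turn one <Event> record into a flat dict of column -> value."""
    root = ET.fromstring(xml_text)
    row = {}
    system = root.find("e:System", NS)
    for child in (system if system is not None else []):
        tag = child.tag.split("}", 1)[1]            # strip the namespace prefix
        if child.text and child.text.strip():
            row[tag] = child.text.strip()           # e.g. EventID, Computer
        for attr, value in child.attrib.items():    # e.g. Provider.Name, TimeCreated.SystemTime
            row[f"{tag}.{attr}"] = value
    event_data = root.find("e:EventData", NS)
    if event_data is not None:
        for i, data in enumerate(event_data.findall("e:Data", NS)):
            name = data.get("Name") or f"Data{i}"   # unnamed Data fields get positional names
            row[f"EventData.{name}"] = (data.text or "").strip()
    return row

def events_to_csv(xml_records):
    """Flatten several records into CSV; the header is the union of all keys seen."""
    rows = [flatten_event(x) for x in xml_records]
    columns = []
    for r in rows:
        for key in r:
            if key not in columns:
                columns.append(key)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```

Because different Event IDs carry different EventData names, the union-of-keys header is what lets records from several logs land in one table.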
Alternative and Open Source Options
If you're looking for software to run locally, there are a number of strong options available. We'll touch on the two popular options here, but a simple Google search turns up many others.
EVTX Explorer (EvtxEcmd) is a powerful open source tool written by SANS Instructor Eric Zimmerman. This Windows Event Log parser can parse a single event log file or a directory recursively. On the command line you specify input options like a file or directory, and you can export data to CSV, JSON or XML. You can also specify particular Event IDs to include or exclude. EvtxEcmd can also be integrated with KAPE, an artifact collection tool.
Event Log Explorer is a fully featured commercial option, but it only runs on Windows operating systems. It can access Windows event logs and event log files from both local and remote servers. With this option you can view several EVTX files at one time. If you're not using it for personal use, you will need to purchase a license.
MS Log Parser is a command-line tool from Microsoft. They describe it as "a powerful, versatile tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows operating system such as the Event Log." As you might expect, MS Log Parser only runs on the Windows operating system.
As with most alternatives, these options involve tradeoffs and suffer from a variety of limitations. Most only run on Windows due to dependencies on EVTX parsing libraries or PowerShell. So if you're on Mac or Linux, you're out of luck. Some open source options do support other operating systems, but typically they require you to download other libraries and/or change your environment variables, permissions, and configuration. All of these scripts or executables are intended to run on your local machine. So if you're running other processes or have an underpowered system, be prepared for lackluster performance. Finally, many of these options are intended for analyzing a single file. It's often not easy to combine multiple EVTX outputs into a single file for larger scale analysis.
What Are EVTX Files Anyway?
The Windows Event Log (a.k.a., EVTX file) is an XML-based format used by Microsoft Windows to store system log information. The EVTX format replaced the Windows Event Log (EVT) format used in Windows XP. EVTX files are often an essential piece of evidence in incident response because they contain detailed clues about the actions taken, processes run, and changes to configurations on the host machine. Incident Responders can use Windows Event Logs to analyze account creation, deletion, login activity, system information, warnings and errors. Threat Hunters also use EVTX files to proactively identify suspicious activity (for example, check out this blog on Threat Hunting LOLBins). The fine folks over at the SANS Institute have written a number of in-depth articles on the subject (also check out this thread).
In most versions of the Windows operating system you can easily open an EVTX file in the Windows Event Log Viewer by double-clicking the EVTX. You can typically locate EVTX files in the C:\windows\system32\winevt\Logs directory. That said, the Windows Event Log Viewer is fairly simple, so it isn’t ideal for complex information security investigations where multiple forensic artifacts are involved, and queries or correlations are required.
Gigasheet EVTX Parsing
Gigasheet makes it easy for Incident Responders and Threat Hunters to analyze huge CSVs, convert JSON to CSV, analyze PCAPs, and now EVTX files. Large EVTX files aren’t easy to open in tools like Excel, not only because of the large volumes, but also because of the XML format. Typically analyzing these files requires a host of command line utilities, Python libraries or other scripts, each with their own dependencies, syntax, and operating system requirements. At Gigasheet we’re working to remove this complexity and provide security investigators tools that are fast, functional, and intuitive.