Author Archives: Michael Karsyan

Extra power of custom columns

Approximately 10 years ago, we introduced custom columns in Event Log Explorer. This feature allows users to extract event details from the event description or event XML. Custom columns have significantly enhanced our customers’ ability to get more information from events, and we have continuously improved it across different versions. Previously, Event Log Explorer treated custom column values as text, which sometimes was insufficient for in-depth analysis. For example, in my article about tracking printer usage, it was impossible to sort events by the number of pages.

Since version 5.5, Event Log Explorer allows users to specify the type of custom values.

Let’s take the same printer usage problem and solve it using this new power.

Make sure that logging of Microsoft-Windows-PrintService/Operational log is enabled on your print server and open it.
Set filter to Event ID = 307
Optionally hide unnecessary columns like Type, Event Id, Source, Category, User
Set custom columns as follows:
Column 1:
Column title: Printer user
Value: {DATA[3]}
Treat value as : Text
Column 2:
Column title: Printer
Value: {DATA[5]}
Treat value as: Text
Column 3:
Column title: Pages
Value: {DATA[8]}
Treat value as: Integer

As seen, you only need to set “Treat value as” to Integer for the last custom column. This will display events like the previous versions displayed, but now the Pages column is shown as an integer column.

This means that you can now sort by this column from lowest to highest value (or vice versa), not just alphabetically. You can also filter by this value (e.g., greater than or less than).

Furthermore, you can now create a summary table and calculate the total number of pages by every user. To do so, you will need to generate a new analytical report.

Select Advanced->Analytical reports from the main menu.

Then select Field List and move “Printer user” to the left area.

Select Field List again and move Pages to the central area.

Next, move Measures (1) into the top area.

This will create a summary table that looks like this:

Note that Event Log Explorer automatically calculates the sum of pages for each user because Sum is the default aggregative function for integer fields. However, you can change it to any other aggregative function if needed. For instance, if you want to get the average number of pages every user prints at once, expand Measures (1), right-click on Pages, select Properties, and in the Measure Editor dialog, change Sum to Average, then click OK.

As you can see, custom columns now offer enhanced capabilities for analyzing Windows event logs.

Get the latest version of Event Log Explorer to leverage the full potential of custom columns right away!

Scripting in Event Log Explorer

Starting from version 5.1 Event Log Explorer comes with scripting support (scripting is implemented in the forensic and enterprise editions). Scrips help you automate many routine tasks and improve your performance.

Scripting lets you can open logs, set filters, scan event views, remove specific events from a log view, export events and many more.

The scripting language we use in Event Log Explorer is PascalScript (FastScript by FastReports). It is similar to Pascal language with some limitation. You can download our scripting reference at https://eventlogxp.com/download/elex_scripting.pdf

Some sample scripts are available in folder “C:\ProgramData\Event Log Explorer\Scripts\Samples\”.

In this article we will write a script that merges security event log files located in one folder and displays only Audit Failure events.

Let’s start. First you need to start Event Log Explorer (Forensic or Enterprise edition) 5.2 or higher.

From the main menu select Script -> Script Console. Now you can type your script.

Consider that your log files are stored in C:\LogList folder and security log file names start with ‘Sec’, e.g. ‘security-08-2022.evtx’.

We have procedure GetFileList which returns list of files matching the specified mask. It copies the list into TStringList.

To run this procedure, we have to create TStringList object first:

var
  FileList : TStringList;
begin
  //create object FileList of TStringList class
  FileList := TStringList.Create;

  // fill FileList with file names from C:\LogList 
  // which start with 'sec' and have evtx file extension
  GetFileList('C:\LogList\sec*.evtx', FileList);

  // display the content of FileList in the debug console
  DebugOut(FileList.Text);

  // always free objects you created
  FileList.Free;
end.

Since you have a list of logs to merge, you can use function CreateLogFileMerger to open your files in a merger. This function is a method of TSApp class. When you start Event Log Explorer, it automatically creates an TheApp object which is a single instance of TSApp class (you cannot create TSApp instances manually).

You can use TheApp properties and methods to manage Event Log Explorer application.

CreateLogFileMerger creates an event log view contain events from all event log files in the list and returns a new TSLogView object associated with the log view.

The first parameter of this function is FileNames of TStringList class. It is the same list we got by GetFileList function, but CreateLogFileMerger requires full path of file names. So, we need to add ‘C:\LogList\’ before every name in the list.

Modifying the script as follows:

var
  FileList : TStringList;
  i : Integer;
begin
  //create object FileList of TStringList class
  FileList := TStringList.Create;

  // fill FileList with file names from C:\LogList 
  // which start with 'sec' and have evtx file extension
  GetFileList('C:\LogList\sec*.evtx', FileList);

  // Converting every name to full path name
  for i := 0 to FileList.Count-1 do
    FileList[i] := 'C:\LogList\'+FileList[i];

  // display the content of FileList in the debug console
  DebugOut(FileList.Text);

  // always free objects you created
  FileList.Free;
end.

It’s time to create the merger. Add Merger declaration:

var
  Merger : TSLogView;

and Merger creation before FileList.Free:

Merger := TheApp.CreateLogFileMerger(FileList, True);

The second parameter of CreateLogFileMerger defines if the script waits until all the logs are loaded or not. Since we want to filter the merger, we should wait.

To filter the log view, we can access the EventFilter property of the TSLogView and call EventFilterApply method to apply the filter:

// Clear current filter first

Merger.EventFilter.Clear;

// Set filter to display Audit Failure events only

Merger.EventFilter.EVT_AUDIT_FAILURE := True;

// Apply the filter

Merger.EventFilterApply;

The final script:

var
  Merger : TSLogView;
  FileList : TStringList;
  i : Integer;
begin
  FileList := TStringList.Create;
  GetFileList('C:\LogList\sec*.evtx', FileList);
  for i := 0 to FileList.Count-1 do
    FileList[i] := 'C:\LogList\'+FileList[i];
  Merger := TheApp.CreateLogFileMerger(FileList, True);
  FileList.Free;
  Merger.EventFilter.Clear;
  Merger.EventFilter.EVT_AUDIT_FAILURE := True;
  Merger.EventFilterApply;
end.

That’s all. As you can see, Event Log Explorer provides powerful, but not hard to use scripting mechanism to automate your tasks. Download Event Log Explorer (Forensic or Enterprise Edition) and write your own event log scripts!

Event Log Explorer Forensic Edition – Snapshots

Taking snapshots is one of the great new features in the Forensic Edition. Whenever you need to save a set of events for future analysis, you can take a snapshot and then load it without access to the original log or log file. Snapshots are like event log backups, but there are some differences.

While backups work with the entire event log (or in some cases with event logs, filtered by an XML query), you can take a snapshot from a log view or even from separate events. Backing up from remote computers could be painful because it’s linked with extra administration tasks like sharing resources and granting permissions. Unlike backups, you can take snapshots much easy. It’s just like event export, but you can load the snapshot and work with it as you work with an event log file. Also, you can optionally save the current time zone and custom fields into the snapshot. Note that the snapshots contain the rendered descriptions and task category name. You don’t need to have specific components (dll or exe files) on your computer to display the text correctly.

Some situations when snapshots may help you:

You connected to a remote computer, opened an event log and want to save it locally.
You opened a large log file, filtered events and you want to continue working with these events only. It is always easier to work with smaller files — filtering and sorting operations are faster.
You opened an event log and have concerns about some events. You can bookmark these events and save them as a snapshot. Then you can send this snapshot to another person for research.
You merged different logs from different computers in one log view and want to save it as one file for further exploring.

It is very easy to take and load snapshots with Event Log Explorer.

To take snapshot from the active log view, select Forensics->Take snapshot from the main menu and click OK button.

To load snapshot, select Forensics->Load snapshot from the main menu.
That’s it

Download Event Log Explorer Forensic Edition and try to save your logs as snapshots.

Event Log Explorer Forensic Edition – working with damaged logs or disks

In this article, I will show how to work with damaged event log files. Event Log Explorer forensic edition can extract events from damaged files.

Let’s take a log file (e.g. a security log file) and open it with Event Log Explorer using File-> Open Log File.

Event Log Explorer opens this file as it always does.

Now we will intentionally corrupt this log. I will modify several bytes (commonly, it’s enough to change only 1 bit) with any hex editor. It is not necessary that someone may damage an event log – it’s not easy, but such issues may occur because of technical defects like hardware failures, driver errors, etc.

Now if you try to open this event log file, Event Log Explorer will display zero events:

You can see a red sign near the navigation buttons. If you hover your mouse over this sign, you will see a message “The event log file is corrupted”.

A similar problem occurs if you open this log in Windows Event Viewer:

Event Viewer cannot open the event log or custom view. Verify Event Log service is running or query is too long. The event log file is corrupted (1500).

However, it’s still possible to read events from this log file!

Select Forensics->Forensic Open File and change File Access Method to Direct Access Method.

This feature will open your log file!

Note that in my case, it displays fewer events than it displayed for the original event log, but this is better than 0 events anyway.

Let’s make more changes to the log and fill the first 8K with random bytes.

If you try to open it using Direct method as before, Event Log Explorer will fail to open it. However, you can use Deep Scan option. Open Forensic->Deep Scan, select your file and press OK.

Event Log Explorer will scan your files for events.

You can use deep scan not only for event log files. You can scan disk images including virtual disks or even physical or logical disks.

Deep scan may help you to find more events even if you have undamaged event log files. E.g. if a log was cleared, you can still find cleared events on the disk if they were not overwritten.

Download Event Log Explorer Forensic Edition and try Deep scan and Direct file access options with your files!

Files in Event Log Explorer Forensic Edition. Searching for removed events

Although Standard Edition of Event Log Explorer works with event log files perfectly, you may need more functionality when analyzing damaged or intentionally modified event log files. I’m starting a series of articles about the advanced use of Event Log Explorer Forensic Edition with files.

Let’s imagine that you examine an event log with removed events. If you believe that it’s impossible to remove events from an event log, I will show how to do it.

I will remove logon events from Security event log as follows:

Start Windows Event Viewer.

Open a log file (I take Security.evtx from my old archive, but you can use it even with the live Security log).

Set Filter in Event Viewer to exclude events 4624 (of course you can set any filter you want).

Click “Save Filtered Log File As” and save it as EVTX file.

Voila, you have a new event log file with removed events. You can open it with Event Viewer or Event Log Explorer and don’t even expect that it’s not an authentic event log. Of course, a real malefactor should replace a live event log with the forged one, but it’s not an impossible task. If s/he has a physical access to the computer, it’s possible to replace C:\Windows\System32\WinEvt\Logs\Security.evtx by loading the computer in recovery console. It’ much harder to forge the log remotely, but still possible by exploiting system vulnerabilities (e.g “Vault 7” hacking tool set lets you exploit such vulnerabilities and remove events).

And how can we detect if the examined event log file misses events? We discovered that Event Viewer (more accurately Event Log API) just copies the events into a new file as is. So, all events in the new log file will have the same record number as they had in the original event log. If we scan all the events, we can easily detect missed record numbers.

This functionality is implemented in Event Log Explorer Forensic Edition. Select Forensics from the main menu, click Forensic Open File, add your files by clicking Add button and enable option “Check log files for deleted events”. You will have the list of potentially deleted events.

You may be wondering if it is possible to forge an event log in such a way that it will fix the record numbers making it indistinguishable from non-edited log. It was easy for legacy evt logs, but very hard for the modern evtx event logs. I cannot state that it’s impossible, however I never seen any tools or a sample code that can do such tricks. That’s why I believe that Event Log Explorer can detect events deletion in event logs.

Download Event Log Explorer Forensic Edition and check if your log files have no deleted events!

Working with disk images in Forensic Edition

Now I will explain how Event Log Explorer works with disk images. If you have a disk image from an examined computer, you should mount it as a disk. If you have a real disk, you can just connect it to your PC.

Let’s consider that you already mounted a disk that contains Windows folder of the examined PC. Now you can create a virtual (“imaged”) computer in Event Log Explorer. Select Forensics->Add Imaged Computer from the main menu. Event Log Explorer will try to detect your disk, but you can input the path to Windows folder manually. You should also type a friendly name of this computer in the Tree and press Ok.

The computer will be added to the tree as a general computer, and you can use Event Log Explorer with this virtual computer exactly like you work with the real computers!

You may think that Event Log Explorer just opens files from \Windows\System32\winevt\Logs\, but it does much more. When you just open a foreign even log file, you can often see the description rendering issues (The description for Event ID (Event) from source (Source) cannot be found). These issues occur because the event log file doesn’t contain the description messages. Even descriptions are rendered based on the installed components, and if the required component is missing, you will see the “description not found” message.

Event Log Explorer tries to emulate the live system. It reads the registry files (\Windows\System32\config\SOFTWARE and \Windows\System32\config\SYSTEM), builds a log tree, detects the location of the required description components, and then reads log files and renders descriptions messages. From the user’s point of view, you are just working with the local event logs.

Download Event Log Explorer Forensic Edition to work with disk images the same way as you work with the live computers!

Event Log Explorer Forensic Edition

Recently we released a new edition of Event Log Explorer – Forensic Edition. Currently it has a beta version status – the final release will appear after we complete the documentation and add extra forensic features.

Here I will describe the difference between the standard and forensic editions.

The program keeps all features of the Standard Edition, and you commonly don’t need to use the Standard Edition if you have the Forensic one. Anyway, if you have a license key to Forensic Edition, you can use it with Standard Edition. However, if you have a license key to Standard Edition, it will work only with the current beta version of Forensic Edition but won’t work with the final release. You will be able to upgrade from Standard to Forensic by paying the price difference.

New program doesn’t require elevation when you run it. So, if you don’t have the admin rights, you can still run this program. The standard edition requires elevation to access the Security log and to manage event logs (e.g., clear them). Forensic users commonly work with log files, so it is not necessary to start it elevated. However, if you need to access the Security log, you may run it as Admin manually.

When you start the program, you can find the major difference between the editions in the user interface. There are two new menu items in the main menu: Forensics and Script.

Script lets you create and run your own scripts (written in Pascal script) which helps you to automate some operations or create complex filters. We will add scripting to the Enterprise Edition of Event Log Explorer as well.

Forensics menu opens access to the forensic features of the program.

Add imaged computer lets you create a virtual computer in the Objects tree and access its log files as “live” logs.

Forensic open file lets you open event log files using a “forensic” method. This includes opening files without Windows API and allows you to open damaged files.

Deep scan lets you scan an event log file, a disk image or even a whole disk for events. This lets you extract events from highly damaged log files or unmounted or damaged disk images.

Take and Load snapshot let you save your current event log view into a file for future analysis.

I will write several articles about each new forensic feature soon, but now you can download and try the new forensic edition yourself:

Download Event Log Explorer Forensic Edition right now to get access to new forensic features of the program.

Setting up Windows to read events from remote computers over a local network.

Reading event logs from remote computers is crucial for network audit. Both Event Log Explorer and Windows Event Viewer applications allow the system administrators to read event logs remotely. However sometimes (mainly in no Active Directory environment) sysadmins have problems with accessing remote event logs. In this article, I’ll explain how to setup Windows to make event logs accessible over a network.

As a rule, you don’t need to change anything on your client computer (the computer on which you run Event Log Explorer or Windows Event Viewer). All the changes should be done on the audited computer.

First, you need to set up the firewall.

Run Windows application: Windows Defender Firewall with Advanced Security.

Select Inbound rules for your profile

Enable the following inbound rules:

Remote Event Log Management (RPC)
Remote Event Log Management (RPC-EPMAP)
Remove Event Monitor (RPC)
Remote Event Monitor (RPC-EPMAP)

Note that these settings are applied locally. If you run Active Directory and want to change these settings globally, you can do it in a similar way using Group Policy Management Editor.

Next, if you have a serverless network, you should check sharing and security model for local accounts. Open Local Security Policy, select Local Policies->Security Options in the left pane and make sure that the policy “Network access: Sharing and security model for local accounts” is set to Classic – local users authenticate as themselves.

Finally, you should grant permission to read event logs to your users. In no Active Directory environment, you can use Computer Management. In AD use Active Directory Users and Computers console.

Select the user under Local Users and Groups (or under your domain users). Double click on it to display Properties and select Member Of. Click Add and type Event Log Readers.

That’s all. If you modified Group Policy settings, you should apply your changes (e.g. by using gpupdate command).

Now you can start Event Log Explorer or Windows Event Viewer and open remote event logs.

Download Event Log Explorer right now and check the benefits it brings compared to Windows Event Viewer.

Case study – A new way to get regular reports about the problems.

Several years ago, I wrote an article about generating weekly reports about network issues. The main drawback of that method was the requirement to have Event Log Explorer running all the time (or at least running by the time when the scheduled task should be started). Since that time, we released new versions and editions of Event Log Explorer and now we can get the same result in a smarter way.

Let’s take the same task – getting reports about non-informational events in Application and System logs from different servers.

First, you need to install Event Log Explorer Enterprise Edition since Logexport utility is not available in Standard Edition.

After running Event Log Explorer, we should create a task which collects all non-informational events for the last 7 days. We can make this task from scratch, but we have template for this task (Admin events).

In the Objects tree browse for Task templates->Administrative and double click on Admin events.

Create task from template window will appear.

You can change the task name and task folder, but I will leave the default values.

Click Next and on Computer tab add your servers to the list

I will add only 2 servers, you can add any number of them.

You can optionally click Test connectivity button to check if the servers are accessible.

Click Next to proceed to the Logs page. Application and System logs are already in the list, but you can add extra logs. Click Next to proceed to the Filter page.

I will not change the filter setting taken from template, but you can modify them as you wish (e.g. change time interval to 1 day or exclude Waring events).

Click Next to review the column settings and then click Next again for the last step.

Now you should export your task into a file.

Consider that you have C:\Tasks folder for the task and exported documents, click Save button to save your task as “C:\Tasks\Admin Events.xml”.

Click Finish button – this will also create the task in the Objects tree.

Doubleclick on the task in the tree to review the events.

Open Command Prompt (or Windows Power Shell) and export task events to Excel

Type

"C:\Program Files (x86)\Event Log Explorer\logexport.exe" /TASK:"C:\Task\Admin Events.xml" /TARGET:EXCEL /TDIR:"C:\Tasks"

Open the Excel document in C:\Tasks folder and make sure that it’s correct.

Now we can schedule the task.

E.g. to start it every Monday at 7:00 AM type this command:

SCHTASKS /Create /TN "Event Log Explorer Tasks\TaskAdminEvents_Export"  /TR "'C:\Program Files (x86)\Event Log Explorer\logexport.exe' /FORMAT:Excel /Task:'C:\Tasks\Admin Events.xml' /TDir:'C:\Tasks'" /SC Weekly /D Mon /ST 08:00 /RU Michael /RP *********

That’s it, the task is scheduled to 8:00 every Monday. You can use Windows Task Scheduler to modify or verify the task.

It is important to specify the username and password using /RU and /RP parameters since the task should be started even if no user logged on your OC. Alternatively you can start the task under System account, but provide the credentials as command-line parameters for logexport.exe. In this case you can use the following command to create the task:

SCHTASKS /Create /TN "Event Log Explorer Tasks\TaskAdminEvents_Export"  /TR "'C:\Program Files (x86)\Event Log Explorer\logexport.exe' /FORMAT:Excel /Task:'C:\Tasks\Admin Events.xml' /TDir:'C:\Tasks' /User:FSPro\Michael /Password:**********" /SC Weekly /D Mon /ST 08:00 /RU System

Note that since you scheduled the task to start under the System account, you should run this command elevated (start Command Prompt or PowerShell as Admin).

Now you can run the task e.g. using Task Scheduler to make sure that it works correctly.

Download Event Log Explorer right now to build scheduled reports about problems in your network!

Event Log Explorer 5 beta 2

Recently we released a new beta of Event Log Explorer 5 and I will show you what features we added.

One of the great new features is a Task. The task defines what events will be picked, which computers from and how they will be displayed.

Example of a task: Display all warning, error and critical events from System and Application logs of VM2012 and SERV1 servers for the last day.

Let’s create it. To create this task, select Tree->Create Task from the main menu.

Input the task name (Sample task) and optionally describe the task.

Press Next button.

Add names of the computers from which the application will query events. Note that if you don’t add computers, Event Log Explorer will query events from the local computer.

Press Next button.

Add event log names you want to get events from. We will query Application and System logs only.

Press Next.

Now we should create an event query. We can simply use UI to build the query or type the query manually in the box. In the most cases you should not type the event query manually. So we will just tick Warning, Error and Critical levels and enable option to get events for the last 1 day.

Press Next button.

Leave the columns configuration unchanged for this task and press Next.

The task is ready. Tick “Start task now” and press Finish.

The task is started and will be displayed in a view Sample Task.

Note that the task was also added to the Tree. So now you can run it from the tree anytime.

Predefined task templates

Event Log Explorer comes with a set of predefined task templates. These templates let your run standard administrative tasks without learning how to create them.

Let’s take my old article Exploring who logged on the system and try to realize it with help of a template.

In the Objects tree browse to Task Templates->Audit.

You will find Audit logons template.

Double click on this template – it will create a new task based on the template.

In this task just switch to Computers page, add the server name and press Finish button. A new task (Audit Logons) will appear in the tree. Double click on it to run it.

Voila! The event view displays not only logon events, but it also set up custom columns and displays custom columns – User name and Logon type.

Note that we are currently accepting your suggestions on what predefined templates we should add to the program. You can even create a template yourself. To create a template, just create a task, click Save button menu and select Save as template.

We look forward to your feedback and suggestions on the latest version of Event Log Explorer. You can download it at https://eventlogxp.com/download.php