Starting from version 5.1, Event Log Explorer comes with scripting support (scripting is implemented in the Forensic and Enterprise editions). Scripts help you automate many routine tasks and improve your productivity.
Scripting lets you open logs, set filters, scan event views, remove specific events from a log view, export events, and more.
The scripting language used in Event Log Explorer is PascalScript (FastScript by FastReports). It is similar to the Pascal language, with some limitations. You can download our scripting reference at https://eventlogxp.com/download/elex_scripting.pdf
Some sample scripts are available in the folder “C:\ProgramData\Event Log Explorer\Scripts\Samples\”.
In this article we will write a script that merges security event log files located in one folder and displays only Audit Failure events.
Let’s start. First, start Event Log Explorer (Forensic or Enterprise edition) 5.2 or higher.
From the main menu select Script -> Script Console. Now you can type your script.
Assume that your log files are stored in the C:\LogList folder and that the security log file names start with ‘Sec’, e.g. ‘security-08-2022.evtx’.
Event Log Explorer provides the GetFileList procedure, which returns the list of files matching the specified mask. It copies the list into a TStringList.
To call this procedure, we first have to create a TStringList object:
var
  FileList : TStringList;
begin
  // create object FileList of TStringList class
  FileList := TStringList.Create;
  // fill FileList with file names from C:\LogList
  // which start with 'sec' and have evtx file extension
  GetFileList('C:\LogList\sec*.evtx', FileList);
  // display the content of FileList in the debug console
  DebugOut(FileList.Text);
  // always free objects you created
  FileList.Free;
end.
Now that you have a list of logs to merge, you can use the CreateLogFileMerger function to open your files in a merger. This function is a method of the TSApp class. When you start Event Log Explorer, it automatically creates a TheApp object, which is the single instance of the TSApp class (you cannot create TSApp instances manually).
You can use TheApp properties and methods to manage Event Log Explorer application.
CreateLogFileMerger creates an event log view containing events from all event log files in the list and returns a new TSLogView object associated with that log view.
The first parameter of this function is FileNames of the TStringList class. It is the same list we got from the GetFileList procedure, but CreateLogFileMerger requires full paths. So, we need to prepend ‘C:\LogList\’ to every name in the list.
Modify the script as follows:
var
  FileList : TStringList;
  i        : Integer;
begin
  // create object FileList of TStringList class
  FileList := TStringList.Create;
  // fill FileList with file names from C:\LogList
  // which start with 'sec' and have evtx file extension
  GetFileList('C:\LogList\sec*.evtx', FileList);
  // convert every name to a full path name
  for i := 0 to FileList.Count - 1 do
    FileList[i] := 'C:\LogList\' + FileList[i];
  // display the content of FileList in the debug console
  DebugOut(FileList.Text);
  // always free objects you created
  FileList.Free;
end.
It’s time to create the merger. Add the Merger declaration:
var Merger : TSLogView;
and the Merger creation before FileList.Free:
Merger := TheApp.CreateLogFileMerger(FileList, True);
The second parameter of CreateLogFileMerger defines whether the function waits until all the logs are loaded before returning. Since we want to filter the merger right away, we should wait.
To filter the log view, we access the EventFilter property of the TSLogView and then call the EventFilterApply method to apply the filter:
// clear the current filter first
Merger.EventFilter.Clear;
// set the filter to display Audit Failure events only
Merger.EventFilter.EVT_AUDIT_FAILURE := True;
// apply the filter
Merger.EventFilterApply;
The final script:
var
  Merger   : TSLogView;
  FileList : TStringList;
  i        : Integer;
begin
  FileList := TStringList.Create;
  GetFileList('C:\LogList\sec*.evtx', FileList);
  for i := 0 to FileList.Count - 1 do
    FileList[i] := 'C:\LogList\' + FileList[i];
  Merger := TheApp.CreateLogFileMerger(FileList, True);
  FileList.Free;
  Merger.EventFilter.Clear;
  Merger.EventFilter.EVT_AUDIT_FAILURE := True;
  Merger.EventFilterApply;
end.
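As an added example (not part of the article or the Event Log Explorer sample scripts), here is a variant of the final script that skips merging when no file matches the mask and frees the list even if CreateLogFileMerger fails; it uses only the script functions shown above plus try/finally and IntToStr, which I assume this PascalScript dialect provides.

```pascal
var
  Merger   : TSLogView;
  FileList : TStringList;
  Folder   : String;
  i        : Integer;
begin
  // folder to scan; adjust to your own log location
  Folder := 'C:\LogList\';
  FileList := TStringList.Create;
  try
    GetFileList(Folder + 'sec*.evtx', FileList);
    if FileList.Count = 0 then
      // nothing to merge: report it instead of opening an empty merger
      DebugOut('No files matching sec*.evtx found in ' + Folder)
    else
    begin
      // CreateLogFileMerger needs full paths, so prepend the folder
      for i := 0 to FileList.Count - 1 do
        FileList[i] := Folder + FileList[i];
      // IntToStr is assumed to be available in the script runtime
      DebugOut('Merging ' + IntToStr(FileList.Count) + ' file(s):');
      DebugOut(FileList.Text);
      // wait for all logs to load (True) before filtering
      Merger := TheApp.CreateLogFileMerger(FileList, True);
      Merger.EventFilter.Clear;
      Merger.EventFilter.EVT_AUDIT_FAILURE := True;
      Merger.EventFilterApply;
    end;
  finally
    // freed on every path, including a failure inside the merge
    FileList.Free;
  end;
end.
```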
That’s all. As you can see, Event Log Explorer provides a powerful but easy-to-use scripting mechanism to automate your tasks. Download Event Log Explorer (Forensic or Enterprise Edition) and write your own event log scripts!