Scripting in Event Log Explorer

By | October 5, 2022

Starting from version 5.1 Event Log Explorer comes with scripting support (scripting is implemented in the forensic and enterprise editions). Scrips help you automate many routine tasks and improve your performance.

Scripting lets you can open logs, set filters, scan event views, remove specific events from a log view, export events and many more.

The scripting language we use in Event Log Explorer is PascalScript (FastScript by FastReports). It is similar to Pascal language with some limitation. You can download our scripting reference at https://eventlogxp.com/download/elex_scripting.pdf

Some sample scripts are available in folder “C:\ProgramData\Event Log Explorer\Scripts\Samples\”.

In this article we will write a script that merges security event log files located in one folder and displays only Audit Failure events.

Let’s start. First you need to start Event Log Explorer (Forensic or Enterprise edition) 5.2 or higher.

From the main menu select Script -> Script Console. Now you can type your script.

Consider that your log files are stored in C:\LogList folder and security log file names start with ‘Sec’, e.g. ‘security-08-2022.evtx’.

We have procedure GetFileList which returns list of files matching the specified mask. It copies the list into TStringList.

To run this procedure, we have to create TStringList object first:

var
  FileList : TStringList;
begin
  //create object FileList of TStringList class
  FileList := TStringList.Create;

  // fill FileList with file names from C:\LogList 
  // which start with 'sec' and have evtx file extension
  GetFileList('C:\LogList\sec*.evtx', FileList);

  // display the content of FileList in the debug console
  DebugOut(FileList.Text);

  // always free objects you created
  FileList.Free;
end.

Since you have a list of logs to merge, you can use function CreateLogFileMerger to open your files in a merger. This function is a method of TSApp class. When you start Event Log Explorer, it automatically creates an TheApp object which is a single instance of TSApp class (you cannot create TSApp instances manually).

You can use TheApp properties and methods to manage Event Log Explorer application.

CreateLogFileMerger creates an event log view contain events from all event log files in the list and returns a new TSLogView object associated with the log view.

The first parameter of this function is FileNames of TStringList class. It is the same list we got by GetFileList function, but CreateLogFileMerger requires full path of file names. So, we need to add ‘C:\LogList\’ before every name in the list.

Modifying the script as follows:

var
  FileList : TStringList;
  i : Integer;
begin
  //create object FileList of TStringList class
  FileList := TStringList.Create;

  // fill FileList with file names from C:\LogList 
  // which start with 'sec' and have evtx file extension
  GetFileList('C:\LogList\sec*.evtx', FileList);

  // Converting every name to full path name
  for i := 0 to FileList.Count-1 do
    FileList[i] := 'C:\LogList\'+FileList[i];

  // display the content of FileList in the debug console
  DebugOut(FileList.Text);

  // always free objects you created
  FileList.Free;
end.

It’s time to create the merger. Add Merger declaration:

var
  Merger : TSLogView;

and Merger creation before FileList.Free:

Merger := TheApp.CreateLogFileMerger(FileList, True);

The second parameter of CreateLogFileMerger  defines if the script waits until all the logs are loaded or not. Since we want to filter the merger, we should wait.

To filter the log view, we can access the EventFilter property of the TSLogView and call EventFilterApply method to apply the filter:

// Clear current filter first

Merger.EventFilter.Clear;

// Set filter to display Audit Failure events only

Merger.EventFilter.EVT_AUDIT_FAILURE := True;

// Apply the filter

Merger.EventFilterApply;

The final script:

var
  Merger : TSLogView;
  FileList : TStringList;
  i : Integer;
begin
  FileList := TStringList.Create;
  GetFileList('C:\LogList\sec*.evtx', FileList);
  for i := 0 to FileList.Count-1 do
    FileList[i] := 'C:\LogList\'+FileList[i];
  Merger := TheApp.CreateLogFileMerger(FileList, True);
  FileList.Free;
  Merger.EventFilter.Clear;
  Merger.EventFilter.EVT_AUDIT_FAILURE := True;
  Merger.EventFilterApply;
end.

That’s all. As you can see, Event Log Explorer provides powerful, but not hard to use scripting mechanism to automate your tasks. Download Event Log Explorer (Forensic or Enterprise Edition) and write your own event log scripts!

Facebooktwitterredditpinterestlinkedinmail