{"id":563,"date":"2022-10-05T16:01:54","date_gmt":"2022-10-05T16:01:54","guid":{"rendered":"https:\/\/eventlogxp.com\/blog\/?p=563"},"modified":"2022-10-05T16:01:54","modified_gmt":"2022-10-05T16:01:54","slug":"scripting-in-event-log-explorer","status":"publish","type":"post","link":"https:\/\/eventlogxp.com\/blog\/scripting-in-event-log-explorer\/","title":{"rendered":"Scripting in Event Log Explorer"},"content":{"rendered":"

Starting from version 5.1 Event Log Explorer comes with scripting support (scripting is implemented in the forensic and enterprise editions). Scrips help you automate many routine tasks and improve your performance.<\/p>\n

Scripting lets you can open logs, set filters, scan event views, remove specific events from a log view, export events and many more.<\/p>\n

The scripting language we use in Event Log Explorer is PascalScript (FastScript by FastReports). It is similar to Pascal language with some limitation. You can download our scripting reference at https:\/\/eventlogxp.com\/download\/elex_scripting.pdf<\/a><\/p>\n

Some sample scripts are available in folder “C:\\ProgramData\\Event Log Explorer\\Scripts\\Samples\\”.<\/p>\n

In this article we will write a script that merges security event log files located in one folder and displays only Audit Failure events.<\/p>\n

Let\u2019s start. First you need to start Event Log Explorer (Forensic or Enterprise edition) 5.2 or higher.<\/p>\n

From the main menu select Script -> Script Console. Now you can type your script.<\/p>\n

Consider that your log files are stored in C:\\LogList folder and security log file names start with ‘Sec’, e.g. ‘security-08-2022.evtx’.<\/p>\n

We have procedure GetFileList<\/strong> which returns list of files matching the specified mask. It copies the list into TStringList.<\/p>\n

To run this procedure, we have to create TStringList object first:<\/p>\n

var\r\n  FileList : TStringList;\r\nbegin\r\n  \/\/create object FileList of TStringList class\r\n  FileList := TStringList.Create;\r\n\r\n  \/\/ fill FileList with file names from C:\\LogList \r\n  \/\/ which start with 'sec' and have evtx file extension\r\n  GetFileList('C:\\LogList\\sec*.evtx', FileList);\r\n\r\n  \/\/ display the content of FileList in the debug console\r\n  DebugOut(FileList.Text);\r\n\r\n  \/\/ always free objects you created\r\n  FileList.Free;\r\nend.<\/pre>\n
Since you have a list of logs to merge, you can use function CreateLogFileMerger to open your files in a merger. This function is a method of TSApp class. When you start Event Log Explorer, it automatically creates an TheApp object which is a single instance of TSApp class (you cannot create TSApp instances manually).<\/p>\n
You can use TheApp properties and methods to manage Event Log Explorer application.<\/p>\n
CreateLogFileMerger creates an event log view contain events from all event log files in the list and returns a new TSLogView object associated with the log view.<\/p>\n
The first parameter of this function is FileNames of TStringList class. It is the same list we got by GetFileList function, but CreateLogFileMerger requires full path of file names. So, we need to add ‘C:\\LogList\\’ before every name in the list.<\/p>\n
Modifying the script as follows:<\/p>\n
var\r\n  FileList : TStringList;\r\n  i : Integer;<\/strong>\r\nbegin\r\n  \/\/create object FileList of TStringList class\r\n  FileList := TStringList.Create;\r\n\r\n  \/\/ fill FileList with file names from C:\\LogList \r\n  \/\/ which start with 'sec' and have evtx file extension\r\n  GetFileList('C:\\LogList\\sec*.evtx', FileList);\r\n\r\n  \/\/ Converting every name to full path name<\/strong>\r\n  for i := 0 to FileList.Count-1 do<\/strong>\r\n \u00a0\u00a0 FileList[i] := 'C:\\LogList\\'+FileList[i];<\/strong>\r\n\r\n  \/\/ display the content of FileList in the debug console\r\n  DebugOut(FileList.Text);\r\n\r\n  \/\/ always free objects you created\r\n  FileList.Free;\r\nend.<\/pre>\n
It’s time to create the merger. Add Merger declaration:<\/p>\n
var\r\n  Merger : TSLogView;<\/pre>\n
and Merger creation before FileList.Free:<\/p>\n
Merger := TheApp.CreateLogFileMerger(FileList, True);<\/pre>\n
The second parameter of CreateLogFileMerger \u00a0defines if the script waits until all the logs are loaded or not. Since we want to filter the merger, we should wait.<\/p>\n
To filter the log view, we can access the EventFilter property of the TSLogView and call EventFilterApply method to apply the filter:<\/p>\n
\/\/ Clear current filter first\r\n\r\nMerger.EventFilter.Clear;\r\n\r\n\/\/ Set filter to display Audit Failure events only\r\n\r\nMerger.EventFilter.EVT_AUDIT_FAILURE := True;\r\n\r\n\/\/ Apply the filter\r\n\r\nMerger.EventFilterApply;<\/pre>\n
The final script:<\/p>\n
var\r\n  Merger : TSLogView;\r\n  FileList : TStringList;\r\n  i : Integer;\r\nbegin\r\n  FileList := TStringList.Create;\r\n  GetFileList('C:\\LogList\\sec*.evtx', FileList);\r\n  for i := 0 to FileList.Count-1 do\r\n \u00a0\u00a0 FileList[i] := 'C:\\LogList\\'+FileList[i];\r\n  Merger := TheApp.CreateLogFileMerger(FileList, True);\r\n  FileList.Free;\r\n  Merger.EventFilter.Clear;\r\n  Merger.EventFilter.EVT_AUDIT_FAILURE := True;\r\n  Merger.EventFilterApply;\r\nend.<\/pre>\n
That’s all. As you can see, Event Log Explorer provides powerful, but not hard to use scripting mechanism to automate your tasks. Download Event Log Explorer (Forensic or Enterprise Edition)<\/a> and write your own event log scripts!<\/p>\n\"Facebook\"<\/a>\"twitter\"<\/a>\"reddit\"<\/a>\"pinterest\"<\/a>\"linkedin\"<\/a>\"mail\"<\/a>","protected":false},"excerpt":{"rendered":"
Starting from version 5.1 Event Log Explorer comes with scripting support (scripting is implemented in the forensic and enterprise editions). Scrips help you automate many routine tasks and improve your performance. Scripting lets you can open logs, set filters, scan event views, remove specific events from a log view, export events and many more. The scripting language we use in Event Log Explorer is PascalScript\u2026 Read More »<\/a><\/span><\/p>\n","protected":false},"author":2,"featured_media":565,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[83],"tags":[84],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/posts\/563"}],"collection":[{"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/comments?post=563"}],"version-history":[{"count":2,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/posts\/563\/revisions"}],"predecessor-version":[{"id":566,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/posts\/563\/revisions\/566"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/media\/565"}],"wp:attachment":[{"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/media?parent=563"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/categories?post=563"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/tags?post=563"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}