Custom columns allow you to add your own columns to the event list.
This feature is mostly helpful for Security event logs when you need to display some information from the event description, e.g. Account name, User logon name, file name, process name etc.
To display Custom column dialog box, select View->Custom Columns from the main menu of the program or right click on a column title in the event list and then select Custom Columns.
Just click on Colmn# (# is a column number) in the top of the dialog to add a specific column.
Load preset fills the column from a saved preset.
Column title. Input the display name of the column.
Event source, Event ID(s). Input source name and Event IDs for which custom column will be calculated. If you leave these fields empty, Event Log Explorer will try to calculate custom column for each event.
Value. Input how Event Log Explorer will calculate value of the custom column. Value Helper helps you to select the right value from the list of available values.
You should use column identified from the event XML representation.
Let's take an event sample:
To get fields under the System node, just use the key name in the curly brackets {}. E.g. to get Keywords, just use {Keywords}. To get values of the keys with attributes, add the attribute name in the square brackets []. E.g. to get ProcessID, use {Execution[ProcessID]}.
To get fields under EventData or UserData nodes, use {DATA[Index]} where Index is either a number of the value under EventData/UserData node or a value name under EventData node. E.g. to get ProcessName in the example below, use {DATA[8]} or {DATA[ProcessName]}.
You can get several parameters in one field. E.g. if you want to display user name as DOMAIN\ACCOUNT NAME, you should input the following Value:
{DATA[SubjectDomainName]}\{DATA[SubjectUserName]}
or
{DATA[3]}\{DATA[2]}
Formula (available in the Forensic or Enterprise editions of Event Log Explorer).
If checked, the value will be processed by the script engine. E.g. in the sample above, you the ProcessName specifies the full path to the process. If you want to see only file names in the event list, input the following Value:
ExtractFileName('{DATA[ProcessName]}')
This process works in 2 steps:
1. It resolves values in the curly braces, resulting in:
ExtractFileName('C:\Windows\Explorer.exe')
2. This line is then processed in the script engine.
The function ExtractFileName is defined as:
function ExtractFileName(FileName : String) : String;
It extracts the name of the parameter passed to this function. So it will return 'Explorer.exe'.
If you need a more complex script, define your own functions in file
"\ProgramData\Event Log Explorer\Scripts\cfformulas.pas" and use them.
Refer to 'Scripting Reference' for more information about scripts.
Be aware that processing processing scripts is time-consuming, so calculating the custom columns with formulas may take long time for large logs.
Treat value as defines the type of the custom column value:
-
Text - returns the value as is. Always use it when the result is a text-based or the value type is uncertain.
-
Integer - Interprets the value as an integer. If the value cannot be converted to an integer, an empty value will be displayed.
-
Float - Interprets the value as a floating-point number. If the value cannot be converted to a float, an empty value will be displayed.
-
Date & Time - Interprets the value as a date & time value in the ISO 8601 format (e.g., yyyy-mm-ddThh:mm:ss.sssZ). While not all ISO 8601 variations are supported (e.g., 20240101), using a space instead of the 'T' delimiter (e.g., 2024-01-01 10:10:10) is allowed. Event Log Explorer displays such dates in the default date & time format. If the value cannot be converted to date & time, an empty value will be shown.
Test - calculates the custom column value for the current event and displays it.
You can also use a legacy custom column format from Event Log Explorer 4.x that based on event descriptions.
E.g., if you have an event description:
Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege
To display Account Name in a custom column, use {Subject\Account Name}.