Event Log EVTX Files

Overview

Evidence: Event Log EVTX Files
Description: Collect Event Log EVTX Files
Category: System
Platform: Windows
Short Name: evtxfiles
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): Yes

Background

Windows EVTX logs store structured event records across system, security, application, and other channels. They are critical for investigating security incidents and operational issues.

Data Collected

This collector gathers structured data about EVTX files and their channels.

EVTX Files Data

Field         Description                    Example
ID            Primary key (auto-increment)   1
Channel       Event log channel              Security
ProviderName  Event provider name            Microsoft-Windows-Security-Auditing
EventCount    Total events in file           12000
FilePath      EVTX file path                 C:\Windows\System32\winevt\Logs\Security.evtx

Collection Method

This collector parses the necessary data from the event_logs table and collects files from:

  • C:\Windows\System32\winevt\Logs\

Usage

Analyze authentication events, process creation, and other telemetry to detect attacks and reconstruct timelines.

Notes

Large channels may be rotated; ensure all fragments are analyzed.
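The following PowerShell is an added example, not part of this collector or its documentation. It reproduces the per-channel view described under Data Collected (Channel, ProviderName, EventCount, FilePath) from a live host using Get-WinEvent -ListLog, and then addresses the note above by locating rotated fragments: when a channel is configured to archive the log when full, Windows writes Archive-<Channel>-<yyyy-MM-dd-HH-mm-ss-fff>.evtx beside the live file (with "/" in the channel name encoded as "%4"). The function names Get-EvtxInventory and Get-EvtxFragments are assumptions for this example.

```powershell
# Added example: inventory live EVTX channels and find rotated archive fragments.
# Get-EvtxInventory / Get-EvtxFragments are hypothetical names chosen for this snippet.

$LogDir = Join-Path $env:SystemRoot 'System32\winevt\Logs'

function Get-EvtxInventory {
    # Get-WinEvent -ListLog exposes RecordCount, LogFilePath and the owning
    # provider from the Event Log service; channels the caller cannot read are skipped.
    Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordCount -gt 0 } |
        ForEach-Object {
            [pscustomobject]@{
                Channel      = $_.LogName
                ProviderName = $_.OwningProviderName
                EventCount   = $_.RecordCount
                FilePath     = [Environment]::ExpandEnvironmentVariables($_.LogFilePath)
            }
        }
}

function Get-EvtxFragments {
    param([string]$Path = $LogDir)
    # Rotated files follow Archive-<Channel>-<yyyy-MM-dd-HH-mm-ss-fff>.evtx.
    # Group them by channel, oldest first, so the live file plus every archive
    # fragment is accounted for when a timeline is rebuilt.
    Get-ChildItem -Path $Path -Filter 'Archive-*.evtx' -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.BaseName -match '^Archive-(?<chan>.+)-(?<stamp>\d{4}(-\d{2}){5}-\d{3})$') {
                [pscustomobject]@{
                    # "%4" is how Windows encodes "/" in channel file names
                    Channel   = $Matches.chan -replace '%4', '/'
                    Stamp     = $Matches.stamp
                    FilePath  = $_.FullName
                    SizeBytes = $_.Length
                }
            }
        } |
        Sort-Object Channel, Stamp |
        Group-Object Channel
}

# Usage: show the busiest channels, then every channel that has been rotated.
Get-EvtxInventory | Sort-Object EventCount -Descending | Format-Table -AutoSize
foreach ($g in Get-EvtxFragments) {
    "{0}: {1} archived fragment(s)" -f $g.Name, $g.Count
    $g.Group | Format-Table Stamp, SizeBytes, FilePath -AutoSize
}
```

Run it in an elevated session: the Security channel and its archives are not readable by standard users, so without elevation Get-EvtxInventory silently omits the channel that matters most. Each archive fragment listed can then be opened with Get-WinEvent -Path so its records are merged into the same timeline as the live file.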
