dominique.vocat

Merge evtx files?

3 posts in this topic

Hi,

I am looking into reading and writing evtx files (Vista/Win2008 Eventlog). It seems it is just XML, but binary coded XML. Now I have found no useful documentation on Binary XML and am pretty much stuck.

What I am looking for is to have an evtx file with some event log records in it and merge the event log records from a second evtx into the first one (to keep a number of messages in one file).

Has anyone had any success in doing one of the involved steps? Any pointers or ideas greatly appreciated.

Regards

Doesn't the answer found as first response from googling "evtx" get you somewhere?


Doesn't the answer found as first response from googling "evtx" get you somewhere?

Oh, I do export certain events via a Task Scheduler task hooked on an event and use wevtutil to export an event record into an evtx file. I would, however, like to conserve all extra information of the new format and merge on a server the messages I get into evtx files per machine (as opposed to polling 2k machines that are roaming all the time like Microsoft does, yuck).

No luck in merging, however. There is a tool that merges .evt files but not evtx.

So... any help with binary XML or straight evtx is appreciated :-).
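The EVTX structure asked about in this thread, as an added example that is not part of the original posts: a Python script that builds a constructed one-chunk, one-record EVTX image and parses it back, verifying the file-header, chunk-header and record-area CRC32 checksums and walking the records. The header offsets follow the EVTX on-disk layout as documented by open-source EVTX parsers; the binary XML body is a constructed placeholder and is not decoded.

```python
import struct
import zlib
FILE_HEADER_SIZE = 4096   # the file header occupies one 4 KiB block
CHUNK_SIZE = 65536        # every chunk is a fixed 64 KiB block
RECORD_SIG = 0x2A2A0000   # "**\x00\x00" at the start of every event record
EPOCH_DIFF = 116444736000000000  # FILETIME ticks (100 ns) from 1601-01-01 to 1970-01-01

def build_sample_evtx():
    """Constructed one-chunk, one-record EVTX image (test data, not a real Windows log)."""
    payload = b"\x0f\x01\x01\x00"          # constructed stand-in for the binary XML body
    rec_size = 28 + len(payload)           # 24-byte record header + body + trailing size copy
    record = (struct.pack("<IIQQ", RECORD_SIG, rec_size, 1, 132537600000000000)
              + payload + struct.pack("<I", rec_size))
    # Chunk header: record numbers/ids, header size, last record offset, free space offset, record-area CRC32, 64 unknown bytes, flags; then CRC32 of bytes 0-119 + 128-511
    chunk_hdr = (b"ElfChnk\x00"
                 + struct.pack("<QQQQIIII", 1, 1, 1, 1, 128, 512, 512 + rec_size, zlib.crc32(record))
                 + b"\x00" * 64 + struct.pack("<I", 0))
    tables = b"\x00" * 384                 # string-offset and template-pointer tables (empty)
    chunk = chunk_hdr + struct.pack("<I", zlib.crc32(chunk_hdr[:120] + tables)) + tables + record
    chunk += b"\x00" * (CHUNK_SIZE - len(chunk))
    # File header: chunk numbers, next record id, header size, minor/major version, block size, chunk count, 76 unknown bytes; then flags and CRC32 of the first 120 bytes
    hdr = b"ElfFile\x00" + struct.pack("<QQQIHHHH", 0, 0, 2, 128, 1, 3, 4096, 1) + b"\x00" * 76
    hdr += struct.pack("<II", 0, zlib.crc32(hdr))
    return hdr + b"\x00" * (FILE_HEADER_SIZE - len(hdr)) + chunk

def _check(ok, msg):
    if not ok:
        raise ValueError(msg)

def parse_evtx(data):
    """Verify the three checksum layers and return every chunk's records."""
    _check(data[:8] == b"ElfFile\x00", "not an EVTX file")
    _, _, next_id, _, minor, major, _, nchunks = struct.unpack_from("<QQQIHHHH", data, 8)
    _check(struct.unpack_from("<I", data, 124)[0] == zlib.crc32(data[:120]), "file header checksum mismatch")
    records = []
    for n in range(nchunks):
        chunk = data[FILE_HEADER_SIZE + n * CHUNK_SIZE:][:CHUNK_SIZE]
        free_off, rec_crc = struct.unpack_from("<II", chunk, 48)
        _check(struct.unpack_from("<I", chunk, 124)[0] == zlib.crc32(chunk[:120] + chunk[128:512]),
               f"chunk {n}: header checksum mismatch")
        _check(rec_crc == zlib.crc32(chunk[512:free_off]), f"chunk {n}: record area checksum mismatch")
        off = 512
        while off < free_off:                # walk records up to the free-space offset
            sig, size, rec_id, ft = struct.unpack_from("<IIQQ", chunk, off)
            _check(sig == RECORD_SIG and struct.unpack_from("<I", chunk, off + size - 4)[0] == size,
                   f"chunk {n}: corrupt record at offset {off}")
            records.append((rec_id, (ft - EPOCH_DIFF) // 10_000_000, chunk[off + 24:off + size - 4]))
            off += size
    return {"version": (major, minor), "chunks": nchunks, "next_record_id": next_id, "records": records}
```

It also shows why two files cannot simply be concatenated: record identifiers, each chunk's string and template tables and all three checksums must be rebuilt when records move between files.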
