Hi
I've started using logparser as per Ch7 of Harlan's 4/E publication, using syntax:
logparser -i:evt -o:csv -stats:OFF "Select RecordNumber,TO_UTCTIME(TimeGenerated),EventID,SourceName,ComputerName,SID,Strings from sourcefile" > targetfile
Seems that as soon as logparser hits an EventData field with multiple lines (not sure that's the right terminology!), the output gets severely disrupted. For example, EventData from Application.evtx (as viewed in Event Viewer) which looks like this:
Using configuration file: C:\ProgramData\VMware\vmnetnat.conf. IP address: 192.168.126.2 Subnet: 255.255.255.0 External IP address: 0.0.0.0 Device: vmnet8. MAC address: 00:50:56:E9:61:00. Ignoring host MAC address: 00:50:56:C0:00:08.
Is listed with the first part "Using configuration file: " in the same line as the rest of the data but then with this on subsequent lines:
C:\ProgramData\VMware\vmnetnat.conf.
IP address: 192.168.126.2
Subnet: 255.255.255.0
External IP address: 0.0.0.0
Device: vmnet8.
MAC address: 00:50:56:E9:61:00.
Ignoring host MAC address: 00:50:56:C0:00:08.
Another example, this time from Security.evtx:
- EventData
ProcessId 1704
UserSid S-1-5-19
UserName NT AUTHORITY\LOCAL SERVICE
ProviderKey {DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}
ProviderName Microsoft Corporation
ChangeType %%16384
FilterKey {97DD9B3E-B170-4BBB-B96C-EBC65BFE04B1}
FilterName Boot Time Filter
FilterType %%16388
FilterId 171161
LayerKey {A3B42C97-9F04-4672-B87E-CEE9C483257F}
LayerName ALE Receive/Accept v6 Layer
LayerId 46
Weight 18446744073709551615
Conditions (text is indented) Condition ID: {3971ef2b-623e-4f9a-8cb1-6e79b806b9a7} Match value: Equal to Condition value: 0x3a Condition ID: {0c1ba1af-5765-453f-af22-a8f791ac775b} Match value: Equal to Condition value: 0x0086 Condition ID: {6ec7f6c4-376b-45d7-9e9c-d337cedcd237} Match value: Equal to Condition value: 0x03 Condition ID: {89f990de-e798-4e6d-ab76-7c9558292e6f} Match value: Equal to Condition value: 0x00000083 Condition ID: {511166dc-7a8c-4aa7-b533-95ab59fb0340} Match value: Equal to Condition value: 0x0000000e Condition ID: {46ea1551-2255-492b-8019-aabeee349f40} Match value: Equal to Condition value: 0x00000003 Condition ID: {ab3033c9-c0e3-4759-937d-5758c65d4ae3} Match value: Equal to Condition value: 0x00000000
Action %%16390
CalloutKey {00000000-0000-0000-0000-000000000000}
CalloutName -
Is listed similarly with the data appearing neatly until this starts appearing on separate lines:
Condition ID: {3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}
Match value: Equal to
Condition value: 0x3a
Condition ID: {0c1ba1af-5765-453f-af22-a8f791ac775b}
Match value: Equal to
Condition value: 0x0086
Condition ID: {6ec7f6c4-376b-45d7-9e9c-d337cedcd237}
Match value: Equal to
Condition value: 0x03
Condition ID: {89f990de-e798-4e6d-ab76-7c9558292e6f}
Match value: Equal to
Condition value: 0x00000083
Condition ID: {511166dc-7a8c-4aa7-b533-95ab59fb0340}
Match value: Equal to
Condition value: 0x0000000e
Condition ID: {46ea1551-2255-492b-8019-aabeee349f40}
Match value: Equal to
Condition value: 0x00000003
Condition ID: {ab3033c9-c0e3-4759-937d-5758c65d4ae3}
Match value: Equal to
Condition value: 0x00000000
|%%16390|{00000000-0000-0000-0000-000000000000}|-
I've not worked out yet what causes the line breaks - it seems to be relatively random, but may not be? I'm hoping I'm not the first to come across this issue. I haven't been able to locate a solution; can anyone assist in resolving this? I'm afraid I don't have coding skills. I've tried using the TSV output option, but it seems to come unstuck at the same point.
Windows 7 Enterprise SP1 - have tested with EVTX files from 32- and 64-bit in a corporate domain environment
Cheers
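One way to repair output like the above after the fact, as an added example that is not the poster's work and not part of logparser: a short Python script that reads the CSV logparser produced, treats any physical line that does not begin with "RecordNumber,timestamp," as a wrapped continuation of the previous record's Strings field, joins it back on with a space, and then parses the result with Python's csv module (which also copes with quoted fields that span lines). The sample CSV below is constructed to mirror the two cases in the post; the record numbers, timestamps and event IDs are made-up values. It assumes logparser's default "YYYY-MM-DD hh:mm:ss" timestamp format for TO_UTCTIME(TimeGenerated) and that the query column order is the one used in the post.

```python
import csv
import io
import re
import sys

# A logical record starts with "<RecordNumber>,<YYYY-MM-DD hh:mm:ss>,"
# (logparser's default timestamp rendering). Any line that does not match
# is assumed to be a line-wrapped continuation of the previous record.
RECORD_START = re.compile(r"^\d+,\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},")

# Constructed sample of a damaged logparser CSV file (not real output):
#  - record 1001: Strings field broken over several unquoted lines
#  - record 1002: Strings field quoted but still spanning lines
#  - record 1003: an ordinary one-line record
SAMPLE_CSV = r"""RecordNumber,TO_UTCTIME(TimeGenerated),EventID,SourceName,ComputerName,SID,Strings
1001,2012-03-14 09:15:27,1000,VMware NAT Service,WKSTN01,,Using configuration file: C:\ProgramData\VMware\vmnetnat.conf.
IP address: 192.168.126.2
Subnet: 255.255.255.0
External IP address: 0.0.0.0
Device: vmnet8.
MAC address: 00:50:56:E9:61:00.
Ignoring host MAC address: 00:50:56:C0:00:08.
1002,2012-03-14 09:16:02,5447,Microsoft-Windows-Security-Auditing,WKSTN01,S-1-5-19,"1704|S-1-5-19|NT AUTHORITY\LOCAL SERVICE|Boot Time Filter|Condition ID: {3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}
Match value: Equal to
Condition value: 0x3a"
1003,2012-03-14 09:16:30,4608,Microsoft-Windows-Security-Auditing,WKSTN01,S-1-5-18,-
"""


def reassemble_records(text):
    """Return one logical line per event record.

    The header line and every line matching RECORD_START open a new record;
    anything else is appended to the previous record with the line break
    replaced by a single space, so the Strings field ends up on one line.
    """
    logical = []
    for line in text.splitlines():
        if not line.strip():
            continue  # skip blank lines between records
        if not logical or RECORD_START.match(line):
            logical.append(line)
        else:
            logical[-1] = logical[-1] + " " + line.strip()
    return logical


def parse_records(text):
    """Parse reassembled logparser CSV text into a list of dicts keyed by column."""
    reader = csv.DictReader(io.StringIO("\n".join(reassemble_records(text))))
    return list(reader)


def rewrite_csv(in_path, out_path):
    """Read a damaged logparser CSV and write it back with one row per event."""
    with open(in_path, encoding="utf-8", errors="replace") as fh:
        records = parse_records(fh.read())
    if not records:
        return 0
    with open(out_path, "w", newline="", encoding="utf-8") as fh:
        writer = csv.DictWriter(fh, fieldnames=list(records[0].keys()))
        writer.writeheader()
        writer.writerows(records)
    return len(records)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(rewrite_csv(sys.argv[1], sys.argv[2]), "records written")
    else:
        # No arguments: demonstrate on the constructed sample
        for rec in parse_records(SAMPLE_CSV):
            print(rec["RecordNumber"], rec["EventID"], rec["Strings"][:60])
```

Run it as `python fix_logparser_csv.py targetfile fixed.csv` to get a file with exactly one row per event, which is what timeline tools and spreadsheets expect. If a record number or timestamp ever falls at the start of a wrapped Strings line the regex would split that record in two, so it is worth checking that the number of rows written matches the record count logparser reported.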