Tags: c#, logging, event-viewer

C# EventViewer Logs Parsing


I am in charge of parsing forwarded EventViewer (evt) logs (Windows 7?). To do this I run a query using Log Parser 2.2 over the logs, pulling out specific EventIDs and writing these to a CSV file. However, I am considering using EventViewerReader to do this instead.

The query I am doing on these evt files includes a "strings" column which outputs a bunch of junk, usually of the format SID|Username|Usergroup|..., but it isn't consistent. What I want is a consistent way to get the username for these events and filter out the useless data. The problem is that I don't understand the format of the output. I am wondering if these events have a standard format or if this is a custom format from my work? The method I have right now basically looks for known usergroups and checks for potential usernames to the left of them (skipping "LOCAL SERVICE", "NETWORK SERVICE", "-", and some other keywords). My issue with this method is that I don't know all of the usergroups, and I can get false positives on usernames.

Here are some of the EventID Codes I am looking at: https://www.ultimatewindowssecurity.com/securitylog/quickref/downloads/quickref.zip

4624    An account was successfully logged on
4625    An account failed to log on
4647    User initiated logoff
4648    A logon was attempted using explicit credentials
4800    The workstation was locked
4801    The workstation was unlocked
4802    The screen saver was invoked
4803    The screen saver was dismissed

Solution

  • I ended up looking closer at the evt files and saw they have a set XML schema. "Strings" isn't really an element, but the concatenated values of the EventData child Data elements. All I did was look at the schema for each EventID and find the depth of the username in each event type.

    I think it was strings[5] (TargetUserName) for logon/logoff, strings[0] for a couple others, and strings[1] for a couple more.

    <EventData>
      <Data Name="SubjectUserSid">S-1-5-18</Data> 
      <Data Name="SubjectUserName">XXX-PC$</Data> 
      <Data Name="SubjectDomainName">WORKGROUP</Data> 
      <Data Name="SubjectLogonId">0x3e7</Data> 
      <Data Name="TargetUserSid">S-1-5-18</Data> 
      <Data Name="TargetUserName">SYSTEM</Data> 
      <Data Name="TargetDomainName">NT AUTHORITY</Data> 
      <Data Name="TargetLogonId">0x3e7</Data>
    ...
    </EventData>
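The answer's observation generalizes: every EventData value carries a Name attribute, so the username can be selected by name ("TargetUserName") instead of by its position in the concatenated Strings column, which is what changes from one Event ID to the next. The following is an added example, not code from the question or the answer. It assumes a helper class called SecurityEventUser (a hypothetical name), uses the EventData block shown in the answer as one constructed sample, and adds a second constructed sample with a made-up domain, user and SID for the positive case. It also filters by the well-known SIDs of the built-in service accounts (S-1-5-18 SYSTEM, S-1-5-19 LOCAL SERVICE, S-1-5-20 NETWORK SERVICE) and by the trailing "$" of computer accounts, which is more reliable than matching on usergroup names.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

// Added example (hypothetical helper), not code from the original post.
// Pulls the target user out of a Security event by Data Name rather than by
// index into the "Strings" column, so the same code works for 4624, 4625,
// 4647, 4648 and 4800-4803 without a per-EventID offset table.
public static class SecurityEventUser
{
    // Well-known SIDs of built-in service accounts; logons by these are noise
    // when the question is "which person logged on / unlocked the console".
    static readonly HashSet<string> ServiceSids = new HashSet<string>(StringComparer.Ordinal)
    {
        "S-1-5-18", // NT AUTHORITY\SYSTEM
        "S-1-5-19", // NT AUTHORITY\LOCAL SERVICE
        "S-1-5-20", // NT AUTHORITY\NETWORK SERVICE
    };

    // Reads every <Data Name="..."> child of <EventData> into a dictionary.
    // Matching on LocalName makes this work both for a bare EventData fragment
    // and for the full <Event xmlns=...> document that EventRecord.ToXml() returns.
    public static Dictionary<string, string> ParseEventData(string eventXml)
    {
        XElement root = XElement.Parse(eventXml);
        XElement eventData = root.Name.LocalName == "EventData"
            ? root
            : root.Descendants().FirstOrDefault(e => e.Name.LocalName == "EventData");

        var fields = new Dictionary<string, string>(StringComparer.Ordinal);
        if (eventData == null) return fields;

        foreach (XElement data in eventData.Elements().Where(e => e.Name.LocalName == "Data"))
        {
            string name = (string)data.Attribute("Name");
            if (!string.IsNullOrEmpty(name)) fields[name] = data.Value;
        }
        return fields;
    }

    // Returns "DOMAIN\user" for a human account, or null when the event belongs
    // to a service account, a computer account (name ends in "$") or the "-"
    // placeholder, so the caller can drop the row from the CSV.
    public static string GetTargetUser(string eventXml)
    {
        Dictionary<string, string> f = ParseEventData(eventXml);
        f.TryGetValue("TargetUserSid", out string sid);
        f.TryGetValue("TargetUserName", out string user);
        f.TryGetValue("TargetDomainName", out string domain);

        if (string.IsNullOrEmpty(user) || user == "-") return null;
        if (user.EndsWith("$", StringComparison.Ordinal)) return null;   // machine account
        if (sid != null && ServiceSids.Contains(sid)) return null;        // SYSTEM and friends
        return string.IsNullOrEmpty(domain) ? user : domain + "\\" + user;
    }

    // Constructed sample 1: the EventData block quoted in the answer (a SYSTEM logon).
    const string SystemLogon =
        "<EventData>" +
        "<Data Name=\"SubjectUserSid\">S-1-5-18</Data>" +
        "<Data Name=\"SubjectUserName\">XXX-PC$</Data>" +
        "<Data Name=\"SubjectDomainName\">WORKGROUP</Data>" +
        "<Data Name=\"SubjectLogonId\">0x3e7</Data>" +
        "<Data Name=\"TargetUserSid\">S-1-5-18</Data>" +
        "<Data Name=\"TargetUserName\">SYSTEM</Data>" +
        "<Data Name=\"TargetDomainName\">NT AUTHORITY</Data>" +
        "<Data Name=\"TargetLogonId\">0x3e7</Data>" +
        "</EventData>";

    // Constructed sample 2: a made-up interactive user; domain, name and SID are invented.
    const string UserLogon =
        "<Event xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\">" +
        "<EventData>" +
        "<Data Name=\"TargetUserSid\">S-1-5-21-1111111111-2222222222-3333333333-1001</Data>" +
        "<Data Name=\"TargetUserName\">alice</Data>" +
        "<Data Name=\"TargetDomainName\">CORP</Data>" +
        "<Data Name=\"TargetLogonId\">0x5f3a2</Data>" +
        "</EventData>" +
        "</Event>";

    public static void Main()
    {
        Console.WriteLine(GetTargetUser(SystemLogon) ?? "(filtered)"); // (filtered)
        Console.WriteLine(GetTargetUser(UserLogon) ?? "(filtered)");   // CORP\alice
        // With System.Diagnostics.Eventing.Reader the same helper runs over a file:
        //   var reader = new EventLogReader(path, PathType.FilePath);
        //   for (var rec = reader.ReadEvent(); rec != null; rec = reader.ReadEvent())
        //       Console.WriteLine(GetTargetUser(rec.ToXml()));
    }
}
```

Note that 4648 has both a SubjectUserName (the account that ran the process) and a TargetUserName (the credentials it supplied), so for that event you may want the Subject fields as well; the dictionary returned by ParseEventData has both, and nothing in the lookup depends on their position.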