Windows Event Log
General Information
Event
Any action/occurrence that can be identified by the system
Event Logging
Centralized logging for the OS and applications
Windows Event Log
The service that does the above for Windows
The main event log categories are:
System
Security
Application
Setup (AD events are logged here on DCs)
Forwarded (from other LAN hosts).
The main event log types are: Error -> Warning -> Information -> Success Audit (e.g. successful login) -> Failure Audit (e.g. failed login attempt). There are also 5 severity levels: Critical (1) -> Error (2) -> Warning (3) -> Information (4) -> Verbose (5).
The Windows Event log is handled by the EventLog services, which has the Windows Event Log display name and runs under svchost.exe. It starts automatically at system boot and has multiple dependencies. The logs are stored in c:\windows\system32\winevt\logs with the evtx extension.
Interaction
# Enumerating log sources (el -> enum logs)
wevtutil el
# Log-specific configuration information (gl -> get-log)
wevtutil gl <log-name>
# Log status information (gli -> get log info)
wevtutil gli <log-name>
# Querying the 5 most recent events (qe -> query-events)
wevtutil qe Security /c:5 /rd:true /f:text
# Exporting the log file (epl -> export-log)
wevtutil epl System c:\system_export.evtx# Listing all logs
Get-WinEvent -ListLog *
# Log-specific information
Get-WinEvent -ListLog <log-name>
# Querying the 5 most recent events
Get-WinEvent -LogName '<log-name>' -MaxEvents 5 | Select-Object -ExpandProperty Message
# Querying the 5 oldest events
Get-WinEvent -LogName '<log-name>' -MaxEvents 5 -Oldest | Select-Object -ExpandProperty Message
# Filtering events IDs
Get-WinEvent -FilterHashTable @{LogName='Security';ID='4625'}
# Filtering based on severity
Get-WinEvent -FilterHashTable @{LogName='System';Level='1'} | Select-Object -ExpandProperty MessageLast updated