It’s helpful to know the date range that an event log spans, as that information lets you know whether or not you should expect the events from a particular time to be included in the event log, assuming the events you’re interested in are being audited. I’ve often used Harlan’s evtrpt.pl script (available on the WFA 2e DVD) to find, among other things, the date range that is covered by an EVT file. This has proven to be very helpful in identifying whether a particular event log covers the time frame of interest in an examination. However, to my knowledge, no such script exists for EVTX files.
I originally wrote a batch script for pulling the date range from EVTX files as an add-on to VSC Toolset, but I figured it would be helpful to have the ability to run it against the most current version of event logs (i.e. those not in volume shadow copies) as well. A couple of modifications to the VSC Toolset batch script made it ready for use on its own.
In writing the batch script, I decided to harness the power of Log Parser to get the job done. If you’re unfamiliar with Log Parser, it’s a great tool from Microsoft that allows you to interpret data files (event logs, for example) as SQL records and execute SQL queries against them to quickly pull out specific information. The command that I used to find the oldest event record (by TimeGenerated) in an event log is “logparser -i: EVT “SELECT TOP 1 TimeGenerated FROM %1 ORDER BY TimeGenerated ASC”. Walking through the command, I simply notify Log Parser that the input file is an event log and then specify the query that I want to execute against the file. The “%1” indicates the value passed into the batch file (G:filesSecurity.evtx, for example). The query instructs Log Parser to return the top value existing in the TimeGenerated field when that field is listed in ascending order. You should actually get the same results without “ORDER BY TimeGenerated ASC” since we’re only interested in the first entry of the event log.To find the newest event record by TimeGenerated, I simply had to sort the event log in reverse order by TimeGenerated. This can be done by changing the “ASC” in the previous command to “DESC”. I also gathered the oldest and newest records by TimeWritten to report in addition to the TimeGenerated values. The bulk of the code and work on my part in writing the batch file came from formatting the output for a very easy-to-read display. I won’t break down the code I used for that here, but it turned out to be a nice exercise in batch programming for me.
To use the script, download it here and copy the Log Parser executable and DLL into the same folder as the script (or vice versa). Note that you’ll have to install Log Parser from the MSI before the executable and DLL are available in the Program Files directory. Then execute the evtxdaterange.bat script from the command line, passing in the path to the extracted event log. For example, issuing “evtxdaterange k:filesSecurity.evtx” should give you output similar to that in the screenshot below.
If you’re interested in learning more about Log Parser, I would recommend taking a look at the Log Parser Toolkit book (however there are also many resources available online, such as this article by Chad Tilbury). If you’re interested in batch scripting, there are countless online references, including this one by Corey Harrell that goes over getting started with batch scripting.
VSC Toolset Update
I thought it would be helpful to quickly be able to determine the date range covered by an event log within a shadow copy, particularly if the most current version doesn’t go back far enough. So if you’re interested in finding which shadow copy contains the event log covering the date range of interest, you can simply run the EventLogDateRange command against all shadow copies to pinpoint which event logs you’ll want to parse. Event log parsing has also been incorporated in the latest update, via Log Parser. You can read about the other updates and download the latest version of VSC Toolset here.
I actually enjoyed reading through this posting.Many thanks.