omerbenamram / evtx

A Fast (and safe) parser for the Windows XML Event Log (EVTX) format
Apache License 2.0

InstanceID missing from logs #115

Open truekonrads opened 4 years ago

truekonrads commented 4 years ago

Evtx'es have a property "InstanceID" which is related to EventID:

InstanceID is not EventID, but can be:

The InstanceId property uniquely identifies an event entry for a configured event source. The InstanceId for an event log entry represents the full 32-bit resource identifier for the event in the message resource file for the event source. The EventID property equals the InstanceId with the top two bits masked off. Two event log entries from the same source can have matching EventID values, but have different InstanceId values due to differences in the top two bits of the resource identifier. If the application wrote the event entry using one of the WriteEntry methods, the InstanceId property matches the optional eventId parameter. If the application wrote the event using WriteEvent, the InstanceId property matches the resource identifier specified in the InstanceId of the instance parameter. If the application wrote the event using the Win32 API ReportEvent, the InstanceId property matches the resource identifier specified in the dwEventID parameter.

Taken from here: https://evotec.xyz/powershell-everything-you-wanted-to-know-about-event-logs/

I would very much like to have InstanceID read in. It isn't in the XML data; XML data contains EventID

I don't know enough about evtx structure to offer a patch.

Cross post with pyevtx-rs/issues/9
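The relationship the quoted documentation describes can be made concrete with a few constructed values. The following is an added example, not code from the evtx project or from the issue author: it derives the EventID from a 32-bit InstanceId by masking off the top two bits, and shows how several distinct InstanceIds collapse onto one EventID. The decoding of the remaining bits follows the Win32 message-resource identifier layout (severity in bits 31-30, customer bit 29, facility in bits 27-16, code in bits 15-0); the sample InstanceIds are made up for illustration.

```python
# Added example: InstanceId (full 32-bit message-resource identifier) vs EventID.
# Sample identifiers below are constructed, not taken from any real event log.

SEVERITY_MASK = 0xC0000000   # bits 31-30: message severity
EVENTID_MASK = 0x3FFFFFFF    # everything except the top two bits
CUSTOMER_BIT = 0x20000000    # bit 29: customer-defined code
FACILITY_MASK = 0x0FFF0000   # bits 27-16
CODE_MASK = 0x0000FFFF       # bits 15-0

SEVERITY_NAMES = {0: "Success", 1: "Informational", 2: "Warning", 3: "Error"}


def event_id_from_instance_id(instance_id: int) -> int:
    """EventID is the InstanceId with the top two (severity) bits masked off."""
    if not 0 <= instance_id <= 0xFFFFFFFF:
        raise ValueError("InstanceId must be an unsigned 32-bit value")
    return instance_id & EVENTID_MASK


def decode_instance_id(instance_id: int) -> dict:
    """Split a message-resource identifier into its Win32 layout fields."""
    event_id_from_instance_id(instance_id)  # range check
    return {
        "severity": SEVERITY_NAMES[(instance_id & SEVERITY_MASK) >> 30],
        "customer": bool(instance_id & CUSTOMER_BIT),
        "facility": (instance_id & FACILITY_MASK) >> 16,
        "code": instance_id & CODE_MASK,
        "event_id": event_id_from_instance_id(instance_id),
    }


def group_by_event_id(instance_ids) -> dict:
    """Map each EventID to the sorted distinct InstanceIds that produce it.

    Entries from one source can share an EventID yet differ in InstanceId,
    which is exactly the information lost when only EventID is serialized.
    """
    groups = {}
    for iid in instance_ids:
        groups.setdefault(event_id_from_instance_id(iid), set()).add(iid)
    return {eid: sorted(ids) for eid, ids in groups.items()}


# Constructed sample: three identifiers that differ only in severity bits,
# plus one with a different code.
SAMPLE_INSTANCE_IDS = [0x00000001, 0x80000001, 0xC0000001, 0x40000002]

if __name__ == "__main__":
    for iid in SAMPLE_INSTANCE_IDS:
        print(f"InstanceId 0x{iid:08X} -> {decode_instance_id(iid)}")
    print(group_by_event_id(SAMPLE_INSTANCE_IDS))
```

Running the script shows the first three sample identifiers all reporting EventID 1 while carrying Success, Warning and Error severities respectively, which is the distinction a consumer loses if only the masked EventID from the XML is available.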

forensicmatt commented 4 years ago

I looked at this and see that the actual record's event id does no bit masking in this library:

https://github.com/omerbenamram/evtx/blob/master/src/evtx_record.rs#L50

Thus, this should maintain the instance id (as no bit mask is applied). Use the event record's event_record_id attribute rather than the serialized value. I believe the python bindings also preserve this value. Let me know if you find this is not the case.

While InstanceID is not documented in Metz' documentation of EVTX structure, this is the only other value from timestamp, size, and signature outside of the XML data: https://github.com/libyal/libevtx/blob/master/documentation/Windows%20XML%20Event%20Log%20(EVTX).asciidoc#32-event-record