omerbenamram / evtx

A Fast (and safe) parser for the Windows XML Event Log (EVTX) format
Apache License 2.0

Output date range of evtx #187

Closed defensivedepth closed 3 years ago

defensivedepth commented 3 years ago

Looking for a way to quickly output the date range of a particular evtx, i.e.:

Oldest log: 2/2/20 Newest log: 3/15/20

Something like what this cmdlet does:

Get-WinEvent -Path 'C:\workspace\Security.evtx' -MaxEvents 1 -oldest | Select-Object -Property TimeCreated

Any ideas?

omerbenamram commented 3 years ago

This can be done easily with jq/python.

cargo run -- -o jsonl samples/Application.evtx --separate-json-attributes | jq '.Event.System.TimeCreated_attributes.SystemTime' | sort | head -n 1
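As an added example (not part of the original thread or the evtx project), the Python side of the same idea: read the `-o jsonl --separate-json-attributes` output once and report both ends of the range in the format the question asked for. It walks the same `Event.System.TimeCreated_attributes.SystemTime` path as the jq filter above; the sample records are constructed, and the exact `SystemTime` string format (ISO 8601 with a trailing `Z`, possibly 7 fractional digits) is an assumption, which is why the parser normalises the fraction before handing it to `datetime`.

```python
import json
import sys
from datetime import datetime, timezone

# Constructed sample of evtx_dump JSONL output (one record per line); one record
# lacks TimeCreated_attributes so the skip path is exercised.
SAMPLE_JSONL = """\
{"Event":{"System":{"TimeCreated_attributes":{"SystemTime":"2020-03-15T23:59:59.9876543Z"}}}}
{"Event":{"System":{"TimeCreated_attributes":{"SystemTime":"2020-02-02T08:15:30.123456Z"}}}}
{"Event":{"System":{"EventID":4624}}}

{"Event":{"System":{"TimeCreated_attributes":{"SystemTime":"2020-02-20T12:00:00Z"}}}}
"""


def parse_system_time(ts: str) -> datetime:
    """Parse a SystemTime string into an aware UTC datetime.

    Windows timestamps may carry 7 fractional digits (100 ns); Python's
    fromisoformat wants at most 6, so pad/truncate the fraction first.
    """
    ts = ts.strip()
    if ts.endswith("Z"):
        ts = ts[:-1]
    if "." in ts:
        base, frac = ts.split(".", 1)
        ts = f"{base}.{(frac + '000000')[:6]}"
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def date_range(lines):
    """Return (oldest, newest, skipped) over JSONL records; skipped counts
    blank/malformed lines and records without a SystemTime."""
    oldest = newest = None
    skipped = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            when = parse_system_time(
                rec["Event"]["System"]["TimeCreated_attributes"]["SystemTime"])
        except (ValueError, KeyError, TypeError):
            skipped += 1
            continue
        oldest = when if oldest is None or when < oldest else oldest
        newest = when if newest is None or when > newest else newest
    return oldest, newest, skipped


if __name__ == "__main__":
    # Usage: evtx_dump -o jsonl --separate-json-attributes Security.evtx | python evtx_range.py
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE_JSONL.splitlines()
    oldest, newest, skipped = date_range(src)
    fmt = "%m/%d/%y"
    print(f"Oldest log: {oldest:{fmt}} Newest log: {newest:{fmt}} (skipped {skipped} records)")
```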

defensivedepth commented 3 years ago

Thanks!