Log Size

[tomrade]

Sorry if ive missed something, but is there a quick way to get the length of the evtx file ie the number of log records. I looked at looping over chunks/events to count, but didn't know if there was a simple/quick way.

[williballenthin]

i think you have to loop through the chunks and use the fields log_first_record_number and log_last_record_number to compute the total number of records in the log.

the header does contains metadata about the current/next log record numbers; however, this is different from total record count, because old events may have expired.

[tomrade]

Hey thanks for the quick response , will do that :)