Hi Paul,

Thanks for the suggestion. I'm the upstream developer. The issue with event logs of any format is that you can't produce human-readable logs without a database of some kind. I think evtx files are even worse in this sense. One could try to ship a database with the software (which could have copyright issues), but this may produce inaccurate output. The gist of it is, an evt or evtx file is not the whole log. It doesn't contain all the information necessary to convert to a reasonable format. No easy way around that.
Finally, grokevt doesn't currently support evtx at all. It would be nice to add support, but I currently don't have the time to tackle it. (I will definitely consider any patches you wish to submit. =) For evtx, I recommend you take a look at Andreas Schuster's parser or Willi Ballenthin's Python module.

Good luck,
tim

On Sat, Apr 13, 2013 at 03:15:03PM +0800, Paul Wise wrote:
> Package: grokevt
> Version: 0.4.1-7
> Severity: wishlist
>
> grokevt-parselog requires a database, but I just received some
> standalone .evtx files that I want to dump and I don't have access to
> the Windows partition that they are from. It would be nice if grokevt
> could parse standalone .evtx files.
>
> --
> bye,
> pabs
>
> http://wiki.debian.org/PaulWise
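The point tim makes above, that the log file is not the whole log, can be shown concretely for the legacy .evt format grokevt handles. Each EVENTLOGRECORD carries the source name, event ID and the insertion strings, but not the message text: that template lives in the EventMessageFile DLL named under the source's key in the Windows registry, which is why a dump of the file alone cannot say what an event means. The following is an added example and is not code from this thread or from grokevt. It parses a constructed EVT record (with bounds checks on every offset the record supplies) and renders it twice, once against a constructed stand-in for the message database and once without one. The record layout is the documented 56-byte EVENTLOGRECORD header; the template map, the sample computer name and the insertion strings are made up for the example, and the 7036 template text is illustrative rather than copied from any DLL. It does not handle .evtx, which is a different (binary XML) format.

```python
import re
import struct
from datetime import datetime, timezone

# Fixed part of a legacy EVENTLOGRECORD (56 bytes, little-endian). After it
# come the UTF-16LE NUL-terminated SourceName and Computername, the SID, the
# insertion strings, the binary data, and a trailing copy of Length.
HEADER = struct.Struct("<IIIIIIHHHHIIIIII")
MAGIC = 0x654C664C  # the bytes b"LfLe" in the Reserved field


def utf16z(s):
    return s.encode("utf-16-le") + b"\x00\x00"


def build_record(record_number, timestamp, event_id, source, computer,
                 strings, event_type=4):
    """Assemble one EVT record (used here to construct sample data only)."""
    names = utf16z(source) + utf16z(computer)
    body = b"".join(utf16z(s) for s in strings)
    string_offset = HEADER.size + len(names)
    length = HEADER.size + len(names) + len(body) + 4
    header = HEADER.pack(length, MAGIC, record_number, timestamp, timestamp,
                         event_id, event_type, len(strings), 0, 0, 0,
                         string_offset, 0, string_offset, 0, length - 4)
    return header + names + body + struct.pack("<I", length)


def read_utf16z(buf, pos, end):
    """Decode a NUL-terminated UTF-16LE string at pos, never reading past end."""
    start = pos
    while pos + 1 < end:
        if buf[pos] == 0 and buf[pos + 1] == 0:
            return buf[start:pos].decode("utf-16-le"), pos + 2
        pos += 2
    raise ValueError("unterminated UTF-16LE string in record")


def parse_record(buf, offset=0):
    """Parse the EVT record at offset. Every offset taken from the record is
    checked against the record's own Length before it is dereferenced."""
    if offset + HEADER.size > len(buf):
        raise ValueError("truncated record header")
    (length, magic, record_number, t_gen, _t_written, event_id, event_type,
     _num_strings_dummy, category, _flags, _closing, string_offset,
     sid_length, sid_offset, data_length, data_offset) = HEADER.unpack_from(buf, offset)
    num_strings = _num_strings_dummy
    end = offset + length
    if magic != MAGIC:
        raise ValueError("bad record signature")
    if length < HEADER.size + 4 or end > len(buf):
        raise ValueError("record length out of range")
    if struct.unpack_from("<I", buf, end - 4)[0] != length:
        raise ValueError("trailing length does not match header length")
    for off, size in ((string_offset, 0), (sid_offset, sid_length),
                      (data_offset, data_length)):
        if off < HEADER.size or off + size > length - 4:
            raise ValueError("field offset outside record")
    pos = offset + HEADER.size
    source, pos = read_utf16z(buf, pos, end)
    computer, pos = read_utf16z(buf, pos, end)
    strings = []
    pos = offset + string_offset
    for _ in range(num_strings):
        s, pos = read_utf16z(buf, pos, end)
        strings.append(s)
    return {
        "record_number": record_number,
        "time_generated": datetime.fromtimestamp(t_gen, timezone.utc),
        "source": source,
        "computer": computer,
        "event_id": event_id,
        "event_code": event_id & 0xFFFF,  # the low word is what Event Viewer shows
        "event_type": event_type,
        "category": category,
        "strings": strings,
        "sid": buf[offset + sid_offset:offset + sid_offset + sid_length],
        "data": buf[offset + data_offset:offset + data_offset + data_length],
    }


# Constructed stand-in for the message database grokevt builds from the
# source's message DLLs. Keyed on (source name, event code); text illustrative.
TEMPLATES = {
    ("service control manager", 7036): "The %1 service entered the %2 state.",
}


def render_message(rec, templates):
    """Expand %1, %2, ... in the template with the record's insertion strings.
    Returns None when no template is known: the .evt alone cannot supply it."""
    tmpl = templates.get((rec["source"].lower(), rec["event_code"]))
    if tmpl is None:
        return None

    def sub(m):
        i = int(m.group(1)) - 1
        return rec["strings"][i] if 0 <= i < len(rec["strings"]) else m.group(0)

    return re.sub(r"%(\d+)", sub, tmpl)


def demo():
    # Constructed record: SCM event 7036 at 2013-04-13 07:15:03 UTC.
    raw = build_record(1, 1365837303, 7036, "Service Control Manager",
                       "WORKSTATION", ["Windows Update", "running"])
    rec = parse_record(raw)
    return rec, render_message(rec, TEMPLATES), render_message(rec, {})


if __name__ == "__main__":
    rec, with_db, without_db = demo()
    print(rec["record_number"], rec["time_generated"], rec["source"],
          rec["event_code"], rec["strings"])
    print("with template database :", with_db)
    print("without (file alone)   :", without_db)
```

Run stand-alone it prints the same record twice: with the template map the event reads as a sentence, without it all that survives is the source name, event code and two bare strings, which is exactly the situation the bug report describes for files cut loose from their Windows partition.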