GrokEVT Frequently Asked Questions
Q. Why is Linux required?
A. This project is designed to give free operating systems access to Windows® log files. There are plenty of programs out there that can provide this functionality on Windows®. As for other free operating systems, we hope to add support for them. In the past the tool has worked successfully on FreeBSD as well. (Helping me test other platforms would be a great way to contribute to the project!)
Q. Why do you need access to the entire Windows® partition? Why not just convert the log files themselves?
A. Microsoft® decided to make their event logging extremely complicated. Logs are not stored in a normal format you would find on any *nix system. No, these logs are binary, and only contain reference IDs to message templates, which are contained in various DLLs. The DLLs used by a given service are configured in the registry, and those DLLs could be anywhere on any filesystem that Windows® has access to.
Q. Why not just distribute the message templates for all known DLLs, and not require users to properly mount/configure all of their Windows® partitions?
A. Distributing messages from these DLLs would violate copyright. In addition, since each Windows® system has different software installed, each will have a different set of DLLs. It is better to provide users with a script which can extract all messages from their own partitions, and then use those to convert their event logs.
Q. Do you have documentation on the file format(s) being parsed by GrokEVT?
A. Yes. The
doc/devel/ directory in the software distribution contains much of this information. As it is expanded, it will likely be posted online separately as well.
Q. Do you support .evtx log files used by newer (Vista and later) operating systems?
A.No, not yet. Support for this is planned, but lately development on GrokEVT has been slow. In the mean time, see Andreas Schuster's blog where you can obtain an Evtx Parser.
Content on this page, unless otherwise indicated, is © 2002-2015 Sentinel Chicken Networks.
Reproduction is authorized under our terms.