Another consultant emailed me a .evt file recently for review. Which is great, except I frequently go days now without sitting in front of a Windows workstation – or at least, not one that isn’t broken and in need of fixing. So, I needed to find a Windows Event Log viewer.
There isn’t currently one in the Debian or Ubuntu repositories, but I did find a free-as-in-beer tool at TZWorks, LLC which did the trick nicely. It’s currently available for download in Windows, Linux (i386), and Mac versions – I haven’t tested the Mac version, but the Windows and Linux versions both run fine and do the job well, both for the older .evt and the newer .evtx (Vista and up) formats.
Note: the Linux binary provided is currently 32-bit only, so if you’re running a 64-bit system you’ll either need to install ia32-libs (apt-get install ia32-libs on Debian or Ubuntu), or just run the Windows version under WINE.
EDIT, September 2014: you can’t tell from looking at the download page, but this app now costs $228 for a single copy of it. So, uh, keep moving if you want a reasonable tool to look at Event Viewer logs with, sorry. >=\
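Since the post talks about both the legacy .evt format and the Vista-and-up .evtx format without saying how to tell them apart, here is an added example (my own code, not TZWorks' tool or anything from the original post) that sniffs a file's header, reports which of the two formats it is, verifies the CRC32 stored in the .evtx file header, and flags the legacy header's DIRTY bit, which is set while the Event Log service has the file open and is a common reason a .evt copied off a live machine refuses to parse. The sample headers the script builds are constructed in memory and are not real logs; the field layouts follow the publicly documented formats.

```python
"""Identify a Windows event log file by its header and sanity-check it.

Added example: handles the legacy .evt (NT4 through 2003) header and the
.evtx (Vista and later) file header.  The sample headers built at the bottom
are constructed in memory, not taken from a real log.
"""
import struct
import sys
import zlib

EVTX_SIGNATURE = b"ElfFile\x00"   # .evtx file header magic (offset 0)
EVT_SIGNATURE = b"LfLe"           # legacy .evt header magic (offset 4)

# Legacy .evt header flag bits.
EVT_FLAG_DIRTY = 0x1              # log was open, header not flushed
EVT_FLAG_WRAP = 0x2               # records have wrapped around the file
EVT_FLAG_LOGFULL_WRITTEN = 0x4
EVT_FLAG_ARCHIVE_SET = 0x8


def parse_evtx_header(data: bytes) -> dict:
    """Parse the 128-byte .evtx file header.

    Layout: signature (8), first chunk number (8), last chunk number (8),
    next record identifier (8), header size (4), minor/major version (2+2),
    header block size (2, normally 4096), chunk count (2), 76 unused bytes,
    file flags (4) at offset 120 and a CRC32 (4) at offset 124 covering the
    first 120 bytes of the header.  64 KiB chunks follow from offset 4096.
    """
    if len(data) < 128 or data[:8] != EVTX_SIGNATURE:
        raise ValueError("not an .evtx file header")
    (first_chunk, last_chunk, next_record_id, header_size,
     minor, major, block_size, chunk_count) = struct.unpack_from("<QQQIHHHH", data, 8)
    flags, checksum = struct.unpack_from("<II", data, 120)
    return {
        "format": "evtx",
        "version": f"{major}.{minor}",
        "header_size": header_size,
        "header_block_size": block_size,
        "first_chunk": first_chunk,
        "last_chunk": last_chunk,
        "chunk_count": chunk_count,
        "next_record_id": next_record_id,
        "flags": flags,
        "checksum_ok": (zlib.crc32(data[:120]) & 0xFFFFFFFF) == checksum,
    }


def parse_evt_header(data: bytes) -> dict:
    """Parse the 48-byte legacy .evt header (all fields little-endian u32)."""
    if len(data) < 48 or data[4:8] != EVT_SIGNATURE:
        raise ValueError("not a legacy .evt file header")
    (header_size, _sig, major, minor, start_offset, end_offset,
     current_record, oldest_record, max_size, flags, retention,
     end_header_size) = struct.unpack_from("<I4sIIIIIIIIII", data, 0)
    return {
        "format": "evt",
        "version": f"{major}.{minor}",
        "header_size": header_size,
        "start_offset": start_offset,     # offset of the oldest record
        "end_offset": end_offset,         # offset of the end-of-file record
        "current_record": current_record,
        "oldest_record": oldest_record,
        "max_size": max_size,
        "flags": flags,
        "dirty": bool(flags & EVT_FLAG_DIRTY),
        "wrapped": bool(flags & EVT_FLAG_WRAP),
        "header_consistent": header_size == 48 and end_header_size == 48,
    }


def sniff_event_log(data: bytes) -> dict:
    """Dispatch on the magic bytes; raise ValueError for anything else."""
    if data[:8] == EVTX_SIGNATURE:
        return parse_evtx_header(data)
    if data[4:8] == EVT_SIGNATURE:
        return parse_evt_header(data)
    raise ValueError("unrecognised event log header")


# --- constructed sample headers (not real logs) ----------------------------

def build_evtx_header(chunk_count: int = 1, next_record_id: int = 1) -> bytes:
    """Build a syntactically valid 4096-byte .evtx header block."""
    fields = struct.pack("<QQQIHHHH", 0, chunk_count - 1, next_record_id,
                         128, 1, 3, 4096, chunk_count)
    first120 = EVTX_SIGNATURE + fields + b"\x00" * 76
    flags = struct.pack("<I", 0)
    checksum = struct.pack("<I", zlib.crc32(first120) & 0xFFFFFFFF)
    header = first120 + flags + checksum
    return header + b"\x00" * (4096 - len(header))


def build_evt_header(flags: int = 0, current_record: int = 10,
                     oldest_record: int = 1) -> bytes:
    """Build a 48-byte legacy .evt header with the given flag bits."""
    return struct.pack("<I4sIIIIIIIIII", 48, EVT_SIGNATURE, 1, 1,
                       48, 0x1000, current_record, oldest_record,
                       0x80000, flags, 0, 48)


if __name__ == "__main__":
    # With a path argument, sniff a real file; otherwise show the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(sniff_event_log(fh.read(4096)))
    else:
        print(sniff_event_log(build_evtx_header(chunk_count=3, next_record_id=42)))
        print(sniff_event_log(build_evt_header(flags=EVT_FLAG_DIRTY)))
```

Run it as `python3 sniff_evt.py Security.evt` to see which format you are holding before reaching for a viewer. A legacy header reporting `dirty: True` (or a start/end offset that points past the end of the file) means the header was never flushed, which is the situation the fixevt-style repair tools mentioned in the comments exist for; an .evtx header with `checksum_ok: False` means the first 4 KiB has been damaged and any viewer that trusts it will misbehave.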
I’m a TSE and need to view .Evt files. Currently TZWorks, LLC has a 64-bit version available.
Upon downloading the script and running chmod 771 on it, it fails to parse the files. They need to be converted to a different format, which is done by running 2 programs which may be available online:
aeshex.exe
fixevt.exe
After those are run, the .Evt files will be viewable using the tool from TZWorks, LLC.
This is for older formats of the event files, I believe.
I’m a Linux-only person, so I’m unsure of these, but they have been recommended by a Windows technician.
evtx_view is not free-as-in-beer, either, at least any more. Tried running the Mac version and got a ‘License must be purchased’ error. It’s $228 per seat.
Wow. You’re right – same thing happened when I tried re-downloading the Linux 64-bit port. No warning at all anywhere on the site, either. Screw these guys.
I was in need of a way to browse Windows evtx files today, found this blog entry, experienced the license thing on my Mac as well, and finally found http://www.williballenthin.com/evtx/ This is a Python library together with some useful scripts. It’s anything but intuitive to browse Windows event files, but I’m at least able to read them on my Mac. And hey, it’s command line anyway, so some things can be scripted and automated 😉 For those who prefer Perl, there is a link in the article, pointing to a Perl library.
wolfgang
Thanks Wolfgang!