Friday, April 24, 2015

PowerShell: Offline Windows Event Logs Analysis - Part 1

1. You already have raw copies of the Windows event log files, extracted from the server with your forensic tools.
Default event log location (note that the file format differs: .evt on Server 2003 and earlier, .evtx from Vista/Server 2008 onward):
Windows Server 2003 Operating System : %WinDir%\System32\Config (Security.evt, System.evt, Application.evt)
Windows Server 2008, 2008 R2, 2012 and 2012 R2 Operating Systems : %WinDir%\System32\Winevt\Logs (Security.evtx, System.evtx, Application.evtx, plus the Applications and Services logs)


2. Repair the Event log!
This step applies to the legacy .evt format (Windows 2000/XP/2003). Its header holds four fields that are synchronised with a "floating footer" (the EOF record) each time the log is properly closed: the offset of the oldest record, the offset of the EOF record, the next record number and the oldest record number. If the file was not properly closed, those four fields will not have been synched and the file status byte (the header Flags field, whose low bit is the dirty flag) will be odd. When you attempt to open such a file with any viewer reliant upon the event log API, it will be reported as corrupt. This frequently occurs in forensics when you pull the plug or do a live acquisition. EnCase doesn't rely upon that API and will parse such files without repair. If you wish to use them in a viewer reliant upon the event log API, you'll need to repair the header.
To repair the event log file, you simply need to copy the four fields from the floating footer into their corresponding locations in the header and then set the file status byte to any even value. Save and you are done. It's really that simple. (Paraphrased from http://www.stevebunting.org/udpd4n6/forensics/repaireventlogfile.htm) Do the repair on a working copy, never on the evidence file, and hash both copies so the change is documented.
.evtx files (Vista/Server 2008 and later) are a different, chunked format with per-chunk CRC32 checksums, so the .evt header procedure does not apply to them. An .evtx that was not closed cleanly also carries a dirty flag in its file header, but Get-WinEvent and Event Viewer will normally still open it; if they refuse, fall back to a parser that does not depend on the event log API.


Automated Windows Event Log Repair Tools (both target the legacy .evt format):
    http://www.cwflynt.com/logFixer
    http://murphey.org/fixevt.html
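The repair procedure above, written out in PowerShell as an added example (this is not code from the original post or from the tools linked above). The field offsets follow Microsoft's documented ELF_LOGFILE_HEADER and ELF_EOF_RECORD layouts for the legacy .evt format; the function names Repair-EvtHeader and New-SampleDirtyEvt, the temp-file path, and the sample log built by New-SampleDirtyEvt (a dirty header, a zero-filled record area and a footer holding the current values) are assumptions made for the example. The repaired file is written beside the input, so the evidence copy is left untouched.

```powershell
# Added example, not part of the original post: repair the header of a legacy .evt log
# (Windows 2000/XP/2003 format) by copying the four fields from the floating footer and
# clearing the dirty bit. Offsets are Microsoft's ELF_LOGFILE_HEADER / ELF_EOF_RECORD
# layouts (all fields little-endian UInt32):
#   header (48 bytes): 0x00 HeaderSize, 0x04 "LfLe", 0x08 MajorVersion, 0x0C MinorVersion,
#     0x10 StartOffset, 0x14 EndOffset, 0x18 CurrentRecordNumber, 0x1C OldestRecordNumber,
#     0x20 MaxSize, 0x24 Flags (bit 0 = dirty), 0x28 Retention, 0x2C EndHeaderSize
#   floating footer (40 bytes): 0x00 = 0x28, 0x04..0x13 magic 0x11111111 0x22222222
#     0x33333333 0x44444444, 0x14 BeginRecord, 0x18 EndRecord, 0x1C CurrentRecordNumber,
#     0x20 OldestRecordNumber, 0x24 = 0x28

function Repair-EvtHeader {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [string]$OutPath   # hypothetical: defaults to <Path>.repaired
    )
    if (-not $OutPath) { $OutPath = "$Path.repaired" }
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 88) { throw "Too small to be an .evt log (header + footer): $Path" }
    $sig = [System.Text.Encoding]::ASCII.GetString($bytes, 4, 4)
    if ($sig -ne 'LfLe') { throw "Not a legacy .evt log (signature '$sig', expected 'LfLe'): $Path" }

    $flags = [BitConverter]::ToUInt32($bytes, 0x24)
    if (($flags -band 1) -eq 0) {
        Write-Warning "Header Flags 0x$($flags.ToString('X8')) are even (clean); nothing to repair."
        return
    }

    # Locate the floating footer by its magic bytes. Latin1 maps bytes 1:1 to chars, so a
    # string search finds the pattern without a byte-by-byte PowerShell loop.
    $magic = [byte[]](0x28,0,0,0, 0x11,0x11,0x11,0x11, 0x22,0x22,0x22,0x22, 0x33,0x33,0x33,0x33, 0x44,0x44,0x44,0x44)
    $latin1 = [System.Text.Encoding]::GetEncoding(28591)
    $haystack = $latin1.GetString($bytes)
    $needle = $latin1.GetString($magic)
    $hits = @()
    $pos = $haystack.IndexOf($needle, 0x30, [System.StringComparison]::Ordinal)
    while ($pos -ge 0) {
        # A real footer also ends with its own size (0x28) at +0x24
        if ($pos + 40 -le $bytes.Length -and [BitConverter]::ToUInt32($bytes, $pos + 0x24) -eq 0x28) { $hits += $pos }
        $pos = $haystack.IndexOf($needle, $pos + 1, [System.StringComparison]::Ordinal)
    }
    if ($hits.Count -ne 1) { throw "Expected exactly one floating footer, found $($hits.Count): $Path" }
    $footer = $hits[0]

    # Copy the four synchronisation fields (footer +0x14..+0x23) over the header (0x10..0x1F)
    [Array]::Copy($bytes, $footer + 0x14, $bytes, 0x10, 16)
    # Bit 0 is known to be set, so subtracting 1 clears the dirty flag and leaves an even value
    $newFlags = [uint32]($flags - 1)
    [Array]::Copy([BitConverter]::GetBytes($newFlags), 0, $bytes, 0x24, 4)

    [System.IO.File]::WriteAllBytes($OutPath, $bytes)
    [pscustomobject][ordered]@{
        OutPath             = $OutPath
        FooterOffset        = $footer
        StartOffset         = [BitConverter]::ToUInt32($bytes, 0x10)
        EndOffset           = [BitConverter]::ToUInt32($bytes, 0x14)
        CurrentRecordNumber = [BitConverter]::ToUInt32($bytes, 0x18)
        OldestRecordNumber  = [BitConverter]::ToUInt32($bytes, 0x1C)
        Flags               = $newFlags
    }
}

# Constructed sample, not a real log: a header marked dirty with stale fields, 64 zero bytes
# standing in for the record area, and a footer holding the current values.
function New-SampleDirtyEvt {
    param([Parameter(Mandatory=$true)][string]$Path)
    $buf = New-Object System.Collections.Generic.List[byte]
    foreach ($v in 0x30, 0x654C664C, 1, 1, 0x30, 0x30, 1, 1, 0x80000, 1, 0, 0x30) {   # header, Flags = 1 (dirty)
        $buf.AddRange([BitConverter]::GetBytes([uint32]$v))
    }
    $buf.AddRange([byte[]](New-Object byte[] 64))                                       # placeholder record area
    foreach ($v in 0x28, 0x11111111, 0x22222222, 0x33333333, 0x44444444, 0x30, 0x70, 42, 7, 0x28) {   # footer
        $buf.AddRange([BitConverter]::GetBytes([uint32]$v))
    }
    [System.IO.File]::WriteAllBytes($Path, $buf.ToArray())
}

$sample = Join-Path $env:TEMP 'sample_dirty.evt'   # hypothetical working-copy location
New-SampleDirtyEvt -Path $sample
Repair-EvtHeader -Path $sample | Format-List
```

The footer is located by its magic values rather than by the header's EndOffset, because EndOffset is one of the stale fields being repaired; the function refuses to guess if it finds zero or several candidates. Run it against a copy of a real .evt and compare the returned StartOffset/EndOffset against what the event log API then reports.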


3. Extracting the XML event information from a saved Windows event log
Note: Run the commands one line at a time so that you can see what each one does and what it outputs.

# Analyzing one event message from the event log
# Pull the first Security.evtx event with ID 4624 (successful logon) from the full path of the saved log file and assign it to the "$Event" variable. Get-WinEvent returns events newest first; add -Oldest to read in chronological order.
PS C:\Users\mimi> $Event = Get-WinEvent -FilterHashtable @{Path="D:\Sample_Event_Log\Win7\Security.evtx";Id=4624} -MaxEvents 1

# View the event properties.
PS C:\Users\mimi> $Event | Format-List *

# The Properties array holds the message body values, but only by position: the field names are missing.
PS C:\Users\mimi> $Event.Properties

# Convert the event to XML and assign the result to the "$eventXML" variable.
PS C:\Users\mimi> $eventXML = [xml]$Event.ToXml()

# Voilà: the EventData section lists every field of the message together with its name.
PS C:\Users\mimi> $eventXML.Event.EventData.Data

# To reach a single field, index into the array: the Name attribute and the element text.
PS C:\Users\mimi> $eventXML.Event.EventData.Data[0].name
PS C:\Users\mimi> $eventXML.Event.EventData.Data[0].'#text'


-----------------------------------------------------------------------------------------

Full running code:
1. Change the "Path" location to your Windows event log file and save the PowerShell code below as "Extract_Security_Evtx_Event_ID_4624_Logon_Activities.ps1"


-----------BEGIN-----------
#Extract Security.evtx event id 4624 - Logon Activities
#------------------------------------------------------

# Extract Security.evtx event id "4624" for logon activities from the full path to the saved log file name.
# -Oldest returns the events in chronological order (the default is newest first).
$Events = Get-WinEvent -FilterHashtable @{Path="D:\Sample_Event_Log\Win7\Security.evtx";Id=4624} -Oldest

# Assign the output file that will store the result.
$OutputFile = "D:\Sample_Event_Log\Win7\Security_Evtx_Event_ID_4624_output.csv"

# Parse out the event message data
ForEach ($Event in $Events)
{
    # Convert the event to XML
    $eventXML = [xml]$Event.ToXml()

    # Iterate through each one of the XML message properties
    For ($i=0; $i -lt $eventXML.Event.EventData.Data.Count; $i++)
    {
        # Append each <Data Name="..."> element as a property on the event object
        # ('#text' is $null for an empty element, which Export-Csv writes as an empty cell)
        Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name $eventXML.Event.EventData.Data[$i].name -Value $eventXML.Event.EventData.Data[$i].'#text'
    }
}

# View the results with your favorite output method
# Note: TimeCreated is shown in the local time zone of the analysis machine, not in UTC.
#$Events | Select-Object * | Out-GridView
$Events | Select-Object TimeCreated,MachineName,LogName,Id,SubjectLogonId,TargetUserName,TargetDomainName,WorkstationName,IpAddress,LogonType | Export-Csv $OutputFile -NoTypeInformation

-----------END-----------
Run it:
PS C:\Users\mimi> .\Extract_Security_Evtx_Event_ID_4624_Logon_Activities.ps1
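The per-event Add-Member loop in the script above, and the line-by-line exploration in step 3, both flatten one event's EventData by hand. The following added example (not code from the original post) generalises that into a function that turns any event into one object, handling unnamed and empty <Data> elements and keeping timestamps in UTC, and then summarises 4624 logons per account, logon type and source address. The function names ConvertFrom-EventXml, Get-LogonSummary and New-Sample4624Xml, and the host names, accounts and addresses in the sample events, are assumptions made for the example; the trimmed 4624 XML is constructed so the block runs without an .evtx file, and ConvertFrom-EventXml also accepts the objects Get-WinEvent returns.

```powershell
# Added example, not part of the original post.

function ConvertFrom-EventXml {
    # Flatten one event (EventLogRecord from Get-WinEvent, or a string of event XML)
    # into a single object: System fields plus one property per <Data Name="..."> element.
    param([Parameter(Mandatory=$true, ValueFromPipeline=$true)]$InputObject)
    process {
        $text = if ($InputObject -is [string]) { $InputObject } else { $InputObject.ToXml() }
        $x = [xml]$text
        $eid = $x.Event.System.EventID
        if ($eid -is [System.Xml.XmlElement]) { $eid = $eid.'#text' }   # classic events carry a Qualifiers attribute
        $props = [ordered]@{
            # SystemTime is written in UTC; parse it as UTC instead of letting [datetime] shift it to local time
            TimeCreated = [datetime]::Parse($x.Event.System.TimeCreated.SystemTime,
                                            [cultureinfo]::InvariantCulture,
                                            [System.Globalization.DateTimeStyles]::AdjustToUniversal)
            Computer    = $x.Event.System.Computer
            Id          = [int]$eid
        }
        $n = 0
        foreach ($d in @($x.Event.EventData.Data)) {
            $n++
            if ($d -is [System.Xml.XmlElement]) {
                # Named element; '#text' is $null when the element is empty
                $name = $d.GetAttribute('Name')
                if (-not $name) { $name = "Data$n" }
                $props[$name] = $d.'#text'
            } elseif ($null -ne $d) {
                # Unnamed <Data> with plain text comes back from the XML adapter as a string
                $props["Data$n"] = [string]$d
            }
        }
        [pscustomobject]$props
    }
}

function Get-LogonSummary {
    # Count 4624 logons per (LogonType, account, source address) with first/last seen times.
    param([Parameter(Mandatory=$true)][object[]]$Events)
    # Machine accounts (names ending in $) dominate 4624 volume on domain members; drop them here
    $Events | Where-Object { $_.Id -eq 4624 -and $_.TargetUserName -notlike '*$' } |
        Group-Object LogonType, TargetDomainName, TargetUserName, IpAddress |
        ForEach-Object {
            $first = $_.Group[0]
            $times = @($_.Group | ForEach-Object { $_.TimeCreated } | Sort-Object)
            [pscustomobject]@{
                Account   = "$($first.TargetDomainName)\$($first.TargetUserName)"
                LogonType = $first.LogonType
                IpAddress = $first.IpAddress
                Count     = $_.Count
                FirstSeen = $times[0]
                LastSeen  = $times[-1]
            }
        } | Sort-Object Count -Descending
}

# Constructed sample input (trimmed 4624 records, not real log data)
function New-Sample4624Xml {
    param($Time, $User, $Domain, $LogonType, $Ip, $Workstation)
@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
    <TimeCreated SystemTime="$Time"/><Channel>Security</Channel><Computer>SRV01.corp.example</Computer></System>
  <EventData>
    <Data Name="SubjectLogonId">0x3e7</Data><Data Name="TargetUserName">$User</Data>
    <Data Name="TargetDomainName">$Domain</Data><Data Name="LogonType">$LogonType</Data>
    <Data Name="WorkstationName">$Workstation</Data><Data Name="IpAddress">$Ip</Data>
    <Data Name="IpPort">0</Data><Data Name="LogonProcessName"></Data>
  </EventData>
</Event>
"@
}

$sampleXml = @(
    (New-Sample4624Xml -Time '2015-04-20T08:15:02Z' -User 'alice'      -Domain 'CORP' -LogonType 10 -Ip '10.0.0.25' -Workstation 'WKS01'),
    (New-Sample4624Xml -Time '2015-04-20T08:16:40Z' -User 'alice'      -Domain 'CORP' -LogonType 10 -Ip '10.0.0.25' -Workstation 'WKS01'),
    (New-Sample4624Xml -Time '2015-04-20T09:02:11Z' -User 'svc_backup' -Domain 'CORP' -LogonType 3  -Ip '10.0.0.7'  -Workstation 'BKP01'),
    (New-Sample4624Xml -Time '2015-04-20T09:05:00Z' -User 'SRV01$'     -Domain 'CORP' -LogonType 5  -Ip '-'         -Workstation '-')
)
$parsed = $sampleXml | ConvertFrom-EventXml
Get-LogonSummary -Events $parsed | Format-Table -AutoSize
```

To run this against a saved log, replace $sampleXml with Get-WinEvent -FilterHashtable @{Path="...";Id=4624} -Oldest and pipe the result into ConvertFrom-EventXml; the flattened objects can go to Export-Csv exactly as in the script above, with the difference that TimeCreated stays in UTC, which matters when logs from hosts in different time zones are lined up in one timeline.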

References:
https://blogs.technet.microsoft.com/heyscriptingguy/2011/01/25/use-powershell-to-parse-saved-event-logs-for-errors/
https://blogs.technet.microsoft.com/ashleymcglone/2013/08/28/powershell-get-winevent-xml-madness-getting-details-from-event-logs/
https://gallery.technet.microsoft.com/scriptcenter/Log-Parser-to-Identify-8aac36bd