watch_evtx

Plugin

Arg         Description                                                       Type
filename    A list of event log files to parse.                               list of string (required)
accessor    The accessor to use.                                              string
messagedb   A Message database from https://github.com/Velocidex/evtx-data.   string

Description

Watch an EVTX file and stream events from it.

This is the Event plugin version of parse_evtx().

It often takes several seconds for events to be flushed to the event log, so the events emitted by this plugin may be delayed. For some applications this results in a race condition with the event itself - for example, files mentioned in the event may already have been removed by the time the event is emitted.
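The following is an added example, not part of the Velociraptor documentation, showing the plugin used as an event source with a filter and with the flush delay described above taken into account. It assumes the default Windows path for the Security log, the standard EventData field names of a process-creation event (EventID 4688), and the VQL stat() plugin for the on-disk check.

```vql
-- Added example (assumptions: default Security log path, 4688 EventData
-- field names NewProcessName / CommandLine, stat() plugin available).
LET SecurityLog = "C:/Windows/System32/winevt/Logs/Security.evtx"

SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS EventTime,
       System.EventID.Value AS EventID,
       EventData.NewProcessName AS ProcessPath,
       EventData.CommandLine AS CommandLine,
       -- Events are flushed late, so the binary may already be gone by
       -- the time this row is emitted; the subquery is then empty and
       -- SizeOnDisk is NULL, which is the race the description warns about.
       { SELECT Size FROM stat(filename=EventData.NewProcessName) } AS SizeOnDisk
FROM watch_evtx(filename=SecurityLog)
WHERE System.EventID.Value = 4688
```

A NULL SizeOnDisk therefore means "file not present when the event arrived", not "event malformed", and a consumer of this stream should treat it accordingly.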
