Custom EVTX Logs
SUMMARY
This lays out how to create a subscription (both source and collector initiated) that collects selected forwarded .evtx event logs from a workstation to a domain controller.
ENVIRONMENT
APPLICATIONS/TOOLS USED
Windows SDK (Development Kit): ecmangen.exe, mc.exe (Message Compiler), rc.exe (Resource Compiler)
csc.exe (C# Compiler)
wevtutil
ecmangen.exe was removed from the Windows 10 SDK starting from 10.0.16299.15. Parallel installations of the Windows SDK are allowed; in this case, Windows 10 SDK (10.0.14393.795) was installed alongside the latest SDK version.
csc.exe is included in the Microsoft .NET Framework. The .NET Framework is native to Windows operating systems, and the Framework's version depends on the OS installed.
wevtutil is a command native to the Command Prompt.
PROCEDURE
1. Create a manifest file
Open ecmangen.exe:
Create a new provider: on the left panel, right click on Events Section, then select New -> Provider. Fill up the following fields:
On the right panel, click on Save.
Then, create a new template: on the left panel, under WEF-Events, select Templates. On the right panel, select New Template. Fill up the following fields:
Add Field Attributes:
On the right panel, click Save.
Create channels (maximum of 8): on the left panel, under WEF-Events, select Channels. On the right panel, select New Channel. Fill up the following fields:
On the right panel, click Save.
Create a new event: on the left panel, under WEF-Events, select Events. On the right panel, select New Event. Fill up the following fields:
On the right panel, click on Save.
Save the manifest file as "WEF_Events.man".
Avoid using the character '-' in the filename: the C# file generated during compilation will fail with an error otherwise.
Resulting manifest file (XML formatted):
2. Compile the manifest file and generate relevant files (e.g. WEF-Events.dll)
Press Win + R, then enter cmd and navigate to where WEF_Events.man was saved. Then, enter the following commands:
1. mc.exe (Message Compiler)
The compiler generates the message resource files to which your application links.
Switches used:
File(s) generated after execution:
MSG00001.bin
WEF_Events.cs
WEF_Events.h
WEF_Events.rc
WEF_EventsTEMP.bin
2. rc.exe (Resource Compiler)
rc.exe compiles an application's resources and can be used to build Windows-based applications.
File(s) generated after execution:
WEF_Events.res
3. csc.exe (C# Compiler)
No output means the command was successfully executed.
Switches used:
File(s) generated after execution -- WEF_Events.dll
3. Install the manifest file with the matching dll file:
Move both files to the C:\Windows\System32 directory:
Install the manifest file using wevtutil:
4. The created logs should appear under Applications and Services Logs inside Event Viewer.
The logs generated can then be used in the subscriptions you create.
Additional columns can be added to or removed from the logs (e.g. Log, Computer).
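The compile-and-install sequence of steps 2 and 3 as one script, added here as an example that is not part of the original page: the tool paths, the mc/rc/csc/wevtutil switches (the standard documented ones, since the page leaves its own unlisted), the C# namespace and the channel name WEF-Events/Operational are all assumptions.

```powershell
# Added example (not from the original page). Assumed: SDK/.NET paths, switches,
# namespace and channel name. Provider name WEF-Events and file names are the page's.
$ErrorActionPreference = 'Stop'
$Manifest = 'WEF_Events.man'                                                 # in current dir
$SdkBin   = 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.14393.0\x64'    # assumed path
$Csc      = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe'        # assumed path
$Target   = 'C:\Windows\System32'

# Run one tool, fail on a non-zero exit code, and confirm the files it should produce.
function Invoke-Step {
    param([string]$Exe, [string[]]$ArgList, [string[]]$Expect)
    & $Exe @ArgList
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
    foreach ($f in $Expect) {
        if (-not (Test-Path $f)) { throw "$Exe did not produce $f" }
    }
}

# 2.1 mc.exe: -css emits a static C# logging class; the argument is the namespace (assumed).
Invoke-Step "$SdkBin\mc.exe" @('-css', 'WEF_Events', $Manifest) `
    @('MSG00001.bin', 'WEF_Events.cs', 'WEF_Events.h', 'WEF_Events.rc', 'WEF_EventsTEMP.bin')

# 2.2 rc.exe: compile the .rc (which pulls in the .bin message tables) into a .res file.
Invoke-Step "$SdkBin\rc.exe" @('WEF_Events.rc') @('WEF_Events.res')

# 2.3 csc.exe: build the DLL with the .res embedded as Win32 resources.
# /unsafe is needed because the mc-generated C# uses unsafe pointer code.
Invoke-Step $Csc @('/target:library', '/unsafe', '/win32res:WEF_Events.res', 'WEF_Events.cs') `
    @('WEF_Events.dll')

# 3. Copy both files to System32 and register the manifest (needs an elevated prompt).
# /rf and /mf point the resource and message file paths at the installed DLL.
Copy-Item $Manifest, 'WEF_Events.dll' -Destination $Target -Force
Invoke-Step 'wevtutil.exe' @('im', "$Target\$Manifest",
    "/rf:$Target\WEF_Events.dll", "/mf:$Target\WEF_Events.dll") @()

# Verify registration: provider metadata and the new channel(s) should now be listed.
wevtutil.exe gp WEF-Events
wevtutil.exe el | Select-String -SimpleMatch 'WEF-Events'
wevtutil.exe gl 'WEF-Events/Operational'    # assumed channel name; adjust to the manifest
# When re-testing a changed manifest, unregister first: wevtutil um WEF_Events.man
```

Run it from the directory holding WEF_Events.man in an elevated PowerShell session; each step stops the script if the expected output file is missing.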