Custom EVTX Logs
This page lays out how to create a subscription (both source- and collector-initiated) that collects selected forwarded .evtx event logs from a workstation to a domain controller.
| WINDOWS | OS | BUILD NO. | REMARKS |
|---|---|---|---|
| WIN-BO2CT95INDP | Windows Server 2016 Standard | 10.0.14393 Build 14393 | Collector Machine |
Windows SDK (Development Kit):
- ecmangen.exe
- mc.exe (Message Compiler)
- rc.exe (Resource Compiler)
- csc.exe (C# Compiler)
- wevtutil

Notes:
- ecmangen.exe was removed from the Windows 10 SDK starting from 10.0.16299.15. Parallel installations of the Windows SDK are allowed; in this case, an older SDK that still ships ecmangen.exe was installed alongside the latest SDK version.
- csc.exe is included in the Microsoft .NET Framework. The .NET Framework is native to Windows operating systems, and the Framework's version depends on the OS installed.
- wevtutil is a command native to the Command Prompt.
Open ecmangen.exe:

Create a new provider:
1. On the left panel, right-click on the Events section, then select New -> Provider.
2. Fill in the following fields:

| FIELD | VALUE |
|---|---|
| Name | WEF-Events |
| Symbol | WEF_Events |
| GUID | Press "New" beside the input field |
| Resources | C:\Windows\System32\WEF-Events.dll |
| Messages | C:\Windows\System32\WEF-Events.dll |

3. On the right panel, click on Save.

Then, create a new template:
1. On the left panel, under WEF-Events, select Templates.
2. On the right panel, select New Template.
3. Fill in the following fields:

| FIELD | VALUE |
|---|---|
| Name | WEF-Template |

4. Add Field Attributes:

| Name | InType | OutType | Count | Length |
|---|---|---|---|---|
| Unicode | win:UnicodeString | xs:string | default | default |
| UInt32 | win:UInt32 | xs:unsignedInt | default | - |

5. On the right panel, click Save.
Create channels (maximum of 8):
1. On the left panel, under WEF-Events, select Channels.
2. On the right panel, select New Channel.
3. Fill in the following fields for each channel:

| NAME | SYMBOL | TYPE | ENABLE | DESCRIPTION | CHANNEL SECURITY |
|---|---|---|---|---|---|
| WEF-Security | WEF_Security | Operational | Yes | DC Security Logs | Default |
| WEF-System | WEF_System | Operational | Yes | DC System Logs | Default |
| WEF-PowerShell | WEF_PowerShell | Operational | Yes | DC PowerShell Logs | Default |
| WEF-Sysmon | WEF_Sysmon | Operational | Yes | DC Sysmon Logs | Default |

4. On the right panel, click Save.
Create a new event:
1. On the left panel, under WEF-Events, select Events.
2. On the right panel, select New Event.
3. Fill in the following fields:

| FIELD | VALUE |
|---|---|
| Symbol | WEF_Event |
| Event ID | 6969 |
| Message | $(string.WEF-Events.event.6969.message) |
| Channel | WEF-Security |
| Template | WEF-Template |
| Keywords | `win:AuditSuccess`, `win:AuditFailure` |

4. On the right panel, click on Save.
Save the manifest file as "WEF_Events.man". Avoid using the character '-' in the filename; otherwise the C# file generated during compilation will produce an error.

Resulting manifest file (XML formatted):
Press Win + R, enter cmd, and navigate to where WEF_Events.man was saved. Then, enter the following commands:
1. mc.exe (Message Compiler)

The compiler generates the message resource files to which your application links.

Switches used:

| OPTION | DESCRIPTION |
|---|---|
| -css <namespace> | Generates a static C# class. It includes the methods that you would call to log the events defined in your manifest. |

File(s) generated after execution: MSG00001.bin, WEF_Events.cs, WEF_Events.h, WEF_Events.rc, WEF_EventsTEMP.bin
2. rc.exe (Resource Compiler)

rc.exe compiles an application's resources and can be used to build Windows-based applications.

File(s) generated after execution: WEF_Events.res
3. csc.exe (C# Compiler)

No output means the command was executed successfully.

Switches used:

| OPTION | DESCRIPTION |
|---|---|
| /win32res:<file> | Specify a Win32 resource file (.res) |
| /unsafe | Allow 'unsafe' code |
| /target:library | Build a library (short form: /t:library) |
| /out:<file> | Specify output file name (default: base name of file with main class or first file) |

File(s) generated after execution: WEF_Events.dll
Move both files to the C:\Windows\System32 directory:

Install the manifest file using wevtutil:
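The compile-and-install sequence above as one PowerShell script (an added example, not from the original page). It assumes an elevated prompt opened in the folder containing WEF_Events.man and that mc.exe, rc.exe and csc.exe are on PATH; it uses wevtutil's /rf and /mf switches to point the provider at the copied DLL, and the Get-WinEvent checks at the end are likewise additions.

```powershell
# Added example: build WEF_Events.man into a resource DLL, register it, and verify.
# Assumptions: run as Administrator from the folder holding WEF_Events.man;
# mc.exe, rc.exe and csc.exe are on PATH (adjust $env:PATH for your SDK/.NET version).
$ErrorActionPreference = 'Stop'
$manifest  = 'WEF_Events.man'
$namespace = 'WEF_Events'        # namespace for the static C# class mc.exe emits
$dll       = 'WEF_Events.dll'
$dest      = Join-Path $env:SystemRoot 'System32'
$dllPath   = Join-Path $dest $dll

function Invoke-Tool {
    # Run a native tool and stop on a non-zero exit code instead of continuing silently.
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# 1. Message Compiler: emits the .h/.rc/.bin resources and WEF_Events.cs
Invoke-Tool 'mc.exe'  @('-css', $namespace, $manifest)
# 2. Resource Compiler: compiles WEF_Events.rc into WEF_Events.res
Invoke-Tool 'rc.exe'  @('WEF_Events.rc')
# 3. C# Compiler: embeds the .res into a library DLL (prints nothing on success)
Invoke-Tool 'csc.exe' @('/win32res:WEF_Events.res', '/unsafe', '/target:library',
                        "/out:$dll", 'WEF_Events.cs')

# Copy the DLL and the manifest into System32, then install the manifest.
# /rf and /mf point the provider's resource and message file at the copied DLL,
# so the paths resolve even if the manifest names a different file (e.g. WEF-Events.dll).
Copy-Item $dll $dllPath -Force
Copy-Item $manifest (Join-Path $dest $manifest) -Force
Invoke-Tool 'wevtutil.exe' @('im', (Join-Path $dest $manifest), "/rf:$dllPath", "/mf:$dllPath")

# Verification: the provider and all four WEF-* channels should be listed and enabled.
Get-WinEvent -ListProvider 'WEF-Events' | Select-Object Name, MessageFilePath
Get-WinEvent -ListLog 'WEF-*' | Select-Object LogName, IsEnabled, LogType
```

If a channel shows IsEnabled as False, enable it with `wevtutil sl <channel> /e:true` before creating the subscription.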
The new channels appear under Applications and Services Logs inside Event Viewer. The logs generated can be used for creating subscriptions. Additional columns can be added to or removed from the log view (e.g. Log, Computer).