# converts Windows Event Logs (EVTX) into pandas DataFrames / CSV files
## pip install evtx2df
### Tested against Windows 10 / Python 3.10 / Anaconda
This package converts EVTX data into a structured pandas DataFrame (or a CSV file), which makes further analysis, exploration and visualization easier. Note that the examples below read the live log files under `C:\Windows\System32\winevt\Logs`, which typically requires an elevated (administrator) session.
### Usage: converting individual files (and locating all EVTX files on a drive):
```python
# Converts evtx into csv from the command line:
python path_to_the_package\__init__.py "C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppReadiness%4Admin.evtx" "C:\Microsoft-Windows-AppReadinessAdmin.csv"
# as well as in a python script, and ...
from evtx2df import dataframe_from_evtx
df = dataframe_from_evtx(
evtx_file_path=r"C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppReadiness%4Admin.evtx"
)
print(df[19:25].to_string())
aa_value aa_key_0 aa_key_1 aa_key_2 aa_key_3 aa_key_4 aa_event_record_id aa_timestamp aa_kind_of_event
19 1 Event System Task <NA> <NA> 1298 2023-03-25 03:07:30.497541+00:00 <NA>
20 2023-03-25T03:07:30.497541Z Event System TimeCreated #attributes SystemTime 1298 2023-03-25 03:07:30.497541+00:00 <NA>
21 0 Event System Version <NA> <NA> 1298 2023-03-25 03:07:30.497541+00:00 <NA>
22 http://schemas.microsoft.com/win/2004/08/events/event Event #attributes xmlns <NA> <NA> 1297 2023-03-25 03:07:30.497538+00:00 <NA>
23 72 Event EventData TaskCount <NA> <NA> 1297 2023-03-25 03:07:30.497538+00:00 <NA>
24 install::Microsoft.MicrosoftEdge_8wekyb3d8bbwe Event EventData TaskId <NA> <NA> 1297 2023-03-25 03:07:30.497538+00:00 <NA>
# ... finds all evtx files on your HDD
evtxdf=list_all_evtx_files_in_path(hdd='c:\\')
print(evtxdf[11:15].to_string())
aa_path aa_name aa_path_only aa_size aa_size_on_disk aa_created aa_last_written aa_last_accessed aa_descendents aa_read_only aa_archive aa_system aa_hidden aa_offline aa_not_content_indexed_file aa_no_scrub_file aa_integrity aa_pinned aa_unpinned aa_directory_flag aa_compressed aa_encrypted aa_sparse aa_reparse aa_attributes
11 C:\Windows\System32\winevt\Logs\Visual Studio.evtx Visual Studio.evtx C:\Windows\System32\winevt\Logs 69632 69632 b'2023-03-30 19:39:28' b'2023-03-31 19:54:38' b'2023-03-31 19:54:38' 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 32
12 C:\Windows\System32\winevt\Logs\Squid Service Log.evtx Squid Service Log.evtx C:\Windows\System32\winevt\Logs 69632 69632 b'2023-03-25 05:52:15' b'2023-03-25 12:53:59' b'2023-03-25 12:53:59' 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 32
13 C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx Microsoft-Windows-Sysmon%4Operational.evtx C:\Windows\System32\winevt\Logs 18944000 18944000 b'2023-05-17 23:15:01' b'2023-05-18 00:59:07' b'2023-05-18 00:59:07' 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 32
14 C:\Windows\System32\winevt\Logs\State.evtx State.evtx C:\Windows\System32\winevt\Logs 69632 69632 b'2023-03-24 23:46:26' b'2023-03-25 00:06:45' b'2023-03-25 00:06:45' 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 32
```
Raw data
{
"_id": null,
"home_page": "https://github.com/hansalemaos/evtx2df",
"name": "evtx2df",
"maintainer": "",
"docs_url": null,
"requires_python": "",
"maintainer_email": "",
"keywords": "EVTX,csv,convert,pandas",
"author": "Johannes Fischer",
"author_email": "aulasparticularesdealemaosp@gmail.com",
"download_url": "https://files.pythonhosted.org/packages/5a/ff/34c44fc8dad59c9860c36b64e7d305c38b081d195566fc7312f4d64fde47/evtx2df-0.10.tar.gz",
"platform": null,
"description": "# converts Windows Event Logs (EVTX) into pandas DataFrames / CSV files\r\n\r\n## pip install evtx2df\r\n\r\n### Tested against Windows 10 / Python 3.10 / Anaconda\r\n\r\n\r\nThis script provides a convenient way to convert EVTX data into a structured DataFrame format using Pandas, which can facilitate further data analysis, exploration, and visualization.\r\n\r\n\r\n### To extract strings from individual files:\r\n\r\n```python\r\n# Converts evtx into csv from the command line:\r\npython path_to_the_package\\__init__.py \"C:\\Windows\\System32\\winevt\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx\" \"C:\\Microsoft-Windows-AppReadinessAdmin.csv\"\r\n\r\n# as well as in a python script, and ...\r\nfrom evtx2df import dataframe_from_evtx\r\ndf = dataframe_from_evtx(\r\n evtx_file_path=r\"C:\\Windows\\System32\\winevt\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx\"\r\n)\r\n\r\n\r\nprint(df[19:25].to_string())\r\n aa_value aa_key_0 aa_key_1 aa_key_2 aa_key_3 aa_key_4 aa_event_record_id aa_timestamp aa_kind_of_event\r\n19 1 Event System Task <NA> <NA> 1298 2023-03-25 03:07:30.497541+00:00 <NA>\r\n20 2023-03-25T03:07:30.497541Z Event System TimeCreated #attributes SystemTime 1298 2023-03-25 03:07:30.497541+00:00 <NA>\r\n21 0 Event System Version <NA> <NA> 1298 2023-03-25 03:07:30.497541+00:00 <NA>\r\n22 http://schemas.microsoft.com/win/2004/08/events/event Event #attributes xmlns <NA> <NA> 1297 2023-03-25 03:07:30.497538+00:00 <NA>\r\n23 72 Event EventData TaskCount <NA> <NA> 1297 2023-03-25 03:07:30.497538+00:00 <NA>\r\n24 install::Microsoft.MicrosoftEdge_8wekyb3d8bbwe Event EventData TaskId <NA> <NA> 1297 2023-03-25 03:07:30.497538+00:00 <NA>\r\n\r\n# ... 
finds all evtx files on your HDD\r\n\r\nevtxdf=list_all_evtx_files_in_path(hdd='c:\\\\')\r\n\r\nprint(evtxdf[11:15].to_string())\r\n aa_path aa_name aa_path_only aa_size aa_size_on_disk aa_created aa_last_written aa_last_accessed aa_descendents aa_read_only aa_archive aa_system aa_hidden aa_offline aa_not_content_indexed_file aa_no_scrub_file aa_integrity aa_pinned aa_unpinned aa_directory_flag aa_compressed aa_encrypted aa_sparse aa_reparse aa_attributes\r\n11 C:\\Windows\\System32\\winevt\\Logs\\Visual Studio.evtx Visual Studio.evtx C:\\Windows\\System32\\winevt\\Logs 69632 69632 b'2023-03-30 19:39:28' b'2023-03-31 19:54:38' b'2023-03-31 19:54:38' 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 32\r\n12 C:\\Windows\\System32\\winevt\\Logs\\Squid Service Log.evtx Squid Service Log.evtx C:\\Windows\\System32\\winevt\\Logs 69632 69632 b'2023-03-25 05:52:15' b'2023-03-25 12:53:59' b'2023-03-25 12:53:59' 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 32\r\n13 C:\\Windows\\System32\\winevt\\Logs\\Microsoft-Windows-Sysmon%4Operational.evtx Microsoft-Windows-Sysmon%4Operational.evtx C:\\Windows\\System32\\winevt\\Logs 18944000 18944000 b'2023-05-17 23:15:01' b'2023-05-18 00:59:07' b'2023-05-18 00:59:07' 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 32\r\n14 C:\\Windows\\System32\\winevt\\Logs\\State.evtx State.evtx C:\\Windows\\System32\\winevt\\Logs 69632 69632 b'2023-03-24 23:46:26' b'2023-03-25 00:06:45' b'2023-03-25 00:06:45' 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 32\r\n\r\n\r\n```\r\n\r\n\r\n\r\n",
"bugtrack_url": null,
"license": "MIT",
"summary": "converts Windows Event Logs (EVTX) into pandas DataFrames / CSV files",
"version": "0.10",
"project_urls": {
"Homepage": "https://github.com/hansalemaos/evtx2df"
},
"split_keywords": [
"evtx",
"csv",
"convert",
"pandas"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "393724da68e7f658ebc875632b023da0661e378c6cf71fa0e2785b12cb2b78ee",
"md5": "15053f7d2e563228b2efa11bfdea8f91",
"sha256": "b536ce183610ebcc0ce270e216d7befc9ae1b1a9c4257fffd07c37a186ba3987"
},
"downloads": -1,
"filename": "evtx2df-0.10-py3-none-any.whl",
"has_sig": false,
"md5_digest": "15053f7d2e563228b2efa11bfdea8f91",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": null,
"size": 12990,
"upload_time": "2023-05-18T04:28:32",
"upload_time_iso_8601": "2023-05-18T04:28:32.386889Z",
"url": "https://files.pythonhosted.org/packages/39/37/24da68e7f658ebc875632b023da0661e378c6cf71fa0e2785b12cb2b78ee/evtx2df-0.10-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "5aff34c44fc8dad59c9860c36b64e7d305c38b081d195566fc7312f4d64fde47",
"md5": "83d0d4abec92103d29c6b6560c06b62a",
"sha256": "e7aa33eda4c499d525ae925d0930abe8afa0ba2eec4f50e3710439ed8b4edccd"
},
"downloads": -1,
"filename": "evtx2df-0.10.tar.gz",
"has_sig": false,
"md5_digest": "83d0d4abec92103d29c6b6560c06b62a",
"packagetype": "sdist",
"python_version": "source",
"requires_python": null,
"size": 12856,
"upload_time": "2023-05-18T04:28:34",
"upload_time_iso_8601": "2023-05-18T04:28:34.663086Z",
"url": "https://files.pythonhosted.org/packages/5a/ff/34c44fc8dad59c9860c36b64e7d305c38b081d195566fc7312f4d64fde47/evtx2df-0.10.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2023-05-18 04:28:34",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "hansalemaos",
"github_project": "evtx2df",
"travis_ci": false,
"coveralls": false,
"github_actions": false,
"requirements": [
{
"name": "a_pandas_ex_apply_ignore_exceptions",
"specs": []
},
{
"name": "a_pandas_ex_horizontal_explode",
"specs": []
},
{
"name": "Evtx",
"specs": []
},
{
"name": "flatten_any_dict_iterable_or_whatsoever",
"specs": []
},
{
"name": "getfilenuitkapython",
"specs": []
},
{
"name": "pandas",
"specs": []
},
{
"name": "python_evtx",
"specs": []
},
{
"name": "touchtouch",
"specs": []
},
{
"name": "uffspd",
"specs": []
},
{
"name": "ujson",
"specs": []
}
],
"lcname": "evtx2df"
}