GrokEVT 0.3.0 review
DownloadGrokEVT is a collection of scripts built for reading Windows NT event log files
|
|
GrokEVT is a collection of scripts built for reading Windows NT event log files. GrokEVT is released under the GNU GPL, and is implemented in Python. GrokEVT is loosely based on the PHP script and documentation provided by Jamie French.
Currently the scripts work together on one or more mounted Windows partitions to extract all information needed (registry entries, message templates, and log files) to convert the logs to a human-readable format.
Requirements:
RegLookup - This must be installed in your PATH.
Python version 2.3 or 2.4 (earlier 2.x may also work.)
Linux. Currently, due to windows partition mounting requirements, only Linux has been tested successfully. However, BSD systems may work if the right mounting options are used.
What's New in This Release:
Initial Jnicode support has been added.
Windows UTF-16 is properly read from logs, and output is optionally produced in UTF-8.
A new option has been added for printing log meta information, which is helpful in determining a log's level of corruption.
A new script, grokevt-addlog, has been introduced.
This allows one to add raw log files to an existing message template database.
There is a much improved log parsing algorithm, which works with wrapped and fragmentary logs.
Multiple bugfixes and improved exception handling.
GrokEVT 0.3.0 search tags