How to Sort Event Records
Over time I have found that different tools order event records differently. The Windows Event Viewer, for example, exports records from the highest to the lowest EventRecordID. My own tool parses an EVTX file from beginning to end and emits event records in the order they appear in the file. In most cases this is the opposite direction, from the lowest to the highest EventRecordID. To make things worse, logs can be configured to wrap around, so the record with the lowest number may be found somewhere in the middle. A tool that sorts event records in XML format by their EventRecordID would come in handy!
Fortunately the log file already exists in XML format, so it should be easy to come up with an XML transformation that sorts its records. An article by Bob DuCharme provides a great introduction and lots of sample code. In particular, the example xq437.xsl on page 3 looked promising to me. All I had to adjust was a couple of element names and the namespace. Here's the final XSLT script:
<?xml version="1.0" encoding="UTF-8" ?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:evtx="http://schemas.microsoft.com/win/2004/08/events/event">
  <xsl:output method="xml" indent="yes" encoding="UTF-8"/>
  <xsl:strip-space elements="*"/>

  <!-- The root of an Event Viewer export is an unqualified <Events> element;
       each <Event> child is in the Microsoft event schema namespace (evtx:). -->
  <xsl:template match="Events">
    <xsl:copy>
      <xsl:apply-templates select="evtx:Event">
        <!-- data-type="number": as strings, "10" would sort before "9". -->
        <xsl:sort select="evtx:System/evtx:EventRecordID"
                  data-type="number"
                  order="ascending"/>
      </xsl:apply-templates>
    </xsl:copy>
  </xsl:template>

  <!-- Identity copy of everything inside an event. Attributes must be selected
       explicitly: <xsl:copy> with a bare <xsl:apply-templates/> copies child
       nodes only and silently drops Provider Name, TimeCreated SystemTime,
       Data Name and the like. -->
  <xsl:template match="@*|node()">
    <xsl:copy>
      <xsl:apply-templates select="@*|node()"/>
    </xsl:copy>
  </xsl:template>
</xsl:stylesheet>
You should be able to run it in any XSLT processor, such as Sablotron, Xalan, or SAXON. I already had libxslt installed, so I used its xsltproc command-line tool:
xsltproc evtxsort.xsl mylog.xml > mylog.sorted.xml
Now, event records are formatted nicely and appear in ascending order.
You can customize this script to your needs, e.g. sorting records in descending order, or sorting by EventID, or writing a summary report, or ...
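As an added example that is not part of the original post, here is the same sort done with the Python standard library instead of an XSLT processor. It handles the wrapped-around log described above and the customizations just suggested (descending order, sorting by EventID); the sample export, including its EventRecordID and EventID values, is constructed for the example.

```python
import sys
import xml.etree.ElementTree as ET

# Namespace every <Event> in an Event Viewer export is qualified with; the <Events>
# root itself is unqualified, so output uses an explicit evtx: prefix instead.
EVTX_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"evtx": EVTX_NS}
ET.register_namespace("evtx", EVTX_NS)

# Constructed sample of a wrapped-around log: the oldest record (100) sits in the middle.
SAMPLE_XML = """<Events>
  <Event xmlns="{ns}"><System><Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID><EventRecordID>102</EventRecordID></System></Event>
  <Event xmlns="{ns}"><System><Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4625</EventID><EventRecordID>103</EventRecordID></System></Event>
  <Event xmlns="{ns}"><System><Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4634</EventID><EventRecordID>100</EventRecordID></System></Event>
  <Event xmlns="{ns}"><System><Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID><EventRecordID>101</EventRecordID></System></Event>
</Events>""".format(ns=EVTX_NS)

def system_field(event, name):
    """Integer value of <System><name> in one <Event>; a missing field is an error."""
    node = event.find(f"evtx:System/evtx:{name}", NS)
    if node is None or node.text is None:
        raise ValueError(f"<Event> has no <System><{name}>")
    return int(node.text)

def sort_events(xml_text, key="EventRecordID", descending=False):
    """Return the parsed <Events> root with its <Event> children re-ordered by `key`.
    Compares numbers, not strings ("10" < "9" as strings); each <Event> subtree moves
    intact, attributes included; the sort is stable, so equal keys keep document order."""
    root = ET.fromstring(xml_text)
    events = root.findall("evtx:Event", NS)
    for ev in events:
        root.remove(ev)
    events.sort(key=lambda ev: system_field(ev, key), reverse=descending)
    root.extend(events)
    return root

def record_ids(root):
    """EventRecordIDs in document order, handy for checking the result."""
    return [system_field(ev, "EventRecordID") for ev in root.findall("evtx:Event", NS)]

def to_xml(root):
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    src = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_XML
    print(to_xml(sort_events(src)))
```

Run it as `python evtxsort.py mylog.xml > mylog.sorted.xml`; without an argument it sorts the built-in sample.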