I'm releasing version 1.0.8 of my Windows Event Log Parser library and tools collection. While there are only minor enhancements to the library, the distribution format has been changed significantly. I apologize for any inconvenience this may cause. The archive is available for download here.
The most important changes from version 1.0.7 are:
All objects derived from BxmlNode will now emit a short hex dump in case of an unknown opcode. Please forward me these dumps if possible in order to help me improve the program.
Evtx.pm now reads the number of the oldest chunk from the file header and exposes it through the OldestChunk property. Please note that the first chunk doesn't have to be the oldest one. The evtxinfo.pl sample program has been modified to indicate the oldest and the currently active chunk, as shown in the following example:
    $ evtxinfo.pl rotated.evtx
    Information from file header:
      Format version : 3.1
      Flags          : 0x00000000
      File is        : clean
      Log is full    : no
      Current chunk  : 2 of 16
      Oldest chunk   : 3
      Next Record#   : 5257
      Check sum      : pass

    Information from chunks:

      Chunk  file (first/last)      log (first/last)       Header  Data
    - -----  ---------------------  ---------------------  ------  ------
        1    4681      4976         4902      5197         pass    pass
    *   2    4977      5035         5198      5256         pass    pass
    >   3     593       888          814      1109         pass    pass
        4     889      1135         1110      1356         pass    pass
        5    1136      1431         1357      1652         pass    pass
      ...
The asterisk (*) marks the current chunk and the angular bracket (>) indicates the oldest chunk.
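As an added example (not code from Parse-Evtx or this post), the following Python decodes the same file-header fields that evtxinfo.pl prints above from a constructed 128-byte header and checks the header CRC32. The field layout follows the published EVTX file-header description; the chunk numbers are returned as stored in the header (zero-based), and how evtxinfo.pl maps them to the displayed numbers is not assumed here.

```python
import struct
import zlib

# EVTX file header, 128 bytes, little-endian (per the public format description):
# signature, oldest chunk, current chunk, next record id, header size,
# minor, major, header block size, chunk count, 76 unused bytes, flags, CRC32.
HEADER_FMT = "<8sQQQIHHHH76sII"
FLAG_DIRTY, FLAG_FULL = 0x1, 0x2

def parse_evtx_header(block: bytes) -> dict:
    """Decode the header and verify its CRC32 (computed over the first 120 bytes)."""
    if len(block) < 128:
        raise ValueError("need at least 128 bytes of file header")
    (sig, oldest, current, next_rec, _hdr_size, minor, major,
     _blk_size, chunks, _unused, flags, crc) = struct.unpack(HEADER_FMT, block[:128])
    if sig != b"ElfFile\x00":
        raise ValueError("not an EVTX file header")
    return {
        "version": f"{major}.{minor}",
        "flags": flags,
        "dirty": bool(flags & FLAG_DIRTY),    # "File is: dirty" in evtxinfo.pl
        "full": bool(flags & FLAG_FULL),      # "Log is full: yes"
        "current_chunk": current,             # chunk currently being written
        "oldest_chunk": oldest,               # need not be chunk 0 once the log rotated
        "chunk_count": chunks,
        "next_record": next_rec,
        "checksum_ok": zlib.crc32(block[:120]) == crc,
    }

def build_header(oldest: int, current: int, next_rec: int, chunks: int, flags: int) -> bytes:
    """Construct a valid header for testing; not taken from a real log file."""
    body = struct.pack("<8sQQQIHHHH76sI", b"ElfFile\x00", oldest, current, next_rec,
                       128, 1, 3, 4096, chunks, b"\x00" * 76, flags)
    return body + struct.pack("<I", zlib.crc32(body[:120]))

def with_byte_flipped(block: bytes, offset: int) -> bytes:
    """Corrupt one byte so the checksum check can be exercised."""
    out = bytearray(block)
    out[offset] ^= 0xFF
    return bytes(out)

# Constructed sample mirroring the rotated log above (raw, zero-based chunk numbers).
SAMPLE_HEADER = build_header(oldest=2, current=1, next_rec=5257, chunks=16, flags=0)

if __name__ == "__main__":
    for key, value in parse_evtx_header(SAMPLE_HEADER).items():
        print(f"{key:14}: {value}")
```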
Richard W. M. Jones provided online help in POD format for the sample programs. He also initiated a major change to the distribution format and provided me with a makefile. Thank you very much!
From now on, distribution files will be named Parse-Evtx-<version>.zip; Parse-Evtx-current.zip will point to the current version. The old name EvtxParse-current.zip will be maintained for backward compatibility.
The library and sample programs can now be installed the usual way:
    $ perl Makefile.PL
    $ make
    $ sudo make install