Query .evtx converted to .xml

Question

Having used evtx_dump.py to convert .evtx files to .xml i seek to learn how to query it using XQuery or whatever helps me datamine the document using BaseX.

At this point whatever i try i can only query the whole document using //Events

When i define a path such as //Events/Event/System/[EventID = '4688'] i get 0 results.

This first query is to simply track all specific EventID matching a specific value.

Being new to BaseX and XQuery i found the documentation hard to apply to this use case.

I looked for tools to help me build an XQuery to no avail.

BaseX has all index features enabled i could find.

Br,

Joris

Answer 1

When XQuery fails to return data you are expecting it is often caused by the presence XML namespaces.

The Microsoft XML event log uses a XML namespace on Event nodes and it is inherited by their children. This is the xmlns='http://schemas.microsoft.com/win/2004/08/events/event' you can see in the files. E.g

    <?xml version="1.0" encoding="utf-8" standalone="yes"?>
    <Events><Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
   <System><Provider Name='SideBySide'/><EventID Qualifiers='49409'>59</EventID><Version>0</Version>
    ...

Your XQuery must adjust for that. Either by saying any namespace is ok (using *:)

//*:System/[*:EventID = '4688'] 

or by explicitly specifing the expected namespaces.

declare namespace ns="http://schemas.microsoft.com/win/2004/08/events/event";
/Events/ns:Event/ns:System[ns:EventID= '4688' ]

See this similar issue xquery-not-working-with-namespaces