use clap::{Parser, ValueEnum};
use super::{Rfc3339Datetime, SystemField};
use regex::Regex;
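// Value of `--sort`. The `///` comments on the variants are what clap shows as
// the per-value help for this option, so they must stay user-facing; the value
// names on the command line are clap's default kebab-case spelling of the
// variant names.
//
// Fieldless enum, so the extra derives cost nothing: `Debug`/`PartialEq`/`Eq`
// let the parsed order be printed in diagnostics and compared in tests, and
// `Copy` avoids needless `.clone()` at the use sites.
#[derive(ValueEnum, Clone, Copy, Debug, PartialEq, Eq)]
pub(crate) enum SortOrder {
    /// don't change order, output records as they are stored
    Storage,
    /// sort by event record id
    RecordId,
    /// sort by date and time
    Time,
}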
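/// Display one or more events from an evtx file
// `#[derive(Parser)]` renders the `///` doc comments as the `--help` text: the
// struct's comment becomes `about`, each field's comment becomes that
// argument's help. Keep those user-facing and byte-stable; maintainer notes
// belong in `//` comments like this one, which clap never sees.
#[derive(Parser)]
#[clap(author,version,about,long_about=None)]
pub(crate) struct Cli {
    /// Name of the evtx files to read from
    // Positional operand(s), taken verbatim as `String`. Nothing here checks
    // that a path exists or is a regular file; whatever opens the files is
    // expected to surface the I/O error (that code is not in this module).
    pub(crate) evtx_files: Vec<String>,
    /// use this delimiter instead of generating fixed space columns
    // `Option<char>` means clap rejects anything but exactly one character.
    #[clap(short('d'), long("delimiter"))]
    pub(crate) delimiter: Option<char>,
    /// List events with only the specified event ids, separated by ','
    // Parsed as `u16`, so negative or > 65535 values are a usage error rather
    // than a silently truncated id. Both `-i` and `-x` may be given; how an id
    // present in both lists is treated is decided by the filter, not here.
    #[clap(
        short('i'),
        long("include"),
        use_value_delimiter = true,
        value_delimiter = ','
    )]
    pub(crate) included_event_ids: Vec<u16>,
    /// Exclude events with the specified event ids, separated by ','
    #[clap(
        short('x'),
        long("exclude"),
        use_value_delimiter = true,
        value_delimiter = ','
    )]
    pub(crate) excluded_event_ids: Vec<u16>,
    /// highlight interesting content using colors
    #[clap(short('c'), long("colors"))]
    pub(crate) display_colors: bool,
    /// hide events older than the specified date (hint: use RFC 3339 syntax)
    // Parsed by the crate-local `Rfc3339Datetime`. There is no cross-field
    // check that `--from` is not later than `--to`; a reversed range is
    // accepted here and presumably just matches nothing — confirm in the filter.
    #[clap(short('f'), long("from"))]
    pub(crate) not_before: Option<Rfc3339Datetime>,
    /// hide events newer than the specified date (hint: use RFC 3339 syntax)
    #[clap(short('t'), long("to"))]
    pub(crate) not_after: Option<Rfc3339Datetime>,
    /// highlight event data based on this regular expression
    // clap builds this through `Regex`'s `FromStr`, so a malformed pattern is a
    // usage error. The pattern is user-controlled, but the `regex` crate
    // matches with finite automata (no backtracking) and caps the compiled
    // program size, so a hostile pattern cannot cause catastrophic match time.
    #[clap(short('r'), long("regex"))]
    pub(crate) highlight: Option<Regex>,
    /// sort order
    #[clap(short('s'), long("sort"), value_enum, default_value_t=SortOrder::Storage)]
    pub(crate) sort_order: SortOrder,
    /// display fields common to all events. multiple values must be separated by ','
    // `ignore_case` applies to the `SystemField` value names; the default is
    // the event id plus the record id.
    #[clap(
        short('b'),
        long("base-fields"),
        value_enum,
        use_value_delimiter=true,
        value_delimiter=',',
        ignore_case=true,
        default_values_t=vec![SystemField::EventId, SystemField::EventRecordId])]
    pub(crate) display_system_fields: Vec<SystemField>,
    /// don't display any common event fields at all. This corresponds to
    /// specifying '--base-fields' without any values (which is not allowed, that's why there is this flag)
    // `-B` is documented as the "no values" form of `-b`, so passing both is
    // contradictory. Let clap reject the combination with a usage error instead
    // of leaving the consumer to pick one silently. Default values of
    // `display_system_fields` do not count as "present" for this check, so
    // plain `-B` keeps working.
    #[clap(
        short('B'),
        long("hide-base-fields"),
        default_value_t=false,
        conflicts_with("display_system_fields")
    )]
    pub(crate) hide_base_fields: bool,
}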