Wednesday, October 3, 2007

New EVTX Log Format Whitepaper Released

Earlier this week, we released a new whitepaper that outlines many of the key changes in the new EVTX event log format found in both Microsoft Vista and Windows Server 2008. We've included some choice pull quotes below, but you can download the full version by registering here:

Beginning with Microsoft® Windows Vista™ and Windows Server® 2008, Microsoft has completely redesigned its event log format. This new EVTX file format stores event log records as a stream of binary XML records. Accessing data in the new EVTX files requires the use of a new application programming interface that is not available in older Windows operating systems. In addition, the number of, structure of, and data within the fields in the EVTX log records has changed significantly.

Because the new Windows Event Log API functions are only available inside Windows Vista and later operating systems, legacy Windows operating systems like XP and 2003 cannot read previously saved EVTX files at all - there is simply no forward compatibility for consuming saved EVTX files. And while the legacy Event Log API can be used to read some of the events from an "active" EVTX file (that is to say an EVTX file currently being maintained by the EventLog service on a Vista machine), it cannot properly read and parse some events recorded by the new API.

In summary, both forward compatibility to EVTX files from legacy Windows operating systems and backward compatibility to EVT files are severely hampered, if available at all. As a result, organizations that rely on their own scripts and automation techniques may be tempted to develop two different systems for log management - one supporting legacy EVT files on legacy operating systems, and another supporting EVTX files on Windows Vista and Windows Server 2008. Such a strategy has the potential to decentralize log collection and reporting, as well as substantially increase costs over time.

Again, to read the full version, please register here:

No comments: