Events (Crimson / EVTX)
Windows operating systems prior to Windows Vista use the standard (EVT) event logging format. Windows Vista and later clients and Windows 2008 and later servers use the newer EVTX (Crimson) event log format. Hyena will automatically detect if a remote system is using the EVT vs the EVTX event log format and use the appropriate functions. If using Hyena to read from an older EVT-based event system, see the Events (Standard / EVT) topic.
Alternately, Hyena can be configured to always use the older EVT functions to read all event logs (EVT or EVTX logs). To force Hyena to always use the older EVT event log functions, set the advanced EnableCrimsonLogs setting to FALSE under Tools > Settings > Advanced.
In addition to integration with the Windows native Event Viewer utility, Hyena also incorporates its own event viewing mechanism. The event log for a server or workstation can be accessed several different ways:
By double-clicking or right clicking on the Events object under any computer displayed in the left tree window.
By expanding the Events object (clicking on the 'plus' sign next to Events) and selecting the event log to view.
Selecting the Event Viewer option from any of Hyena's event context menus will run the native MMC Windows event viewer for the selected computer. The remainder of this help section describes the options available when using Hyena's integrated event viewing options.
To view the details of a specific event, simply double-click an event. The event properties window will display all of the event details, and allow going to the previous/next event.
Navigating the EVTX Event Log Tree
Microsoft has created a large number of specialized event logs in addition to the standard System, Application, and Security logs. When expanding the main 'Events' node under any EVTX-capable computer, Hyena will first display the standard event logs, then any specialized folders created in the EVTX system. The 'Microsoft' folder will be present for all systems, plus any vendor-specific EVTX event folders.
Due to the large number of event logs, by default Hyena will hide any disabled event logs. To show disabled EVTX logs, set the advanced setting ShowDisabledCrimsonLogs to TRUE under Tools > Settings > Advanced.
Event Viewing Options
Displaying Event Logs
To display EVTX logs, either double-click on the EVTX event log name in Hyena's left tree window, or select 'View Events' from the context menu.
Hyena automatically retrieves events in batches of 100. Sorting the list, or scrolling to the end of the current list, automatically retrieves the next batch.
Controlling Display Columns
To change the order of the display columns or to add/remove columns, select Tools > Settings > Display, change the Display Mode to 'EVTX Events', and change the display fields. To improve retrieval performance, avoid adding fields that are not needed; the Description column in particular can slow retrieval.
Viewing Event Details
To view the details of an event, double-click the event in Hyena's right window. Use the Up/Down buttons on the Event Properties window to move to the Previous/Next event in the underlying list.
Hyena does not currently support filtering EVTX event logs. This will be addressed in a future release. To filter events using the older EVT functions, either:
Right click on the main Events object under any computer displayed in the left tree window, and select Filter Events.
Right click on any computer in the right list window, and select Events > Filter Events.
For more information on filtering options, see the Events (Standard / EVT) > Filtering Events topic.
Opening and Backing Up Event Logs
Backing up Event Logs
To create a backup of an event log, right click on the EVTX log and select 'Backup Event Log...'. The backup file is written in the .evtx format.
Linking to Event Log Backups
Links can be created (and removed) to previously-saved backup logs by using the Saved Logs object under any Events node for a computer. These backup logs will always be visible under the Saved Logs object for the server from which the logs were created.
Viewing Backup Logs
To simply view the contents of a saved backup log, right click on the main Events node and select Open Log File.
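Because Hyena's event filtering applies only to the older EVT functions, a .evtx backup created with 'Backup Event Log...' can instead be filtered outside Hyena with Windows' own event subsystem. The following PowerShell is an added example and is not part of Hyena; the backup path and the event IDs are placeholder assumptions, not values from this page.

```powershell
# Added example (not Hyena's code): filter a Hyena-created .evtx backup with
# Get-WinEvent. The path and event IDs below are placeholders for illustration.
param(
    [string]$BackupPath = 'C:\EventBackups\Security-backup.evtx',  # placeholder
    [int[]]$EventIds    = @(4624, 4625),   # example: logon success / failure
    [int]$HoursBack     = 24,              # look-back window in hours
    [int]$MaxEvents     = 100              # same page size Hyena uses per batch
)

if (-not (Test-Path -LiteralPath $BackupPath)) {
    throw "Backup log not found: $BackupPath"
}

# Build an XPath query so the filtering is done by the event subsystem while
# reading the file, rather than by loading every record into PowerShell.
$idClause   = ($EventIds | ForEach-Object { "EventID=$_" }) -join ' or '
$windowMs   = [int64]$HoursBack * 3600 * 1000
$xpath      = "*[System[($idClause) and TimeCreated[timediff(@SystemTime) <= $windowMs]]]"

# Note: expanding the Message (description) property forces the provider's
# message resource lookup and is the slow part, much like Hyena's Description
# column. Select only the fields you need.
Get-WinEvent -Path $BackupPath -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction Stop |
    Select-Object TimeCreated, Id, ProviderName, LevelDisplayName, MachineName |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize
```

The `timediff(@SystemTime)` clause is relative to the time the query runs, so for an old backup raise `$HoursBack` or drop the clause to see all matching records.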