A fast, modern Windows Event Log viewer built with Rust and egui — a powerful alternative to the traditional Event Viewer.
EventSleuth provides a streamlined interface for viewing and analyzing Windows Event Logs. Built with performance in mind, it handles 100,000+ events smoothly using virtual scrolling and background-threaded queries.
- Fast Event Queries - Background-threaded log queries that don't block the UI
- Virtual Scrolling - Handle 100k+ events without performance degradation
- Composable Filters - Build complex filters with multiple criteria
  - Filter by event level (Information, Warning, Error, Critical)
  - Filter by source
  - Filter by event ID
  - Filter by time range
  - Search event messages
- Export Options - Export filtered results to:
  - CSV format
  - JSON format
- Modern UI - Clean, intuitive interface built with egui
- Real-time Updates - Monitor logs as events occur
- Multiple Log Sources - Access all Windows event log channels
  - Application
  - Security
  - System
  - Setup
  - Custom application logs
- Windows 10 or later
- Administrator privileges (for accessing certain event logs)
Download the latest release from the Releases page.
```bash
git clone https://github.com/Swatto86/EventSleuth.git
cd EventSleuth

# Build release version
cargo build --release

# Run
cargo run --release
```

- Launch EventSleuth (run as Administrator for full access)
- Select an event log channel from the dropdown
- Events will load in the background
- Use filters to narrow down results
  - By Level: Select one or more severity levels (Info, Warning, Error, Critical)
  - By Source: Filter by event source/provider
  - By Event ID: Enter specific event IDs to display
  - By Time: Set a date/time range for events
  - By Message: Search within event descriptions

- Apply your desired filters
- Click the "Export" button
- Choose CSV or JSON format
- Select save location
- Filtered events will be exported with all details
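The filter and export steps above, as an added example that is not EventSleuth's own code: the five filter criteria composed into one AND filter, and an RFC 4180 CSV row writer for the export step. The `Event`, `Filter` and function names are assumptions, and the events are constructed samples (the ID 4625 logon failure is modelled on the Security log).

```rust
// Added example, not EventSleuth's own code. Struct and field names are assumptions;
// the events below are constructed samples, not real log data.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Level { Information, Warning, Error, Critical }
#[derive(Debug, Clone)]
pub struct Event { pub id: u32, pub level: Level, pub source: String, pub time: u64, pub message: String }

/// Unset criteria match everything, so any combination of set criteria is ANDed together.
#[derive(Default)]
pub struct Filter {
    pub levels: Vec<Level>,
    pub source: Option<String>,
    pub ids: Vec<u32>,
    pub time_range: Option<(u64, u64)>, // inclusive bounds, seconds since the Unix epoch
    pub message: Option<String>,        // case-insensitive substring of the description
}

impl Filter {
    pub fn matches(&self, e: &Event) -> bool {
        (self.levels.is_empty() || self.levels.contains(&e.level))
            && self.source.as_deref().map_or(true, |s| s.eq_ignore_ascii_case(&e.source))
            && (self.ids.is_empty() || self.ids.contains(&e.id))
            && self.time_range.map_or(true, |(lo, hi)| (lo..=hi).contains(&e.time))
            && self.message.as_deref().map_or(true, |m| e.message.to_lowercase().contains(&m.to_lowercase()))
    }
}

/// Quote a field only when it holds a comma, quote or line break; embedded quotes are doubled.
fn csv_field(s: &str) -> String {
    if s.contains([',', '"', '\n', '\r']) { format!("\"{}\"", s.replace('"', "\"\"")) } else { s.to_string() }
}
/// One export row: id,level,source,time,message (the header line is left to the caller).
pub fn csv_row(e: &Event) -> String {
    format!("{},{:?},{},{},{}", e.id, e.level, csv_field(&e.source), e.time, csv_field(&e.message))
}

/// Constructed sample data: a logon failure (ID 4625, Security log), a service notice, an app crash.
pub fn sample_events() -> Vec<Event> {
    let ev = |id, level, src: &str, time, msg: &str| Event { id, level, source: src.into(), time, message: msg.into() };
    vec![
        ev(4625, Level::Information, "Microsoft-Windows-Security-Auditing", 1_700_000_100, "An account failed to log on.\nAccount Name: alice"),
        ev(7036, Level::Information, "Service Control Manager", 1_700_000_200, "The Print Spooler service entered the running state."),
        ev(1000, Level::Error, "Application Error", 1_700_000_300, "Faulting application name: notepad.exe"),
    ]
}

/// Filter by event ID, time window and message text at once, then render the survivors as CSV rows.
pub fn failed_logons_csv(events: &[Event]) -> Vec<String> {
    let f = Filter { ids: vec![4625], time_range: Some((1_700_000_000, 1_700_000_250)),
                     message: Some("failed to log on".into()), ..Default::default() };
    events.iter().filter(|e| f.matches(e)).map(csv_row).collect()
}
```

Note that the multi-line message is quoted in the CSV output, so a spreadsheet or parser reads it as one field rather than two rows.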
EventSleuth is designed for performance:
- Background Threading: Event queries run in separate threads to keep the UI responsive
- Virtual Scrolling: Only visible events are rendered, allowing smooth scrolling through massive logs
- Efficient Filtering: Filters are applied efficiently without re-querying the entire log
- Memory Efficient: Uses Rust's ownership system to minimize memory usage
- System Troubleshooting - Quickly find error events and their causes
- Security Auditing - Review security events and access patterns
- Application Debugging - Monitor application-specific event logs
- Compliance Reporting - Export filtered logs for compliance documentation
- Performance Analysis - Track system events over time
- Incident Response - Rapidly search and filter during investigations
- Rust - Systems programming language for performance and reliability
- egui - Immediate-mode GUI framework for native desktop apps
- Windows Event Log API - Direct Windows API integration for log access
EventSleuth uses a multi-threaded architecture:
```text
┌─────────────┐
│  UI Thread  │ ◄──── User interactions, rendering
└──────┬──────┘
       │
       ▼
┌──────────────────┐
│  Query Threads   │ ◄──── Background event log queries
└──────┬───────────┘
       │
       ▼
┌──────────────────┐
│  Windows Event   │
│    Log API       │
└──────────────────┘
```
Events are fetched in the background and streamed to the UI, allowing for responsive interaction even with large log files.
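The threading model above in miniature, as an added example that is not EventSleuth's own code: a query thread streams events in batches over a channel, and the UI thread drains whatever has arrived each frame with `try_recv` so rendering never blocks. A constructed generator stands in for the Windows Event Log API; all names are assumptions.

```rust
// Added example, not EventSleuth's own code: a constructed generator stands in for the
// Windows Event Log API, and every name here is an assumption.
use std::sync::mpsc::{self, Receiver, TryRecvError};
use std::thread;
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Event { pub id: u32, pub message: String }
pub enum QueryMsg { Batch(Vec<Event>), Done, Failed(String) }

/// Start the background query for a channel; the UI keeps only the receiving end.
pub fn spawn_query(channel: String, total: u32, batch: usize) -> Receiver<QueryMsg> {
    let (tx, rx) = mpsc::channel();
    thread::spawn(move || {
        if channel.is_empty() { let _ = tx.send(QueryMsg::Failed("no channel selected".into())); return; }
        let mut buf = Vec::with_capacity(batch);
        for i in 0..total {
            buf.push(Event { id: 1000 + i, message: format!("{channel} event {i}") });
            // A failed send means the UI dropped the receiver (log switched or app closed): stop early.
            if buf.len() == batch && tx.send(QueryMsg::Batch(std::mem::take(&mut buf))).is_err() { return; }
        }
        if !buf.is_empty() { let _ = tx.send(QueryMsg::Batch(buf)); }
        let _ = tx.send(QueryMsg::Done);
    });
    rx
}

/// UI-side state: events streamed so far plus completion and error status for the status bar.
#[derive(Default)]
pub struct Loader { pub events: Vec<Event>, pub finished: bool, pub error: Option<String> }
impl Loader {
    /// Called once per frame: take everything already queued, then return without waiting.
    pub fn poll(&mut self, rx: &Receiver<QueryMsg>) {
        loop {
            match rx.try_recv() {
                Ok(QueryMsg::Batch(b)) => self.events.extend(b),
                Ok(QueryMsg::Done) => { self.finished = true; return; }
                Ok(QueryMsg::Failed(e)) => { self.error = Some(e); self.finished = true; return; }
                Err(TryRecvError::Empty) => return, // nothing more this frame; render what we have
                Err(TryRecvError::Disconnected) => { self.finished = true; return; } // worker died
            }
        }
    }
}

/// Drive a loader to completion the way the frame loop would (used by the test).
pub fn load_all(channel: &str, total: u32) -> Loader {
    let rx = spawn_query(channel.to_string(), total, 256);
    let mut l = Loader::default();
    while !l.finished { l.poll(&rx); thread::yield_now(); }
    l
}
```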
| Shortcut | Action |
|---|---|
| Ctrl+F | Focus search filter |
| Ctrl+E | Toggle export dialog |
| Ctrl+R | Refresh current log |
| F5 | Refresh current log |
| Escape | Clear filters |

| Feature | EventSleuth | Event Viewer |
|---|---|---|
| Performance | Fast virtual scrolling | Slow with large logs |
| Filtering | Composable, multi-criteria | Limited filtering |
| Export | CSV, JSON | XML only |
| UI | Modern, responsive | Traditional, dated |
| Search | Full-text search | Basic find |
| Threading | Background queries | Blocks on large queries |
Some event logs require administrator privileges. Run EventSleuth as Administrator:
- Right-click `EventSleuth.exe`
- Select "Run as administrator"
If no events appear:
- Verify the selected log channel exists
- Check that the Windows Event Log service is running
- Ensure you have permissions to access the selected log
For optimal performance:
- Use filters to reduce the number of displayed events
- Close other resource-intensive applications
- Ensure your system meets minimum requirements
EventSleuth supports runtime-selectable debug logging via the RUST_LOG environment variable. Debug mode is disabled by default in release builds and incurs zero overhead in normal operation.
Activation:
```powershell
# PowerShell — run with debug logging
$env:RUST_LOG = "debug"; .\EventSleuth.exe

# For maximum detail (trace level)
$env:RUST_LOG = "trace"; .\EventSleuth.exe
```

Log file location: `%LOCALAPPDATA%\EventSleuth\logs\eventsleuth.log`
The log file is always written at debug level regardless of the RUST_LOG setting. It rotates automatically when it exceeds 5 MB (the previous log is preserved as eventsleuth.log.old).
Output includes: timestamps, module paths, function entry/exit, decision points, state transitions, OS-level interactions, and error chains. Secrets, tokens, and PII are never logged.
- Rust 1.70 or later
- Windows 10 SDK
- Visual Studio Build Tools (for Windows API bindings)
```bash
# Debug build
cargo build

# Release build
cargo build --release

# Run tests
cargo test

# Run with logging
RUST_LOG=debug cargo run
```

```text
EventSleuth/
├── src/
│   ├── main.rs               # Application entry point, single-instance guard
│   ├── app.rs                # App state, eframe::App impl, DWM startup cloaking
│   ├── app_actions.rs        # Export, keyboard shortcuts, About dialog
│   ├── lib.rs                # Library crate re-exports for integration tests
│   ├── core/                 # Event log API, parsing, filtering
│   ├── ui/                   # UI panel components and theme
│   ├── export/               # CSV and JSON export
│   └── util/                 # Constants, error types, time helpers
├── tests/                    # Integration / E2E tests
├── assets/
│   ├── app.manifest          # UAC and DPI manifest
│   └── icon.ico              # Auto-generated application icon
├── .github/workflows/
│   ├── ci.yml                # CI: fmt, clippy, test, build on every push/PR
│   └── release.yml           # Release: build + publish on version tag
├── build.rs                  # Icon generation + Windows resource embedding
├── update-application.ps1    # Automated version bump, tag, and release
├── PROJECT-ATLAS.md          # Architectural reference (Part B)
├── Cargo.toml                # Dependencies
└── README.md
```
Contributions are welcome! Please feel free to submit issues or pull requests.
This project is licensed under the MIT License - see the LICENSE file for details.
- Built with egui - Excellent Rust GUI framework
- Inspired by Event Viewer and other system monitoring tools
- Thanks to the Rust community for excellent libraries and support
Part of the Swatto Tools collection