The Windows Event Log Messages (WELM) tool retrieves the definitions of Windows Event Log messages embedded in binaries. The tool's output can be used to create an exhaustive list of event information for an operating system.
The tool was initially developed to aid in writing the Spotting the Adversary with Windows Event Log Monitoring paper but has proven useful in a number of scenarios:
- Determining if there is an event that captures specific data of interest.
- Diffing event changes between operating system releases.
- Diffing event changes between operating system patch levels (more common in Windows 10).
- Documenting event specific informational fields and their data types which is useful for enriching event collection and analysis systems.
- Determining default states for logs and sources (enabled/disabled, max size, rotation policy, permissions, etc).
- Observing event system changes over time.
For more information see:
- Building WELM - how to build WELM.
- Running WELM - how to run WELM.
- Retrieving Data - how retrieve event data with WELM.
- Datasets - data retrieved with WELM.
Retrieved data is available as a dated (YYYMMDD) zip file attachment on the latest release organized by operating system version and architecture. Expanding the dated zip file attachment results in a number of folders that corresponding to Windows operating system releases along with the architecture version. See the Datasets page for more information about each folder and its corresponding media.
Most of the operating system folders contain two folders: welm and wevtutil. These folders were generated by using a batch file that calls WELM and wevutil. The welm folder contains files generated by the WELM tool. The wevtutil folder contains files generated by using wevutil to dump all log and publisher information. Most users will be interested in the events.csv, logs.csv, and providers.csv files inside the the welm folder for each operating system.
- Spotting the Adversary with Windows Event Log Monitoring
- Event-Forwarding-Guidance repository for the Spotting the Adversary with Windows Event Log Monitoring paper
- Windows 10 and Server 2016 security auditing and monitoring reference