A high-performance, reliable Command Line Interface (CLI) tool designed to convert Windows Event Log (**.evtx**) files into JSON format.
Unlike standard converters, this tool is built for Digital Forensics and Incident Response (DFIR). It is specifically engineered to handle corrupted records, malformed XML, and the notorious utf-16-le encoding errors that often crash other parsers.
- XML Sanitization: Automatically strips illegal control characters and null bytes that break standard XML parsers.
- Memory Efficient: Uses a generator-based approach to process massive "Security" or "System" logs without exhausting RAM.
- Fault Tolerant: Skips individual corrupted records while ensuring the rest of the file is successfully converted.
- Analysis Ready: Converts Windows timestamps into standardized ISO 8601 strings.
Before running the script, ensure you have Python 3.8+ installed.
You must install the following dependencies:
- python-evtx: For parsing the binary structure of .evtx files.
- xmltodict: For converting sanitized XML data into clean Python dictionaries (JSON compatible).
Clone the repository and install the dependencies using pip:
```bash
# Clone the repository
git clone https://github.com/sto-yan06/evtx2json.git
cd evtx2json
# Install dependencies
pip install -r requirements.txt
```
- Save to a JSON file

```bash
python evtx2json.py System.evtx -o system_logs.json
```

- Stream to Terminal

```bash
python evtx2json.py Security.evtx
```

Handling Encoding & "Not Well-Formed" Errors

Windows logs frequently contain non-printable characters or "junk" data in the binary stream. If you see messages like `Skipping a record due to encoding error`, it means the script has successfully isolated a corrupted event and moved on to the next one to protect the integrity of your total output.
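The sanitization and skip-on-error behaviour described above, shown as an added example (not the project's own code): a sanitizer that removes the characters XML 1.0 forbids, and a generator that parses each record and skips the ones that are still malformed. It uses the standard-library parser instead of xmltodict so it runs without dependencies, and the record strings are constructed stand-ins for what python-evtx's `record.xml()` returns.

```python
import re
import xml.etree.ElementTree as ET
from typing import Iterable, Iterator

# Characters XML 1.0 does not permit in text: every control character except
# tab, LF and CR, plus lone surrogates and the two non-characters U+FFFE/U+FFFF.
_ILLEGAL_XML = re.compile("[\x00-\x08\x0b\x0c\x0e-\x1f\ud800-\udfff\ufffe\uffff]")


def sanitize_xml(text: str) -> str:
    """Strip null bytes and control characters that make a parser reject a record."""
    return _ILLEGAL_XML.sub("", text)


def convert_records(xml_records: Iterable[str]) -> Iterator[dict]:
    """Generator: yield one flat dict per record, one record at a time.

    A record whose XML is still not well-formed after sanitization is reported
    and skipped, so one corrupted event never aborts the whole conversion.
    """
    for index, raw in enumerate(xml_records):
        try:
            root = ET.fromstring(sanitize_xml(raw))
        except ET.ParseError as exc:
            print(f"Skipping record {index} due to encoding error: {exc}")
            continue
        yield {child.tag: (child.text or "") for child in root}


# Constructed sample input (hypothetical, not from a real log): record 1 carries
# an embedded NUL byte that sanitization repairs; record 2 is truncated and
# cannot be repaired, so the generator skips it.
SAMPLE_RECORDS = [
    "<Event><EventID>4624</EventID><Computer>WS01</Computer></Event>",
    "<Event><EventID>4625</EventID><Computer>WS\x0001</Computer></Event>",
    "<Event><EventID>4688</EventID><Computer>WS01",
]

if __name__ == "__main__":
    for event in convert_records(SAMPLE_RECORDS):
        print(event)
```

In the real pipeline the input iterable would be `record.xml()` for each record from `Evtx(path).records()`, with the yielded dicts serialized one per line.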