
Evtxecmd

Open Net4u13 opened this issue 1 year ago • 1 comments

When processing Windows event logs with EvtxECmd I frequently see a notice that time just went backwards, but when reviewing the event logs there is no gap in the logs observed. An example is provided below. Can you help to explain what this is indicating?

Chunk count: 15,625, Iterating records...
Record #: 172349710 (timestamp: 2024-01-16 13:13:01.3026785): Warning! Time just went backwards! Last seen time before change: 2024-02-16 21:22:16.6101064

I also frequently observe a message stating that a value is not found and is replaced with an empty string. An example is provided below. Can you help to explain what this is indicating?

Record # 75146 (Event Record Id: 75146): In map for event 1150, Property /Event/EventData/Data[@Name="Signature version"] not found! Replacing with empty string

Net4u13 avatar Feb 17 '24 19:02 Net4u13

It's just a warning as the records get processed, is all. It's based on the order in the file itself vs how things get displayed. It generally can be ignored.

The value not found is also informational and just means the key in the map isn't there, so it's going to use an empty string vs null.

Hth

EricZimmerman avatar Feb 17 '24 19:02 EricZimmerman
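An added illustration of the two behaviours discussed in this thread (not EvtxECmd's own code): records are walked in the order they sit in the file, so a record whose timestamp is earlier than the one before it triggers a "time went backwards" notice even though sorting by time shows no missing stretch of log; and a map property that is absent from a record's EventData is substituted with an empty string rather than null. The sample records, the choice to compare each record against the immediately preceding one, and the `map_property` helper are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Record:
    """Minimal stand-in for one .evtx record (assumed shape, not the tool's type)."""
    record_id: int
    timestamp: datetime
    event_id: int
    data: dict = field(default_factory=dict)  # EventData name -> value


# Constructed sample: four records in file order. Record 3 carries an older
# timestamp than record 2, as happens when records are written out of time
# order; once sorted by time there is no missing minute in the log.
SAMPLE_RECORDS = [
    Record(1, datetime(2024, 2, 16, 21, 20, 0), 1150, {"Signature version": "1.0"}),
    Record(2, datetime(2024, 2, 16, 21, 22, 16), 1150, {"Signature version": "1.1"}),
    Record(3, datetime(2024, 2, 16, 21, 21, 0), 1150, {}),  # earlier than record 2
    Record(4, datetime(2024, 2, 16, 21, 23, 0), 1150, {"Signature version": "1.2"}),
]


def time_went_backwards(records):
    """Walk records in file order and report each one whose timestamp is
    earlier than the record just before it. Comparing against the previous
    record is an assumption about how the warning is generated."""
    notices = []
    previous = None
    for rec in records:
        if previous is not None and rec.timestamp < previous.timestamp:
            notices.append({
                "record_id": rec.record_id,
                "timestamp": rec.timestamp.isoformat(),
                "last_seen": previous.timestamp.isoformat(),
            })
        previous = rec
    return notices


def largest_gap(records):
    """Sort by timestamp and return the largest interval between consecutive
    events; this, not file order, is what tells you whether log is missing."""
    ordered = sorted(rec.timestamp for rec in records)
    return max((later - earlier for earlier, later in zip(ordered, ordered[1:])),
               default=timedelta(0))


def map_property(record, name):
    """Resolve a map property from the record's EventData. A missing key
    yields an empty string plus an informational notice, never None."""
    if name in record.data:
        return record.data[name], None
    notice = (f"Record # {record.record_id}: In map for event {record.event_id}, "
              f'Property /Event/EventData/Data[@Name="{name}"] not found! '
              "Replacing with empty string")
    return "", notice


if __name__ == "__main__":
    for note in time_went_backwards(SAMPLE_RECORDS):
        print(f"Record #: {note['record_id']} (timestamp: {note['timestamp']}): "
              f"Warning! Time just went backwards! Last seen time before change: "
              f"{note['last_seen']}")
    print("largest gap once sorted by time:", largest_gap(SAMPLE_RECORDS))
    for rec in SAMPLE_RECORDS:
        value, notice = map_property(rec, "Signature version")
        print(rec.record_id, repr(value), notice or "")
```

Running it prints one backwards-time notice for record 3 while the largest sorted gap is 76 seconds, which is the point of the answer above: the warning reflects write order inside the file, not a hole in the timeline. The map lookup on record 3 returns `''` with a notice and `'1.0'` for record 1.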