Mac OS/X – Reading Microsoft Windows Event Log file (*.evtx) files

Prelude

As always, it is one inter-operability problem or another.

I need to send Windows Event Viewer Log files (*.evtx) to a colleague whose primary work computer is a Mac OSX.


Options

So what to do? I tried using the App Store.

App Store - evtx

But, got no help.

Next, I Googled for help.

Found a gem in:

Cross-platform Windows Event Log viewer
http://jrs-s.net/2011/03/11/cross-platform-windows-event-log-viewer/

which led me to:

Windows Event Log Viewer (evtx_view)
http://www.tzworks.net/prototype_page.php?proto_id=4

I tried to install the version for OS X (evtx_view.v.0.69.osx.tar.gz), but the system barked at me that I needed X11 server and client libraries for OS X Mountain Lion.

That in turn led me to the XQuartz project: http://xquartz.macosforge.org. You should use XQuartz version 2.7.2 or later.

So please go ahead to http://xquartz.macosforge.org/landing/ and download XQuartz-2.7.4.dmg.

X Quartz

Thank goodness that the version number is part of the dmg file's name. And that version number is 2.7.4. We needed at minimum 2.7.2, so this particular version should be sufficient.

Install XQuartz-2.7.4.dmg

The install base is quite big; about 200 MB.

XQuartz 2.7.4 Installer

So this installs several utilities, including:

  • An XWindows sub-system (that allows Unix type applications to be used on a Mac)

When we tried running the App (evtx_view):

./evtx_view

We received an error message stating:

FXApp::openDisplay: unable to open display :0.0

So what does that error mean? Googled and shouted for help and was able to determine that X Windows needed to be installed and running.

To initiate an X Windows session, the best help I found was:

Installing FXRuby on OS X (Matthew Bass)
http://www.matthewbass.com/2008/06/02/installing-fxruby-on-os-x/

You should see an error message that looks something like this:

FXRbApp::openDisplay: unable to open display :0.0
It means your X11 terminal isn’t running. You can find it in /Applications/Utilities. Double click to launch. If you roll with Quicksilver, you should be able to type in X11 and launch it that way. Once launched, run the Ruby script again and you should see a tiny window with the title “Hello World.”

But, since X Windows support on Mac is now an open source project, you want to look for /Applications/Utilities/XQuartz

XQuartz

Once XQuartz is running, please go back and run evtx_view:

./evtx_view

And, you should now see a running X11 app.

EventLog viewer


And, yes, we are able to read MS Windows log files on Mac OS/X via this free tool evtx_view. But I am a bit put off that visually it is a bit lacking.

But, that only means that the data format is XML, or at least published and well understood, and that the display just needs to be worked on.
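To back up the point that the format is published and well understood, here is an added example (not code from the original post, and not part of evtx_view or TZWorks) that parses the EVTX container directly in Python. It follows the publicly documented layout of the .evtx file: a 128-byte "ElfFile" file header, 64 KiB "ElfChnk" chunks, and "**" event records carrying a BinXML payload, each level protected by a CRC32. The sample file it parses is constructed in memory, the BinXML payload is a placeholder that is treated as opaque bytes, and the helper names (build_sample_evtx, parse_evtx, demo) are mine. The useful part for an analyst is the checksum verification: a truncated, corrupted or edited record area is rejected rather than silently displayed.

```python
# Added example (not from the original post): a minimal parser for the EVTX
# container format. It constructs a one-chunk, one-record .evtx image in
# memory, parses it back and verifies the three CRC32 checksums the format
# carries. The BinXML event payload is not decoded; it is kept as raw bytes.
import struct
import zlib
from datetime import datetime, timedelta, timezone

FILE_MAGIC = b"ElfFile\x00"
CHUNK_MAGIC = b"ElfChnk\x00"
RECORD_MAGIC = b"\x2a\x2a\x00\x00"
FILE_HDR = "<8sQQQIHHHH76sII"    # 128-byte file header
CHUNK_HDR = "<8sQQQQIIII64sII"   # 128-byte chunk header
RECORD_HDR = "<4sIQQ"            # 24-byte record header
CHUNK_SIZE = 65536
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, using integer arithmetic only."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def build_sample_evtx(payload, record_id, written):
    """Construct a single-chunk, single-record .evtx image (sample data, not a real log)."""
    rec_size = 24 + len(payload) + 4          # header + BinXML + trailing size copy
    record = (struct.pack(RECORD_HDR, RECORD_MAGIC, rec_size, record_id,
                          datetime_to_filetime(written))
              + payload + struct.pack("<I", rec_size))
    chunk = bytearray(CHUNK_SIZE)
    chunk[512:512 + rec_size] = record        # records start after the 512-byte chunk header area
    free_off = 512 + rec_size
    rec_crc = zlib.crc32(bytes(chunk[512:free_off]))
    chunk[0:128] = struct.pack(CHUNK_HDR, CHUNK_MAGIC, record_id, record_id,
                               record_id, record_id, 128, 512, free_off, rec_crc,
                               b"\x00" * 64, 0, 0)
    # chunk checksum covers bytes 0..119 plus the string/template tables at 128..511
    chunk[124:128] = struct.pack("<I", zlib.crc32(bytes(chunk[:120]) + bytes(chunk[128:512])))
    fhdr = bytearray(struct.pack(FILE_HDR, FILE_MAGIC, 0, 0, record_id + 1, 128,
                                 1, 3, 4096, 1, b"\x00" * 76, 0, 0))
    fhdr[124:128] = struct.pack("<I", zlib.crc32(bytes(fhdr[:120])))  # first 120 bytes
    return bytes(fhdr) + b"\x00" * (4096 - 128) + bytes(chunk)


def parse_evtx(data):
    """Parse file header, chunk headers and records; raise ValueError on any integrity failure."""
    (magic, _first, _last, next_id, hdr_size, minor, major, block_size,
     n_chunks, _unk, _flags, crc) = struct.unpack_from(FILE_HDR, data, 0)
    if magic != FILE_MAGIC or hdr_size != 128:
        raise ValueError("not an EVTX file header")
    if zlib.crc32(data[:120]) != crc:
        raise ValueError("file header checksum mismatch")
    records = []
    for i in range(n_chunks):
        chunk = data[block_size + i * CHUNK_SIZE: block_size + (i + 1) * CHUNK_SIZE]
        (cmagic, _f, _l, _fid, _lid, _chs, _last_off, free_off, rec_crc,
         _cunk, _cflags, ccrc) = struct.unpack_from(CHUNK_HDR, chunk, 0)
        if cmagic != CHUNK_MAGIC:
            raise ValueError("bad chunk magic in chunk %d" % i)
        if zlib.crc32(chunk[:120] + chunk[128:512]) != ccrc:
            raise ValueError("chunk header checksum mismatch in chunk %d" % i)
        if zlib.crc32(chunk[512:free_off]) != rec_crc:
            raise ValueError("event records checksum mismatch in chunk %d" % i)
        pos = 512
        while pos < free_off:
            rmagic, size, rid, ft = struct.unpack_from(RECORD_HDR, chunk, pos)
            size_copy = struct.unpack_from("<I", chunk, pos + size - 4)[0]
            if rmagic != RECORD_MAGIC or size_copy != size:
                raise ValueError("corrupt record at chunk %d offset %d" % (i, pos))
            records.append({"id": rid, "written": filetime_to_datetime(ft),
                            "binxml": chunk[pos + 24: pos + size - 4]})
            pos += size
    return {"version": "%d.%d" % (major, minor), "next_record_id": next_id,
            "chunks": n_chunks, "records": records}


def demo():
    """Build the constructed sample, parse it, and show that a modified record is rejected."""
    sample = build_sample_evtx(b"<binxml placeholder>", 1,
                               datetime(2013, 1, 15, 12, 0, tzinfo=timezone.utc))
    parsed = parse_evtx(sample)
    tampered = bytearray(sample)
    tampered[4096 + 540] ^= 0xFF             # flip one byte inside the record payload
    try:
        parse_evtx(bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return parsed, tamper_detected


if __name__ == "__main__":
    result, detected = demo()
    for rec in result["records"]:
        print(rec["id"], rec["written"].isoformat(), rec["binxml"])
    print("tamper detected:", detected)
```

Run it directly to see the parsed record and the tamper check; point parse_evtx at the bytes of a real .evtx file to walk its chunks and records the same way (the BinXML payload still needs a separate decoder before it turns into readable XML).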

References:


3 thoughts on “Mac OS/X – Reading Microsoft Windows Event Log file (*.evtx) files”

    • Fernando:

      No, no problems during my initial analysis.

      But, please keep in mind that was over a year ago.

      At that time I reviewed version 0.69, and the current version is 0.76.

      Which version are you running? If not the latest, can you please try downloading that version?

      Some vendors place hard time limits on their applications.

      All the best,

      Daniel
