Skip to content

Latest commit

 

History

History
78 lines (51 loc) · 2.66 KB

evtxls.md

File metadata and controls

78 lines (51 loc) · 2.66 KB

Command-Line Help for evtxls

This document contains the help content for the evtxls command-line program.

Command Overview:

evtxls

Display one or more events from an evtx file

Usage: evtxls [OPTIONS] [EVTX_FILES]...

Arguments:
  • <EVTX_FILES> — Name of the evtx files to read from
Options:

  • -d, --delimiter <DELIMITER> — use this delimiter instead of generating fixed space columns

  • -i, --include <INCLUDED_EVENT_IDS> — List events with only the specified event ids, separated by ','

  • -x, --exclude <EXCLUDED_EVENT_IDS> — Exclude events with the specified event ids, separated by ','

  • -C, --color <DISPLAY_COLORS> — highlight interesting content using colors

    Default value: auto

    Possible values: auto, always, never

  • -f, --from <NOT_BEFORE> — hide events older than the specified date (hint: use RFC 3339 syntax)

  • -t, --to <NOT_AFTER> — hide events newer than the specified date (hint: use RFC 3339 syntax)

  • -r, --regex <HIGHLIGHT> — highlight event data based on this regular expression

  • -s, --sort <SORT_ORDER> — sort order

    Default value: storage

    Possible values:

    • storage: don't change order, output records as they are stored
    • record-id: sort by event record id
    • time: sort by date and time

  • -b, --base-fields <DISPLAY_SYSTEM_FIELDS> — display fields common to all events. multiple values must be separated by ','

    Default values: event-id, event-record-id

    Possible values:

    • event-id: The identifier that the provider used to identify the event
    • event-record-id: The record number assigned to the event when it was logged
    • activity-id: A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity
    • related-activity-id: A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their ActivityID identifier
    • process-id: The ID of the process that created the event

  • -B, --hide-base-fields — don't display any common event fields at all. This corresponds to specifying '--base-fields' without any values (which is not allowed, that's why there is this flag)

    Default value: false

    Possible values: true, false

  • -v, --verbose — Increase logging verbosity

  • -q, --quiet — Decrease logging verbosity

This document was generated automatically by clap-markdown.