FS_Misc_Eventlog
The directory misc/eventlog exists as a sub-directory to the file system root.
The directory contains event log files extracted from memory.
Files in the misc/eventlog directory is read-only.
The event log files are also found in other locations, such as under the event logging svchost service. Access via the misc/eventlog directory may be more convenient though.
Event logs recovered from memory are likely to be partially corrupt with older pieces of data missing. The event logs sometimes work to open as-is and sometimes they would have to be repaired by a 3rd party tool
If opening the event logs in Event Viewer they must first be copied to a writable folder, such as C:\Temp. It will not be possible to open the event log files with Event Viewer directly from the misc/eventlog directory.
Also 3rd party tools may be used to better extract information from the event logs. An example of such a tool is Zimmermans EvtxECmd.
The example shows the misc/eventlog directory. The powershell log is copied to a writable folder on C: and then opened in the Event Viewer.
The misc/eventlog sub-directory is implemented as a built-in native C-code plugin. The plugin source is located in the file modules/m_misc_eventlog.c in the vmm project.