Support for Applications and Services Logs

[bcharboneauiherb]

We use Sysmon which logs Event Logs to the "Microsoft-Windows-Sysmon/Operational" Channel. Of which, the Regkey is in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels" as opposed to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog"

is it possible to add support for both paths so that we can use logs in both?

[TaLoN1x]

This issue is blocker for me also :(

[TaLoN1x]

This issue makes impossible to recieve logs from Printer-Spooler, DHCP, Operational and many other channels on latest Windows (workstation) and Windows Server versions.
Tested on:
Windows 8.0/8.1
Windows 10 (15xx up to latest)
Windows Server 2016
Windows Server 2019

[Techcadia]

So I have spent some time looking into this and I have found that this is parsing the windows evt logs. By Calling OpenEventLog in the advapi32.dll This only returns items that are the old format.

"
With the release of Windows Vista, Microsoft introduced an updated event log file format. The format used in Windows XP was a circular buffer of record structures that each contained a list of strings. A viewer resolved templates hosted in system library files and inserted the strings into appropriate positions. The newer event log format is proprietary binary XML. Unpacking chunks from an event log file from Windows 7 results in a complete XML document with a variable schema. The changes helped Microsoft tune the file format to real-world uses of event logs, such as long running logs with hundreds of megabytes of data, and system independent template resolution.
"

Unless someone refactors this fully I am unsure if it will ever support the newer evtx format.