Situation: I have windows event logs (security.evtx) saved from external systems that are not connected (and never connected) to the computer I am performing log analysis with.
Background: Windows event log has different components that are needed to get a complete picture of what happened where and with whom. The evtx file is a BXML (binary XML). It holds SID information which is resolved on the host. It also points to a registry file that has the description of the events which is specific for each host (as far as I can tell). There is also category information stored in a separate registry entry, but I didn't really care to investigate this fully as the SID and description had priority. Simply copying a log file from one computer to another will leave off the event category name and the description which has the useful information in it. MS has posted how to archive a log file with display information for troubleshooting on another system and I have tried this step. It saves off the log file and creates a folder with a respectively named file called localmetadata.mta in it. The metadata is human readable.
Problem: MS doesn't seem to tell you what to do with the archived log and metadata. I tried opening the evtx with event viewer with the metadata in the folder next to the file, and the data is not used. I don't know where to use the metadata to have a complete reconstruction of the log file. I have searched online through plenty of different search criteria and the few sites that post about this only report that it is a problem. No one seems to have a solution. I am close to searching for a forensic tool as I think this may be the only option.
If anyone has any ideas here, I am open to all suggestions. If you have a solution in place to view logs from a non-connected system, please let me know.
Thanks!
Kenison