What’s so useful about ETL (ETW)?
One of the most useful (.etl) log files is: WMI-Activity/Trace. It is an Event Tracing for Windows (ETW) log which gets written to a ‘.etl’ file. The information inside of this log can be extremely useful to anyone wishing to monitor WMI, as it logs each query, new class, consumer, etc. We touched on this in our recent talk at Bloomcon (https://youtu.be/H3t_kHQG1Js?t=99)
Note: monitor this blog for a future post just about WMI events.
What’s the problem?
Unfortunately, WEF (Windows Event Forwarding) and many other event forwarding solutions cannot subscribe directly to ‘.etl’ files..). However, the ‘.etl’ file can be read and converted into a channel that WEF can subscribe to. To help facilitate this, I wrote a PowerShell script, and it is available on github (https://github.com/acalarch/ETL-to-EVTX). Use at your own risk 😅!
In summary, the script will query whatever (.etl) file you give it every 15 seconds and write those events to a new channel. Actually, it can do this for any (.etl) file! You just have to configure it to do so.
To prepare your etl file for the script, all you have to do is change some of the channel options. Getting an error in Windows Event Viewer is normal after you make these changes. It doesn't like displaying ETL with "overwrite events as needed".
Settings for the ETL file/channel.
My solution is kind of a poor-man’s solution to this problem. Here are some more:
- Microsoft released an ETW wrapper:
- Fireeye Released a WMI Monitor that writes to a regular EVTX:
- Vendor Specific
- Some event forwarders are capable of handling ETL files,
check with your vendor!
- Some event forwarders are capable of handling ETL files, check with your vendor!
You can read more about ETW here:
You can read a whole lot more about WEF and Windows Events by reading our slide deck or watching our talk: