When investigating malware attacks on a computer, it is often necessary to look at the Windows Event logs. This could be to understand:
As well as many other useful bits of evidence.
Windows includes a large selection of event logs, only some of which are typically used in a malware investigation. Because going through the separate logs one by one is time consuming, Sophos have created a 'custom view' that can be imported onto the victim's machine and used to collect the relevant logs, grouping them into one large log (AttackLogs.evtx) with everything in date/time order.
The custom view that can be imported is called AttackLogs_full.XML; the collected logs can then be saved as AttackLogs.EVTX. Below is a list of the event logs that are collected:
All logs located in: C:\Windows\System32\winevt\Logs\
The following sections are covered:
To collect the AttackLogs.EVTX file from the victim's machine, please follow the instructions below.
1. Log in to the victim's machine.
2. Download AttackLogs (v1.3).zip and extract the contents.
3. Open Windows Event Viewer by selecting: Start > Run > eventvwr.
4. Click on Import Custom View and select the extracted AttackLogs_full.XML file.
NOTE: If you receive an error like the ones pictured below, please import the "AttackLogs_partial.xml" file instead.
5. After importing the XML file, select AttackLogs in the Custom Views folder. If "(!) New events available" is displayed, press F5 to ensure that all the logs in the custom view have been populated successfully.
6. Right-click AttackLogs and select Save All Events in Custom View As...
7. Save the file as AttackLogs.EVTX.
8. Right-click the saved AttackLogs.EVTX file and select Send to > Compressed File.
9. Please send the compressed (.zip) file to Sophos Technical Support.
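The same custom view can be queried from PowerShell, which is useful when the Event Viewer import fails or when collecting from several hosts. The script below is an added example, not a Sophos script: it assumes AttackLogs_full.XML (an Event Viewer custom-view file containing a <QueryList> element) is extracted in the current directory, reports any channels the view references that do not exist on the host, runs the query with Get-WinEvent, and writes the events in date/time order to a CSV file (the GUI steps above are still needed to produce the .EVTX that Support asks for).

```powershell
# Added example (not Sophos's code): run the AttackLogs custom view query
# with PowerShell and export the matching events in time order.
# Assumptions: AttackLogs_full.XML is in the current directory and the
# session has permission to read the Security log (run elevated).
param(
    [string]$ViewFile = '.\AttackLogs_full.XML',
    [string]$OutFile  = '.\AttackLogs.csv'
)

# A saved custom view wraps the <QueryList> in Event Viewer metadata
# (<ViewerConfig>...); Get-WinEvent only needs the <QueryList> itself.
[xml]$view = Get-Content -Path $ViewFile -Raw
$queryList = $view.SelectSingleNode('//QueryList')
if (-not $queryList) { throw "No <QueryList> element found in $ViewFile" }

# Channels referenced by the view's <Select Path="..."> elements. Channels that
# are not present on this host are reported instead of aborting the collection.
$channels = $queryList.SelectNodes('.//Select') |
    ForEach-Object { $_.Path } | Sort-Object -Unique
$present = Get-WinEvent -ListLog $channels -ErrorAction SilentlyContinue |
    ForEach-Object { $_.LogName }
$missing = $channels | Where-Object { $_ -notin $present }
if ($missing) {
    Write-Warning ("Channels not present on this host: " + ($missing -join ', '))
}

# Run the structured query; SilentlyContinue keeps going past absent or empty
# channels. Sorting by TimeCreated gives the single time-ordered view the
# custom view provides in the GUI.
$events = Get-WinEvent -FilterXml ([xml]$queryList.OuterXml) -ErrorAction SilentlyContinue |
    Sort-Object -Property TimeCreated

# Flatten multi-line messages so each event occupies one CSV row.
$events |
    Select-Object TimeCreated, LogName, ProviderName, Id, LevelDisplayName, MachineName,
        @{ Name = 'Message'; Expression = { $_.Message -replace '\r?\n', ' ' } } |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

"{0} events from {1} channel(s) written to {2}" -f @($events).Count, @($present).Count, $OutFile
```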