Metadata-Version: 2.4
Name: evtxparser
Version: 0.1.0
Summary: Fast streaming EVTX to CSV exporter
Author: Samuel Matildes
License: Apache License
        Version 2.0, January 2004
        http://www.apache.org/licenses/
        
        TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
        
        1. Definitions.
        
        "License" shall mean the terms and conditions for use, reproduction, and
        distribution as defined by Sections 1 through 9 of this document.
        
        "Licensor" shall mean the copyright owner or entity authorized by the copyright
        owner that is granting the License.
        
        "Legal Entity" shall mean the union of the acting entity and all other entities
        that control, are controlled by, or are under common control with that entity.
        For the purposes of this definition, "control" means (i) the power, direct or
        indirect, to cause the direction or management of such entity, whether by
        contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the
        outstanding shares, or (iii) beneficial ownership of such entity.
        
        "You" (or "Your") shall mean an individual or Legal Entity exercising
        permissions granted by this License.
        
        "Source" form shall mean the preferred form for making modifications, including
        but not limited to software source code, documentation source, and configuration
        files.
        
        "Object" form shall mean any form resulting from mechanical transformation or
        translation of a Source form, including but not limited to compiled object code,
        generated documentation, and conversions to other media types.
        
        "Work" shall mean the work of authorship, whether in Source or Object form, made
        available under the License, as indicated by a copyright notice that is
        included in or attached to the work (an example is provided in the Appendix
        below).
        
        "Derivative Works" shall mean any work, whether in Source or Object form, that
        is based on (or derived from) the Work and for which the editorial revisions,
        annotations, elaborations, or other modifications represent, as a whole, an
        original work of authorship. For the purposes of this License, Derivative Works
        shall not include works that remain separable from, or merely link (or bind by
        name) to the interfaces of, the Work and Derivative Works thereof.
        
        "Contribution" shall mean any work of authorship, including the original version
        of the Work and any modifications or additions to that Work or Derivative Works
        thereof, that is intentionally submitted to Licensor for inclusion in the Work
        by the copyright owner or by an individual or Legal Entity authorized to submit
        on behalf of the copyright owner. For the purposes of this definition,
        "submitted" means any form of electronic, verbal, or written communication sent
        to the Licensor or its representatives, including but not limited to
        communication on electronic mailing lists, source code control systems, and
        issue tracking systems that are managed by, or on behalf of, the Licensor for
        the purpose of discussing and improving the Work, but excluding communication
        that is conspicuously marked or otherwise designated in writing by the copyright
        owner as "Not a Contribution."
        
        "Contributor" shall mean Licensor and any individual or Legal Entity on behalf
        of whom a Contribution has been received by Licensor and subsequently
        incorporated within the Work.
        
        2. Grant of Copyright License. Subject to the terms and conditions of this
        License, each Contributor hereby grants to You a perpetual, worldwide,
        non-exclusive, no-charge, royalty-free, irrevocable copyright license to
        reproduce, prepare Derivative Works of, publicly display, publicly perform,
        sublicense, and distribute the Work and such Derivative Works in Source or
        Object form.
        
        3. Grant of Patent License. Subject to the terms and conditions of this License,
        each Contributor hereby grants to You a perpetual, worldwide, non-exclusive,
        no-charge, royalty-free, irrevocable (except as stated in this section) patent
        license to make, have made, use, offer to sell, sell, import, and otherwise
        transfer the Work, where such license applies only to those patent claims
        licensable by such Contributor that are necessarily infringed by their
        Contribution(s) alone or by combination of their Contribution(s) with the Work
        to which such Contribution(s) was submitted. If You institute patent litigation
        against any entity (including a cross-claim or counterclaim in a lawsuit)
        alleging that the Work or a Contribution incorporated within the Work
        constitutes direct or contributory patent infringement, then any patent licenses
        granted to You under this License for that Work shall terminate as of the date
        such litigation is filed.
        
        4. Redistribution. You may reproduce and distribute copies of the Work or
        Derivative Works thereof in any medium, with or without modifications, and in
        Source or Object form, provided that You meet the following conditions:
        
        (a) You must give any other recipients of the Work or Derivative Works a copy of
        this License; and
        
        (b) You must cause any modified files to carry prominent notices stating that
        You changed the files; and
        
        (c) You must retain, in the Source form of any Derivative Works that You
        distribute, all copyright, patent, trademark, and attribution notices from the
        Source form of the Work, excluding those notices that do not pertain to any part
        of the Derivative Works; and
        
        (d) If the Work includes a "NOTICE" text file as part of its distribution, then
        any Derivative Works that You distribute must include a readable copy of the
        attribution notices contained within such NOTICE file, excluding those notices
        that do not pertain to any part of the Derivative Works, in at least one of the
        following places: within a NOTICE text file distributed as part of the
        Derivative Works; within the Source form or documentation, if provided along
        with the Derivative Works; or, within a display generated by the Derivative
        Works, if and wherever such third-party notices normally appear. The contents of
        the NOTICE file are for informational purposes only and do not modify the
        License. You may add Your own attribution notices within Derivative Works that
        You distribute, alongside or as an addendum to the NOTICE text from the Work,
        provided that such additional attribution notices cannot be construed as
        modifying the License.
        
        You may add Your own copyright statement to Your modifications and may provide
        additional or different license terms and conditions for use, reproduction, or
        distribution of Your modifications, or for any such Derivative Works as a whole,
        provided Your use, reproduction, and distribution of the Work otherwise complies
        with the conditions stated in this License.
        
        5. Submission of Contributions. Unless You explicitly state otherwise, any
        Contribution intentionally submitted for inclusion in the Work by You to the
        Licensor shall be under the terms and conditions of this License, without any
        additional terms or conditions. Notwithstanding the above, nothing herein shall
        supersede or modify the terms of any separate license agreement you may have
        executed with Licensor regarding such Contributions.
        
        6. Trademarks. This License does not grant permission to use the trade names,
        trademarks, service marks, or product names of the Licensor, except as required
        for reasonable and customary use in describing the origin of the Work and
        reproducing the content of the NOTICE file.
        
        7. Disclaimer of Warranty. Unless required by applicable law or agreed to in
        writing, Licensor provides the Work (and each Contributor provides its
        Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
        KIND, either express or implied, including, without limitation, any warranties
        or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
        PARTICULAR PURPOSE. You are solely responsible for determining the
        appropriateness of using or redistributing the Work and assume any risks
        associated with Your exercise of permissions under this License.
        
        8. Limitation of Liability. In no event and under no legal theory, whether in
        tor t (including negligence), contract, or otherwise, unless required by
        applicable law (such as deliberate and grossly negligent acts) or agreed to in
        writing, shall any Contributor be liable to You for damages, including any
        direct, indirect, special, incidental, or consequential damages of any
        character arising as a result of this License or out of the use or inability to
        use the Work (including but not limited to damages for loss of goodwill, work
        stoppage, computer failure or malfunction, or any and all other commercial
        damages or losses), even if such Contributor has been advised of the
        possibility of such damages.
        
        9. Accepting Warranty or Additional Liability. While redistributing the Work or
        Derivative Works thereof, You may choose to offer, and charge a fee for,
        acceptance of support, warranty, indemnity, or other liability obligations
        and/or rights consistent with this License. However, in accepting such
        obligations, You may act only on Your own behalf and on Your sole
        responsibility, not on behalf of any other Contributor, and only if You agree
        to indemnify, defend, and hold each Contributor harmless for any liability
        incurred by, or claims asserted against, such Contributor by reason of Your
        accepting any such warranty or additional liability.
        
        END OF TERMS AND CONDITIONS
License-File: LICENSE
Keywords: cli,csv,evtx,forensics,windows-event-log
Classifier: Development Status :: 3 - Alpha
Classifier: Environment :: Console
Classifier: Intended Audience :: Information Technology
Classifier: Intended Audience :: System Administrators
Classifier: License :: OSI Approved :: Apache Software License
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3 :: Only
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Topic :: Security
Classifier: Topic :: Utilities
Requires-Python: >=3.10
Requires-Dist: python-evtx>=0.8.1
Requires-Dist: rich>=13.9.0
Provides-Extra: dev
Requires-Dist: build>=1.2.2; extra == 'dev'
Requires-Dist: pytest>=8.3.0; extra == 'dev'
Requires-Dist: ruff>=0.11.0; extra == 'dev'
Provides-Extra: speedups
Requires-Dist: orjson>=3.10.0; extra == 'speedups'
Description-Content-Type: text/markdown

# evtxparser

`evtxparser` is a focused Python CLI that turns `.evtx` files into CSV with a streaming, low-overhead pipeline. No GUI, no schema discovery pass, no giant in-memory objects: open the log, walk the records once, write rows.

## Goals

- **Fast by default**: stream records directly from the EVTX file to CSV.
- **Simple output**: stable columns for common system fields plus compact payload columns.
- **Publishable package**: `pyproject.toml`, console entry point, tests, CI, and PyPI-ready metadata.

## Installation

```bash
pip install evtxparser
```

For optional parser and JSON speedups:

```bash
pip install "evtxparser[speedups]"
```

## Usage

Export one file to stdout:

```bash
evtxparser Security.evtx
```

Export one file to disk:

```bash
evtxparser Security.evtx --output security.csv
```

Export a directory of logs:

```bash
evtxparser /mnt/logs --recursive --output logs.csv
```

Force a live progress bar on stderr while exporting:

```bash
evtxparser Security.evtx --output security.csv --progress
```

Use multiple CPU cores for a big export:

```bash
evtxparser Security.evtx --output security.csv --workers 8
```

Keep the raw XML in the final CSV column for maximum fidelity:

```bash
evtxparser Security.evtx --include-xml --output security.csv
```

## Output schema

| Column | Description |
| --- | --- |
| `source_file` | Input EVTX path used for the row |
| `record_number` | EVTX record number |
| `timestamp` | Record FILETIME converted to ISO-8601 |
| `event_id` | Windows event ID |
| `event_qualifiers` | Optional event qualifiers from `<EventID Qualifiers="...">` |
| `event_version` | Event version |
| `event_level` | Event level |
| `event_task` | Event task |
| `event_opcode` | Event opcode |
| `event_keywords` | Event keywords |
| `channel` | Event log channel |
| `provider_name` | Provider name |
| `provider_guid` | Provider GUID |
| `computer` | Computer name |
| `user_id` | SID from the `Security` node |
| `process_id` | Process ID from `Execution` |
| `thread_id` | Thread ID from `Execution` |
| `activity_id` | Correlation activity ID |
| `related_activity_id` | Correlation related activity ID |
| `event_data` | Compact JSON array for ordered `EventData` items |
| `user_data` | Compact XML for `UserData` payloads |
| `raw_xml` | Included only when `--include-xml` is set |

`event_data` is intentionally stored as an ordered JSON array instead of a flattened CSV explosion. That preserves duplicate keys, unnamed fields, and original ordering without a costly pre-scan.

## Why this layout is fast

1. `python-evtx` memory-maps the source file.
2. Records are processed one at a time and written immediately.
3. The CSV header is fixed, so there is no schema inference pass.
4. The hot path extracts fields directly from the rendered record XML instead of building a second XML tree.
5. Event-specific payloads stay compact in two columns instead of forcing dynamic columns.

## Progress display

When stderr is interactive, `evtxparser` shows a live progress bar automatically. It writes progress to stderr, so CSV output stays clean on stdout.

- `--progress`: always show the progress bar
- `--no-progress`: disable the progress bar

## Parallel export

`evtxparser` can use multiple **processes** to go faster on large exports.

- `--workers 0`: auto-select based on CPU count and available EVTX chunks
- `--workers 1`: single-process mode
- `--workers N`: use exactly `N` worker processes, capped by available work

The parallel path preserves CSV row order. It uses worker **processes**, not threads, because the EVTX parsing hot path is pure Python and benefits more from escaping the GIL.

## Development

Create a virtual environment, then install the package with dev tools:

```bash
python -m pip install -e ".[dev,speedups]"
```

Run tests:

```bash
pytest
```

Build distributions:

```bash
python -m build
```

## Publishing

The package metadata is defined in `pyproject.toml`, and the repository includes GitHub Actions workflows for CI and PyPI publishing. Once the repository exists and trusted publishing is configured on PyPI, a GitHub release can publish the package without changing the project layout.
