Glossary
Plain-language definitions of Windows Event Log terms used across the blog.
- BinXML: Binary-encoded XML — the on-disk serialisation used for both templates and substitution values.
- Channel: A logical event stream.
- Chunk: A 64 KB block inside an .evtx file.
- EventData: The XML child element in each rendered record that holds the provider-specific parameters: TargetUserName on a 4624, ImagePath on a 7045, CommandLine on a Sysmon 1.
- EVTX: The binary Windows Event Log format introduced with Windows Vista (2007), replacing the older flat-record .evt format.
- Level: Numeric severity: 1 Critical, 2 Error, 3 Warning, 4 Information, 5 Verbose.
- LogonId: A 64-bit identifier Windows assigns to each logon session.
- LogonType: EventData field on logon records (4624/4625) identifying how the session was established.
- Provider: The component that emits records into a channel — identified by name (e.g.
- RecordID: Monotonically increasing per-channel record number, assigned by the EventLog service at write time.
- ScriptBlock logging: PowerShell feature that records the full text of every script that runs — interactive commands, scripts from disk, and bodies reflected into memory by Invoke-Expression.
- SID: Security Identifier — the unique identifier Windows assigns to every security principal (user, group, computer).
- Sysmon: System Monitor — a free Sysinternals/Microsoft tool that augments the event log with telemetry the base OS doesn't capture in usable form: full process command lines (event 1), network connections …
- System block: The XML sibling of EventData that carries generic metadata: provider name/GUID, channel, Event ID, level, timestamp (TimeCreated SystemTime), the computer name, and the record's RecordID and EventR…
- Template: A skeleton XML document with substitution placeholders.
- WEF: Windows Event Forwarding — the built-in mechanism for shipping subscribed channels to a central collector over WinRM.