⚠️ This is a triage tool, not a full forensic suite. It helps quickly understand what happened before deep forensic analysis. Designed for analysts, sysadmins and incident responders who need fast clarity from Windows Security logs.
Windows Security Event Log (EVTX) triage tool
LogWatch-TR helps answer the first DFIR question:
“What actually happened on this machine?”
It does not replace a SIEM.
It accelerates the first investigation stage.
Windows Security logs are extremely noisy.
Most investigations fail because every logon event is treated as human activity.
In reality:
- services log in
- scheduled tasks log in
- system accounts log in
LogWatch-TR introduces actor classification and isolates real user behavior.
The tool analyzes .evtx files and correlates authentication events:
- Failed logins — Event ID 4625
- Successful logons — Event ID 4624
- Night logins (00:00–06:00)
- RDP logins (Logon Type 10)
- New account creation — Event ID 4720
- Privileged logon — Event ID 4672
- Audit log clearing — Event ID 1102
- Privilege escalation correlation (4624 → 4672)
System/service noise is filtered automatically.
The tool produces a readable HTML timeline report in which each event is categorized as:
- 🔴 Critical
- 🟡 Suspicious
- 🟢 Normal
You can review incidents without opening Event Viewer.
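As an added illustration of the actor classification, noise filtering and 4624 → 4672 correlation described above (example code written for this README, not LogWatch-TR's own source): it scores a constructed set of Security-log records into the three categories. The account-name rules, the pairing of 4624 and 4672 by logon ID, and the category mapping are assumptions about how such triage can be done, not a description of the tool's internals; `is_system_actor`, `classify` and `triage` are names chosen here.

```python
from datetime import datetime

SYSTEM_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", "ANONYMOUS LOGON"}
RANK = {"Normal": 0, "Suspicious": 1, "Critical": 2}

# Constructed sample in the shape of Security.evtx fields (EventID, TimeCreated, user, LogonType, LogonId); not real log data.
SAMPLE = [
    {"id": 4624, "time": "2024-03-02T01:15:00", "user": "jdoe", "type": 10, "logon_id": "0x5a1b2"},
    {"id": 4672, "time": "2024-03-02T01:15:01", "user": "jdoe", "type": None, "logon_id": "0x5a1b2"},
    {"id": 4624, "time": "2024-03-02T03:00:00", "user": "WS01$", "type": 5, "logon_id": "0x3e7"},
    {"id": 4672, "time": "2024-03-02T03:00:00", "user": "SYSTEM", "type": None, "logon_id": "0x3e7"},
    {"id": 4625, "time": "2024-03-02T09:12:00", "user": "admin", "type": 3, "logon_id": "0x0"},
    {"id": 4720, "time": "2024-03-02T09:20:00", "user": "jdoe", "type": None, "logon_id": "0x5a1b2"},
    {"id": 1102, "time": "2024-03-02T09:25:00", "user": "jdoe", "type": None, "logon_id": "0x5a1b2"},
    {"id": 4624, "time": "2024-03-02T10:00:00", "user": "asmith", "type": 2, "logon_id": "0x7f00"},
]

def is_system_actor(user):
    """Actor classification (assumed rules): machine accounts ('$'), built-in and session accounts."""
    u = user.upper()
    return u.endswith("$") or u in SYSTEM_ACCOUNTS or u.startswith(("DWM-", "UMFD-"))

def classify(e, priv_logon_ids):
    """(category, reasons) for one event; None for noise or a 4672 (folded into its 4624)."""
    if is_system_actor(e["user"]) or e["id"] == 4672:
        return None
    hits = []  # (level, reason); the highest level wins
    if e["id"] == 1102:
        hits.append(("Critical", "audit log cleared"))
    elif e["id"] == 4625:
        hits.append(("Suspicious", "failed logon"))
    elif e["id"] == 4720:
        hits.append(("Suspicious", "account created"))
    elif e["id"] == 4624:
        hits.append(("Normal", "logon"))
        # a 4672's SubjectLogonId equals the TargetLogonId of the 4624 for the same session
        if e["logon_id"] in priv_logon_ids:
            hits.append(("Critical", "privileged token after logon (4624 -> 4672)"))
        if e["type"] == 10:
            hits.append(("Suspicious", "RDP logon (type 10)"))
        if datetime.fromisoformat(e["time"]).hour < 6:
            hits.append(("Suspicious", "night logon (00:00-06:00)"))
    if not hits: return None  # event id this triage does not score
    return max((lvl for lvl, _ in hits), key=RANK.get), [why for _, why in hits]

def triage(events):
    """Chronological (time, user, category, reasons) rows with system/service noise removed."""
    priv_ids = {e["logon_id"] for e in events if e["id"] == 4672}
    rows = ((e, classify(e, priv_ids)) for e in sorted(events, key=lambda x: x["time"]))
    return [(e["time"], e["user"], r[0], r[1]) for e, r in rows if r]
```

Running `triage(SAMPLE)` drops the WS01$ and SYSTEM records and reports the 01:15 jdoe logon once as Critical with its RDP, night and privilege reasons attached, rather than as three separate lines.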
➡️ Latest Windows build
https://github.com/redzeptech/logwatch-tr/releases/latest
No installation required.
- Extract the zip
- Export a `Security.evtx` file from Event Viewer
- Put it next to the executable
- Run: `LogWatch-TR.exe Security.evtx`
## Why I built this
During real incident investigations, I repeatedly saw analysts lose hours inside raw Event Viewer logs.
This tool was created to shorten that first step:
understanding human activity quickly and reliably.
