in ,

WELA – Windows Event Log Analyzer

Yamato Security’s WELA(Windows Event Log Analyzer) aims to be the Swiss Army knife for Windows event logs. Currently, WELA’s greatest functionality is creating an easy-to-analyze logon timeline in order to aid in fast forensics and incident response. WELA’s logon timeline generator will consolidate only the useful information in multiple logon log entries (4624, 4634, 4647, 4672, 4776) into single events, perform data reduction by ignoring around 90% of the noise, and will convert any hard to read data (such as hex status codes) into human-readable format.

Tested on Windows Powershell 5.1 but may work with previous versions. It will unfortunately NOT work with Powershell Core as there is no built-in functionality to read Windows event logs.


  • Written in PowerShell so is easy to read and customize.
  • Fast Forensics Logon Timeline Generator
    • Detect lateral movement, system usage, suspicious logons, vulnerable protocol usage, etc…
    • 90%+ noise reduction for logon events
    • Calculate Login Elapsed Time
    • GUI analysis
    • Logon Type Summary
  • Live Analysis and Offline Analysis
  • Japanese support
  • Event ID Statistics
  • Output to CSV to analyze in Timeline Explorer, etc…
  • Analyze NTLM usage before disabling NTLM
  • Sigma rules
  • Custom attack detection rules
  • Remote analysis
  • Logon Statistics


At the moment, please use a Windows Powershell 5.1. You will need local Administrator access for live analysis.

    Analysis Source (Specify one):
        -LiveAnalysis : Creates a timeline based on the live host's log
        -LogFile <path-to-logfile> : Creates a timelime from an offline .evtx file
        -LogDirectory <path-to-logfiles> (Warning: not fully implemented.) : Analyze offline .evtx files
        -RemoteLiveAnalysis : Creates a timeline based on the remote host's log

    Analysis Type (Specify one):
        -AnalyzeNTLM_UsageBasic : Returns basic NTLM usage based on the NTLM Operational log
        -AnalyzeNTLM_UsageDetailed : Returns detailed NTLM usage based on the NTLM Operational log
        -EventID_Statistics : Output event ID statistics
        -LogonTimeline : Output a condensed timeline of user logons based on the Security log
        -SecurityAuthenticationSummary : Output a summary of authentication events for each logon type based on the Security log

    Analysis Options:
        -StartTimeline "<YYYY-MM-DD HH:MM:SS>" : Specify the start of the timeline
        -EndTimeline "<YYYY-MM-DD HH:MM:SS>" : Specify the end of the timeline

    -LogonTimeline Analysis Options:
        -IsDC : Specify if the logs are from a DC

    Output Types (Default: Standard Output):
        -SaveOutput <outputfile-path> : Output results to a text file
        -OutputCSV : Outputs to CSV
        -OutputGUI : Outputs to the Out-GridView GUI

    General Output Options:
        -USDateFormat : Output the dates in MM-DD-YYYY format (Default: YYYY-MM-DD)
        -EuropeDateFormat : Output the dates in DD-MM-YYYY format (Default: YYYY-MM-DD)
        -UTC : Output in UTC time (default is the local timezone)
        -Japanese : Output in Japanese

    -LogonTimeline Output Options:
        -HideTimezone : Hides the timezone
        -ShowLogonID : Show logon IDs

        -ShowContributors : Show the contributors
        -QuietLogo : Do not display the WELA logo


Logon Timeline GUI:


DOWNLOAD WELA (Windows Event Log Analyzer)

What do you think?

Written by SH

Leave a Reply

Your email address will not be published. Required fields are marked *

GIPHY App Key not set. Please check settings

One Comment

Hayabusa- Windows event log analyzer & threat hunting tool

log4jscanner by Google for Log4j 2 Vulnerability