The transition to NetApp MS Azure AD B2C is complete. If you missed the pre-registration, you will be invited to reigister at next log in.
Please note that access to your NetApp data may take up to 1 hour.
To learn more, read the FAQ and watch the video.
Need assistance? Complete this form and select “Registration Issue” as the Feedback Category.

Network Storage Protocols Articles and Resources

Tool to convert Audit Logs from XML to EVTX Format



Clustered Data ONTAP supports file auditing through Native auditing framework. Native auditing supports file access auditing in both CIFS and NFS one can find more information in the blog. This framework generates audit events similar to Windows Event logging framework and generates logs as plain XML text. In Windows EVTX is the default logging format from Vista and W2k8 onwards. Windows allows viewing and analyzing logs through Microsoft Windows Event Viewer if the logs are in EVTX format. To overcome this limitation NetApp provides an off-box, windows compatible, tool that converts the plain text XML log file into EVTX file.

The tool can be downloaded from NetApp Support site. Users can freely download the tool using support user ID and credentials. The conversion is on best effort basis and NetApp doesn't assure accuracy or completeness of the solution. Support to the tool is only through the CIFS/SMB community; start discussion in the community for clarifications or support.

Installation Requirements

These requirements need to be take care before the Installation

Supported platforms

Operating System:                    Windows Vista and above

Windows Server:                       Windows server 2008 and above
Prerequisite for installation

Microsoft .Net Framework:        V3.5 and above

After downloading the Setup file and meeting the Installation requirements initiate the installation by double clicking on the installable.  Default the tool NetApp EVTX Converter will be installed under NetApp\EVTX Converter folder but can be changed during the setup.

The installation will install both the GUI as well as Command Line tools

Executing the Tool

Input File in plain text XML format can be converted to binary EVTX file either using the GUI or the command line interface.

Converting using GUI interface

GUI is highly intuitive and simple to use. It takes single file input in Input file and converts that into an EVTX file at a location specified in Output File.

button will help to browse to the input or Output file location. The location can be either local or remote. Conversion process is triggered when Convert button is clicked. Progress bar will display that conversion process is in-place. Conversion time depends on the log file size and on the file location.

Converting using CLI interface

This is useful if you want to script the conversion activity. The executable is evtx_win. The command has a help (-h) option that explains how to use the command

After the conversion it will show number of events converted and conversion status: success or failure

Viewing the EVTX file

EVTX files can be viewed using the Microsoft Windows Event Viewer. EVTX format is supported in Windows Vista/Windows server 2008 and above. You can view the logs by opening it as a file in the Event Viewer

Currently viewing the log information in the general-tab is partially supported. We are working on providing additional libraries (dlls) that will help overcome the limitation

Solution considerations

  • The tool is tested with large XML log files (~200MB) and has worked seamlessly.
  • The output directory should have write permissions.
  • The output directory should have enough free space: twice the size of input file. This is necessary because the application creates a temporary xml file in the output directory and deletes it after the conversion.
  • When multiple instances of the tool are running, the destination/target directory of each instance should be kept different.
  • If the EVTX file is already opened by Event Viewer conversion process should not be started with the opened file as Output File

Please Note:

All content posted on the NetApp Community is publicly searchable and viewable. Participation in the NetApp Community is voluntary.

In accordance with our Code of Conduct and Community Terms of Use, DO NOT post or attach the following:

  • Software files (compressed or uncompressed)
  • Files that require an End User License Agreement (EULA)
  • Confidential information
  • Personal data you do not want publicly available
  • Another’s personally identifiable information (PII)
  • Copyrighted materials without the permission of the copyright owner

Continued non-compliance may result in NetApp Community account restrictions or termination.