LogonTracer v1.4 Released

JPCERT/CC released a new version of LogonTracer, a tool to support event log analysis.


This article introduces some of the new features of the tool.

Dark mode

This update adds a dark mode to LogonTracer; the option appears on the menu bar. Figure 1 shows the LogonTracer screen with dark mode on.

Figure 1: LogonTracer (dark mode)

Please note that in dark mode each colour represents the following item:

  • Red: Admin account
  • Blue: Normal user account
  • Green: Host/IP address

Add event logs

Previously, to add event logs for analysis, users needed to upload the new logs together with the old logs that had already been uploaded. To save time, a new function for adding log files has been implemented in this release.
Figure 2 shows the screen to upload additional event logs.

Figure 2: Uploading event log in LogonTracer

By enabling “Add additional EVTX or XML files”, new event logs can be uploaded. You can also do this on the command line by using the “--add” option.

Future updates

In the next release, we are going to add a function to import logs from Elasticsearch to enable real-time analysis. We will continue updating the tool and appreciate feedback and Pull Requests from users.

Shusei Tomonaga
(Translated by Yukako Uchida)