We want to be able to quickly look through Windows logs to see folder permission changes. We've turned on logging where the logs go to a user directory, but they are all "evtx" logs. We can see everything if we use MS Event Viewer, but there are so many that doing a quick search on them for a user, etc. is just about impossible. Since it's in the evtx format, I don't seem to be able to run text greps on the data.
Does anyone else have this same problem and tackled it with something besides a SIEM?
Is there a way to simply have the logs sent over in XML versus evtx? And only with the File/Folder Permission changes instead of every read/write event to them?
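One way to do this without a SIEM, as an added example that is not part of the original post: read the saved .evtx files offline with Get-WinEvent, keep only the Security-log event that records a permission change (Event ID 4670, "Permissions on an object were changed"; 4907 is the companion event for auditing/SACL changes), and write just those records out as XML with the searchable fields (user, object path, old and new security descriptor) pulled out. The directory, output path and user filter below are assumptions; the event IDs and the EventData field names are the standard ones for those events.

```powershell
# Added example, not from the original post. Searches saved .evtx files for
# permission-change events and exports only those as XML.
param(
    [string]$LogDir  = 'C:\Logs\Exported',        # assumed: folder holding the .evtx files
    [string]$OutFile = 'C:\Logs\PermChanges.xml', # assumed: where the filtered XML is written
    [string]$User    = ''                         # assumed: optional substring match on the acting user
)

# 4670 = permissions (DACL) on an object were changed; 4907 = auditing settings (SACL) changed.
# Get-WinEvent accepts a saved .evtx file via Path, so this needs no live event log access.
# SilentlyContinue stops it from throwing on files that contain no matching events.
$events = Get-ChildItem -Path $LogDir -Filter '*.evtx' -File | ForEach-Object {
    Get-WinEvent -FilterHashtable @{ Path = $_.FullName; Id = 4670, 4907 } -ErrorAction SilentlyContinue
}

# Flatten each event's EventData into the fields an analyst actually searches on.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Id       = $e.Id
        Computer = $e.MachineName
        User     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        Object   = $d['ObjectName']      # file or folder whose ACL changed
        Process  = $d['ProcessName']     # e.g. explorer.exe, icacls.exe
        OldSd    = $d['OldSd']           # security descriptor (SDDL) before the change
        NewSd    = $d['NewSd']           # security descriptor (SDDL) after the change
        Xml      = $e.ToXml()
    }
}
if ($User) { $rows = $rows | Where-Object { $_.User -like "*$User*" } }

# Quick on-screen view; the Xml column is kept for the export below.
$rows | Select-Object Time, Id, Computer, User, Object, Process | Format-Table -AutoSize

# Write the selected records as one XML document; wrapping them in a root
# element makes the file loadable by any XML parser or grep-able as text.
$body = ($rows | ForEach-Object { $_.Xml }) -join "`n"
Set-Content -Path $OutFile -Value "<Events>`n$body`n</Events>" -Encoding UTF8
```

For a one-off look without the script, the built-in `wevtutil qe C:\Logs\x.evtx /lf:true /q:"*[System[(EventID=4670)]]" /f:xml` does the same XPath filter on a single saved file and prints XML you can grep. The flood of read/write events comes from the folder's SACL, not from the export: if the audit entry on the folder is narrowed to "Change permissions" and "Take ownership" (with Audit File System enabled in the audit policy), the log records 4670 events without every 4663 read or write.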