search

dgunter / evtxtoelk

A lightweight tool to load Windows Event Log evtx files into Elasticsearch.
MIT License
115 stars 27 forks source link

Added option to export as JSON file, split method to parse evtx lines #4

Open okynos opened 4 years ago

okynos commented 4 years ago

Hello!,

I have added to evtxtoelk.py script the option to write the output to a .json file, this allows to ingest such events by any logcollector software that supports JSON, e.g. Wazuh.

I have tested all included or modified methods with ELK 7.9.1 (All seems to work as expected). Some examples: Event from security event channel in JSON format (from output file)

{"Event": {"@xmlns": "http://schemas.microsoft.com/win/2004/08/events/event", "System": {"Provider": {"@Name": "Microsoft-Windows-Security-Auditing", "@Guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}"}, "EventID": {"@Qualifiers": "", "#text": "4798"}, "Version": "0", "Level": "0", "Task": "13824", "Opcode": "0", "Keywords": "0x8020000000000000", "TimeCreated": {"@SystemTime": "2020-11-06T11:30:22.746094"}, "EventRecordID": "6184", "Correlation": {"@ActivityID": "{6dcbcce3-b2a9-0000-2ece-cb6da9b2d601}", "@RelatedActivityID": ""}, "Execution": {"@ProcessID": "604", "@ThreadID": "5308"}, "Channel": "Security", "Computer": "DESKTOP-XXXXXXX", "Security": {"@UserID": ""}}, "EventData": {"Data": {"TargetUserName": "test", "TargetDomainName": "DESKTOP-XXXXXXX", "TargetSid": "S-1-5-21-390896367-1170454209-2448961607-1001", "SubjectUserSid": "S-1-5-21-390896367-1170454209-2448961607-1001", "SubjectUserName": "test", "SubjectDomainName": "DESKTOP-XXXXXXX", "SubjectLogonId": "0x000000000008a1e5", "CallerProcessId": "0x0000000000000f60", "CallerProcessName": "C:\\Windows\\explorer.exe"}}}, "@timestamp": "2020-11-06T11:30:22.746094"}

I tried to modify the options less than possible so I changed ELK IP parameter to output that let the user introduce the combination of IP:PORT option or JSON filename (finished in .json) to select output method. Execution example: To JSON file:

python .\evtxtoelk.py .\security.evtx security.json
6184 events exported to security.json

To ELK:

python .\evtxtoelk.py .\security.evtx 192.168.2.10
Bulking final set of records to ES: 1
.
.
.

Kibana discover example image

I have also added a debug option to see the processed events in the JSON output. I hope it will help to solve some data ingestion related issues.

Regards!.

sonarcloud[bot] commented 3 years ago

Kudos, SonarCloud Quality Gate passed!

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information No Coverage information
No Duplication information No Duplication information