williballenthin / python-evtx

Pure Python parser for Windows Event Log files (.evtx)
Apache License 2.0

json output #47

Closed geekscrapy closed 6 years ago

geekscrapy commented 6 years ago

How would you go about getting json output? Just looking to dump the events to json for easy ingest into logstash

williballenthin commented 6 years ago

I'd probably render to the XML format, and then translate to JSON from there. Under the hood, the EVTX format represents XML, so while there may be ways to pull out a JSON document file structure more directly, working with an EVTX file as if it were XML is a better way to think about it.

It's a little bit annoying that the different EVTX event types have all sorts of different schemas. But I think you can cover the common cases with a small amount of work. This will definitely be sufficient to get data into logstash.
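The render-to-XML-then-translate approach described above, as an added example that is not code from the python-evtx project or from either commenter. It walks the XML that python-evtx renders for each record (the `System` block, then `EventData` with its `Data Name="..."` fields) and flattens it into one JSON document per event, the shape logstash ingests most easily. The embedded event is a constructed sample with made-up values, so the conversion runs without the library; only `evtx_to_json_lines` assumes python-evtx is installed and uses its `Evtx(path).records()` / `Record.xml()` API.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample (made-up values): the XML that python-evtx renders for a
# single record. Real records carry the same xmlns and the same System/EventData
# layout, but the EventData field names differ per provider and EventID.
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"/>
<EventID Qualifiers="">4624</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2020-01-01 12:00:00.000000"/>
<EventRecordID>4242</EventRecordID>
<Correlation ActivityID="" RelatedActivityID=""/>
<Execution ProcessID="612" ThreadID="800"/>
<Channel>Security</Channel>
<Computer>ws01.example.local</Computer>
<Security UserID=""/>
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="TargetUserName">alice</Data>
<Data Name="LogonType">2</Data>
<Data Name="IpAddress">10.0.0.5</Data>
</EventData>
</Event>"""


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def _element_to_dict(elem):
    """Generic conversion used for the System block: non-empty attributes and
    child elements become keys; a leaf with only text collapses to its text."""
    out = {k: v for k, v in elem.attrib.items() if v != ""}
    for child in elem:
        out[_local(child.tag)] = _element_to_dict(child)
    text = (elem.text or "").strip()
    if text:
        if out:
            out["#text"] = text  # element with both attributes and text
        else:
            return text
    return out


def _event_data_to_dict(event_data):
    """Flatten <Data Name="X">v</Data> into {"X": "v"}; unnamed Data elements
    (some providers omit Name) are kept positionally under "Data"."""
    fields = {}
    unnamed = []
    for item in event_data:
        if _local(item.tag) != "Data":
            fields[_local(item.tag)] = _element_to_dict(item)
            continue
        value = (item.text or "").strip()
        name = item.attrib.get("Name")
        if name:
            fields[name] = value
        else:
            unnamed.append(value)
    if unnamed:
        fields["Data"] = unnamed
    return fields


def event_xml_to_dict(xml_text):
    """Turn one rendered event into a JSON-ready dict with numeric System fields typed."""
    root = ET.fromstring(xml_text)
    out = {}
    for section in root:
        name = _local(section.tag)
        out[name] = _event_data_to_dict(section) if name == "EventData" else _element_to_dict(section)
    system = out.get("System", {})
    for key in ("EventID", "EventRecordID", "Version", "Level", "Task", "Opcode"):
        value = system.get(key)
        if isinstance(value, str) and value.isdigit():
            system[key] = int(value)  # integers index and range-query better than strings
    return out


def event_xml_to_json_line(xml_text):
    """One compact JSON object per line, the form logstash's json_lines codec reads."""
    return json.dumps(event_xml_to_dict(xml_text), separators=(",", ":"))


def evtx_to_json_lines(path):
    """Walk a real .evtx file with python-evtx (assumed installed) and yield one
    JSON line per record; a record that fails to render is skipped so a single
    damaged chunk does not abort the whole ingest."""
    from Evtx.Evtx import Evtx  # imported here so the rest runs without python-evtx
    with Evtx(path) as log:
        for record in log.records():
            try:
                xml_text = record.xml()
            except Exception:
                continue
            yield event_xml_to_json_line(xml_text)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for line in evtx_to_json_lines(sys.argv[1]):
            print(line)
    else:
        print(event_xml_to_json_line(SAMPLE_EVENT_XML))
```

Run it with a path to an .evtx file to stream JSON lines to stdout, or with no argument to see the sample converted. Flattening `Data Name="X"` into top-level `EventData.X` keys is what makes the output searchable by field name in Elasticsearch, but it also means the per-provider schema differences the maintainer mentions surface as differing field sets per EventID; a mapping template or per-channel index is the usual way to keep that manageable.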

williballenthin commented 6 years ago

Closing this issue due to lack of activity. Please re-open if you have further questions!

geekscrapy commented 5 years ago

Leaving this here for future queries. In the end I basically did this:

https://dragos.com/blog/industry-news/evtxtoelk-a-python-module-to-load-windows-event-logs-into-elasticsearch/