EVTX Windows logs to ES

cyberzlo · April 21, 2020, 8:39am

Hi, what is most easy way to load static EVTX files to ES for forensics pourposes? Is there maybe some done setup for that? I just have dir with subdirectories for each system and in this subdirectories are evtx logs. Just want parse it and load to ES. Somehow I need distinguish logs between systems (are in different folders but EVTX file names are same for each system). Is it possible to automatic upload it with subdirectories?

cyberzlo · April 21, 2020, 9:10am

I found this https://www.elastic.co/guide/en/beats/winlogbeat/current/reading-from-evtx.html

Looks like - name: is designed to Windows log name, how should look this parameter for filename?

It is possible to upload logs from a lot of systems when logs are in different subdirectories for each system?

Eventually if there is no better way, I can do bash script in Linux subsystem to generate this lines with - name: but can you help me find best solution? Should I somehow use for example tags for distinguish each system etc? How should look example config?

andrewkroh · April 21, 2020, 12:09pm

If you need to do a batch load then I think scripting would be the way to go. Have a PowerShell script traverse the dirs and for each .evtx file found use the method described in the link above to invoke Winlogbeat to read the file.

The ingested events will include the full evtx file path and the logs themselves contain the original computer name from which they were sourced.

cyberzlo · April 21, 2020, 1:18pm

So config should looks like:

winlogbeat.event_logs:
  - name: C:\evtx\file1.evtx
    no_more_events: stop 
  - name: C:\evtx\file2.evtx
    no_more_events: stop 
  - name: C:\evtx\file3.evtx
    no_more_events: stop 

winlogbeat.shutdown_timeout: 30s 
winlogbeat.registry_file: evtx-registry.yml 

output.elasticsearch.hosts: ['http://localhost:9200']

yes? or - name: 'C:\evtx\file1.evtx'?

BTW, elasticsearch don't need to be on Windows, because it will be parsed by winlogbeat?

andrewkroh · April 23, 2020, 10:28pm

I would have the config setup to read one file at a time like shown in the docs.

Then make a wrapper script set EVTX_FILE each time it invokes Winlogbeat to read a new file. Then the script does something like this psuedo-code.

// foreach evtx_file in /my/dir/**/*.evtx
// do .\winlogbeat.exe -e -c .\winlogbeat-evtx.yml -E EVTX_FILE=$evtx_file

And correct, only Winlogbeat needs to be on Windows.

system · May 21, 2020, 10:28pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.