Loading Windows Event Logs to Elasticsearch

So whilst playing through an element of Kringlecon 2019 I came across a task which didn't really suit my Christmas challenge of going Linux full-time: it involved a Windows Event Log file, and there is no ready Linux derivative of Event Viewer.

My Kali laptop for my Christmas challenge was already configured with my basic toolsets (on top of Kali itself).

For example, I had already deployed TheHive, Cortex, Splunk and Elasticsearch. Unfortunately Splunk didn't like the EVTX files I threw at it, instead filling the fields with garbage and making extraction almost impossible.

Enter EVTXTOELK, a Python library designed to stream EVTX files into ELK without any additional steps in the process.

Dragos originally wrote the module for a threat hunt in an access-limited environment, and then released it to the world.

So for this element of the challenge I only needed to install the module through pip, then load the data from the python3 interpreter:

python3 -m pip install evtxtoelk

from evtxtoelk import EvtxToElk
# arguments: path to the EVTX file, then the Elasticsearch URL
EvtxToElk.evtx_to_elk("eventlog.evtx", "http://localhost:9200")

This imports the EVTX records into an index called hostlog, which can then be searched and analysed like any other index.
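To show what a loader of this kind actually does on the way into Elasticsearch, here is an added example (my own illustration, not the evtxtoelk module's code): one constructed EVTX event, in the XML shape python-evtx yields per record, is flattened into a JSON document and wrapped as _bulk lines for an index named hostlog. The sample event, the field layout and the posting helper are assumptions; the real module's document shape differs.

```python
import json
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample: one event in the XML shape python-evtx yields per EVTX record
# (schema namespace and element names are the real Windows ones; values are made up).
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Security-Auditing"/>
<EventID>4624</EventID><Channel>Security</Channel><Computer>host01</Computer>
<TimeCreated SystemTime="2019-12-24T10:00:00.000000Z"/></System>
<EventData><Data Name="TargetUserName">alice</Data>
<Data Name="LogonType">10</Data></EventData></Event>"""

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def event_xml_to_doc(xml_text):
    """Turn one EVTX event (XML text) into a JSON-ready dict for Elasticsearch."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    doc = {
        "@timestamp": system.find("e:TimeCreated", NS).get("SystemTime"),
        "EventID": int(system.findtext("e:EventID", namespaces=NS)),
        "Channel": system.findtext("e:Channel", namespaces=NS),
        "Computer": system.findtext("e:Computer", namespaces=NS),
        "Provider": system.find("e:Provider", NS).get("Name"),
        "EventData": {},
    }
    # EventData carries the per-event fields as <Data Name="...">value</Data>;
    # keying them by Name makes each one a searchable field instead of one blob.
    event_data = root.find("e:EventData", NS)
    if event_data is not None:
        for data in event_data.findall("e:Data", NS):
            doc["EventData"][data.get("Name")] = data.text
    return doc

def to_bulk_body(docs, index="hostlog"):
    """Render docs as NDJSON for the _bulk API: an action line, then the document."""
    lines = []
    for doc in docs:
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps(doc))
    return "\n".join(lines) + "\n"

def post_bulk(body, elk_url="http://localhost:9200"):
    """Send one bulk body to Elasticsearch (network call; assumed URL from the post)."""
    req = urllib.request.Request(elk_url + "/_bulk", data=body.encode(),
                                 headers={"Content-Type": "application/x-ndjson"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())
```

Calling post_bulk(to_bulk_body([event_xml_to_doc(SAMPLE_EVENT_XML)])) against a running Elasticsearch creates the hostlog index with that one document.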

Huzzah!


