Loading Windows Event Logs to Elasticsearch

So whilst playing through an element of Kringlecon 2019 I came across a task which didn’t really suit my Christmas challenge of going to Linux full-time. One such challenge involved a Windows Event Log file with no ready access to a Linux derivative of Event Viewer.

My Kali laptop for my Christmas challenge was already configured with my basic toolsets (on top of Kali itself).

For example, I had already deployed TheHive, Cortex, Splunk and Elasticsearch. Unfortunately Splunk didn’t like the EVTX files I tried to throw at it, instead throwing garble into the fields, making extraction almost impossible.

Enter EVTXTOELK, a Python library designed to stream EVTX files to ELK without additional steps in the process.

Dragos originally wrote the module for a threat hunt in an access-limited environment, and then released it to the world.

So for this element of the challenge I now only needed to install the module through pip, then load the data through python3 command line:

python3 -m pip install evtxtoelk

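from evtxtoelk import EvtxToElk

# Placeholder path and a local Elasticsearch URL; substitute your own
EvtxToElk.evtx_to_elk("/path/to/file.evtx", "http://localhost:9200")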

This will import the EVTX into an index called hostlog, from which analysis can be done on the imported data.
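
What a loader of this kind has to do with each record, as an added example (not the post's or evtxtoelk's own code): flatten the event XML that an EVTX parser renders into a JSON document and wrap it in Elasticsearch bulk API action lines. The sample event, the document field names and the helpers event_to_doc and to_bulk_ndjson are constructed for illustration.

```python
import json
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample record (not from the challenge file)
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4625</EventID>
    <TimeCreated SystemTime="2019-11-19T12:21:46.000000Z"/>
    <Computer>WORKSTATION01.example.test</Computer>
    <Channel>Security</Channel>
  </System>
  <EventData>
    <Data Name="TargetUserName">alice</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="IpAddress">192.0.2.10</Data>
  </EventData>
</Event>"""

def event_to_doc(xml_text):
    # Flatten one rendered event into a dict ready for JSON indexing
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    doc = {
        "@timestamp": system.find("e:TimeCreated", NS).get("SystemTime"),
        "event_id": int(system.find("e:EventID", NS).text),
        "provider": system.find("e:Provider", NS).get("Name"),
        "channel": system.findtext("e:Channel", namespaces=NS),
        "computer": system.findtext("e:Computer", namespaces=NS),
        "event_data": {},
    }
    for i, data in enumerate(root.findall("e:EventData/e:Data", NS)):
        # Some events carry unnamed Data elements; give those positional keys
        key = data.get("Name") or f"param{i}"
        doc["event_data"][key] = data.text or ""
    return doc

def to_bulk_ndjson(docs, index="hostlog"):
    # Bulk API body: one action line, then one source line, per document
    lines = []
    for doc in docs:
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps(doc))
    return "\n".join(lines) + "\n"  # the bulk body must end with a newline

if __name__ == "__main__":
    print(to_bulk_ndjson([event_to_doc(SAMPLE_EVENT_XML)]))
```

Keeping event_id numeric and the timestamp in ISO 8601 form lets Elasticsearch map them as a number and a date, so range queries and time filters work on the imported data.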

