Normalizing imported .evtx files with Splunk Windows Add-on

Erad — Mon, 18 Jan 2021 21:21:21 GMT

Greetings all,

I'm in a situation where I would like do "offline" Windows event logs analysis, and I need to be able to ingest raw evtx files.

Here is my setup:

Deployed a Windows Splunk instance on a single VM,
Installed and configured the Splunk Add-on for Microsoft Windows TA.

I'm ingesting the files I need with a "monitor" stanza in the Windows app's inputs.conf:

[monitor://C:\imported_data\evtx]
disabled = 0
sourcetype = preprocess-winevt
crcSalt = <SOURCE>
index = imported-evtx

Now, the logs are ingested and parsed and it's already a start (I get proper sourcetypes and everything). However, they do not go through the Windows' app normalizing process, e.g. events don't get populated with the "EventID" field, user names are not parsed into SubjectUserName and TargetUserName fields, things like that.

Is there a way of making those imported logs properly handled by the TA?

Note: if I try and ingest my local VM's logs with a [WinEventLog://Security] stanza, they are successfully normalized by the app.

Cheers,

Erad

Re: Normalizing imported .evtx files with Splunk Windows Add-on

human96 — Tue, 08 Mar 2022 08:04:13 GMT

Windows Event Log (.evt) and Windows Event Log XML (.evtx) files that you exported from another Windows machine don't work.

https://docs.splunk.com/Documentation/Splunk/8.2.5/Data/Uploaddata

the better way would be-
1. convert your evtx files to csv

using logparser ( by Microsoft )

$logparser = "c:\program files (x86)\Log Parser 2.2\logparser.exe"
$query = "SELECT * INTO c:\logs\logs.csv FROM c:\logs\logs.evtx"

& $logparser -i:evt -o:csv $query

2. forward those converted csv file directly to splunk.

topic Normalizing imported .evtx files with Splunk Windows Add-on in Getting Data In

Normalizing imported .evtx files with Splunk Windows Add-on

Re: Normalizing imported .evtx files with Splunk Windows Add-on