Getting Data In

How to index .evt(x) files exported from a Windows system for Forensics/Root Cause Analysis/Incident Response etc when the system is no longer operational?

marycordova
SplunkTrust

Problem statement: Windows .evt(x) files need to be indexed, but the system the files originated from is no longer operational and the normal methods for gathering Windows event logs (Universal Forwarder, WEF, etc.) will not work.

@marycordova
0 Karma
1 Solution

marycordova
SplunkTrust

Solution: custom app incident_response

  1. Splunk Enterprise system with admin rights and an index called "incident" (this can be changed); a single standalone free instance would be sufficient
  2. custom app with bin, local, and metadata directories and a README file
  3. batch script to convert files from .evt(x) to .txt
  4. input to ingest and index .txt files
  5. props for event breaking, field extraction, etc

Directory structure:

$SPLUNK_HOME/etc/apps/incident_response/ 
README.txt 
/bin/convevt.bat 
/local/app.conf 
/local/inputs.conf 
/local/props.conf 
/metadata/local.meta    

convevt.bat (pardon my windows...I'm better in *nix!):

REM declare directory to event logs without trailing "\" 
REM set evtlogs="D:\directory\to\logs" 

set evtlogs="D:\ticket-123456\Logs" 

forfiles /P %evtlogs% /M *.evt* /C "cmd /c wevtutil qe @path /lf:true /f:Text > @path.txt"

app.conf:

[install] 
state = enabled

inputs.conf:

# declare directory to event logs in "incident_response\bin\convevt.bat" 
# enable script input 
[script://.\bin\convevt.bat] 
index = main 
sourcetype = script:output 
interval = -1 
#disabled = 0 
disabled = 1 

# declare directory to event logs with trailing "\*.txt" 
# declare hostname 
#[monitor://D:\directory\to\logs\*.txt] 
[monitor://D:\ticket-123456\Logs\*.txt] 
index = incident 
sourcetype = wevtutil:txt 
host = hostname 
disabled = 0 

# restart splunk
# after first run disable script input and restart splunk

props.conf:

[wevtutil:txt] 
ANNOTATE_PUNCT = false 
LINE_BREAKER = (Event\[\d+\]\:) 
SHOULD_LINEMERGE = false 
ADD_EXTRA_TIME_FIELDS = false 
TIME_PREFIX = Date\:\s+ 
MAX_DAYS_AGO = 10951 
KV_MODE = none 
# field names in the capture groups below are placeholders; rename to suit
EXTRACT-wevtutil_1 = Log\s+Name\:\s+(?<LogName>[^\n]+)
EXTRACT-wevtutil_2 = Source\:\s+(?<SourceName>[^\n]+)
EXTRACT-wevtutil_3 = Event\s+ID\:\s+(?<EventCode>[^\n]+)
EXTRACT-wevtutil_4 = Task\:\s+(?<TaskCategory>[^\n]+)
EXTRACT-wevtutil_5 = Level\:\s+(?<Level>[^\n]+)
EXTRACT-wevtutil_6 = Opcode\:\s+(?<OpCode>[^\n]+)
EXTRACT-wevtutil_7 = Keyword\:\s+(?<Keywords>[^\n]+)

#################################
###ADD CUSTOM EXTRACTIONS HERE###
#################################

#EXTRACT-wevtutil_# = regex

local.meta:

[] 
access = read : [ * ], write : [ admin ] 
export = system

README.txt:

1 - declare directory to event logs in "bin\convevt.bat" 
2 - enable script input in "local\inputs.conf" 
3 - declare directory to event logs in "local\inputs.conf" 
4 - declare hostname in "local\inputs.conf" 
5 - restart splunk 
6 - after first run disable script input and restart splunk
@marycordova
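
A way to check the event breaking and field patterns from the props.conf above before indexing evidence, as an added example that is not part of the original post: the Python below applies the same LINE_BREAKER and label patterns to a constructed sample of wevtutil text output. The field names (LogName, EventCode, ...) and the sample events are assumptions; the optional `[^\r\n]+` value pattern shows that `[^\n]+` keeps the carriage return when the input has CRLF line endings.

```python
import re

# Constructed sample of `wevtutil qe <file> /lf:true /f:Text` output with
# Windows CRLF line endings; hosts, times and event text are made up.
SAMPLE = "\r\n".join([
    "Event[0]:", "  Log Name: Security",
    "  Source: Microsoft-Windows-Security-Auditing",
    "  Date: 2022-06-01T08:15:42.123", "  Event ID: 4624",
    "  Task: Logon", "  Level: Information", "  Opcode: Info",
    "  Keyword: Audit Success", "  Computer: HOST01", "  Description: ",
    "An account was successfully logged on.", "",
    "Event[1]:", "  Log Name: Security",
    "  Source: Microsoft-Windows-Eventlog",
    "  Date: 2022-06-01T08:20:05.000", "  Event ID: 1102",
    "  Task: Log clear", "  Level: Information", "  Opcode: Info",
    "  Keyword: Audit Success", "  Computer: HOST01", "  Description: ",
    "The audit log was cleared.", "",
])

# Same patterns as props.conf; the field names are assumed, not from the post.
LINE_BREAKER = re.compile(r"(Event\[\d+\]\:)")
LABELS = {"LogName": r"Log\s+Name", "SourceName": r"Source",
          "EventCode": r"Event\s+ID", "TaskCategory": r"Task", "Level": r"Level",
          "OpCode": r"Opcode", "Keywords": r"Keyword", "Time": r"Date"}

def break_events(text):
    """Split like LINE_BREAKER: the captured 'Event[n]:' marker is discarded."""
    chunks = LINE_BREAKER.split(text)[0::2]   # odd items are the captured markers
    return [c for c in chunks if c.strip()]

def extract(event, value=r"[^\n]+"):
    """Apply <label>\\:\\s+(<value>) per field; the first match in the event wins."""
    fields = {}
    for name, label in LABELS.items():
        m = re.search(label + r"\:\s+(" + value + ")", event)
        if m:
            fields[name] = m.group(1)
    return fields

if __name__ == "__main__":
    for ev in break_events(SAMPLE):
        print(extract(ev, r"[^\r\n]+"))
```
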
