Getting Data In

How to index .evt(x) files exported from a Windows system for Forensics/Root Cause Analysis/Incident Response etc., when the system is no longer operational?

marycordova (SplunkTrust)

Problem statement: Windows .evt(x) files need to be indexed, but the system the files originated from is no longer operational and the normal methods for gathering Windows event logs (Universal Forwarder, WEF, etc.) will not work.

@marycordova

1 Solution

marycordova (SplunkTrust)

Solution: custom app incident_response

  1. Splunk Enterprise system with admin rights and an index called "incident" (this can be changed); a single stand-alone free instance would be sufficient
  2. custom app with bin, local, and metadata directories and a README file
  3. batch script to convert files from .evt(x) to .txt
  4. input to ingest and index .txt files
  5. props for event breaking, field extraction, etc

Directory structure:

$SPLUNK_HOME/etc/apps/incident_response/ 
README.txt 
/bin/convevt.bat 
/local/app.conf 
/local/inputs.conf 
/local/props.conf 
/metadata/local.meta    

convevt.bat (pardon my Windows...I'm better in *nix!):

REM declare directory to event logs without trailing "\" 
REM set evtlogs="D:\directory\to\logs" 

set evtlogs="D:\ticket-123456\Logs" 

REM render every .evt/.evtx file in that directory as text with wevtutil; forfiles quotes @path itself, 
REM so each output file lands next to its source as <name>.evt(x).txt, which the monitor input then picks up 
forfiles /P %evtlogs% /M *.evt* /C "cmd /c wevtutil qe @path /lf:true /f:Text > @path.txt"

app.conf:

[install] 
state = enabled

inputs.conf:

# declare directory to event logs in "incident_response\bin\convevt.bat" 
# enable script input 
[script://.\bin\convevt.bat] 
index = main 
sourcetype = script:output 
interval = -1 
#disabled = 0 
disabled = 1 

# declare directory to event logs with trailing "\*.txt" 
# declare hostname 
#[monitor://D:\directory\to\logs\*.txt] 
[monitor://D:\ticket-123456\Logs\*.txt] 
index = incident 
sourcetype = wevtutil:txt 
host = hostname 
disabled = 0 

# restart splunk 
# after first run disable script input and restart splunk

props.conf:

[wevtutil:txt] 
ANNOTATE_PUNCT = false 
# every event in the wevtutil text output starts with "Event[N]:"; the capture group is consumed and not kept in _raw 
LINE_BREAKER = (Event\[\d+\]\:) 
SHOULD_LINEMERGE = false 
ADD_EXTRA_TIME_FIELDS = false 
# the timestamp follows the "Date:" label on its own line 
TIME_PREFIX = Date\:\s+ 
MAX_DAYS_AGO = 10951 
KV_MODE = none 
# one extraction per header line of the text output; the capture-group (field) names are chosen here, rename to taste 
EXTRACT-wevtutil_1 = Log\s+Name\:\s+(?<LogName>[^\n]+) 
EXTRACT-wevtutil_2 = Source\:\s+(?<Source>[^\n]+) 
EXTRACT-wevtutil_3 = Event\s+ID\:\s+(?<EventID>[^\n]+) 
EXTRACT-wevtutil_4 = Task\:\s+(?<Task>[^\n]+) 
EXTRACT-wevtutil_5 = Level\:\s+(?<Level>[^\n]+) 
EXTRACT-wevtutil_6 = Opcode\:\s+(?<Opcode>[^\n]+) 
EXTRACT-wevtutil_7 = Keyword\:\s+(?<Keyword>[^\n]+) 

################################ 
###ADD CUSTOM EXTRACTIONS HERE### 
################################ 

#EXTRACT-wevtutil_# = regex

local.meta:

[] 
access = read : [ * ], write : [ admin ] 
export = system

README.txt:

1 - declare directory to event logs in "bin\convevt.bat" 
2 - enable script input in "local\inputs.conf" 
3 - declare directory to event logs in "local\inputs.conf" 
4 - declare hostname in "local\inputs.conf" 
5 - restart splunk 
6 - after first run disable script input and restart splunk
@marycordova

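As an added check that is not part of the original post: the script below replays the [wevtutil:txt] stanza's LINE_BREAKER, TIME_PREFIX and EXTRACT regexes in Python over a constructed sample of "wevtutil qe ... /lf:true /f:Text" output, so the props can be validated against a converted .txt file before Splunk is restarted. The sample events, the field names (LogName, EventID, ...) and the helpers index_text() and check_file() are assumptions of this example. The one deliberate deviation from the post's regexes is [^\r\n]+ in place of [^\n]+: cmd redirection writes CRLF files, and a bare [^\n]+ keeps the trailing carriage return in every extracted value.

```python
"""Dry run of the [wevtutil:txt] props.conf stanza against a converted .txt file.

Added example, not part of the original post. The regexes mirror the stanza's
LINE_BREAKER, TIME_PREFIX and EXTRACT-wevtutil_* settings. SAMPLE is constructed
to look like 'wevtutil qe <file> /lf:true /f:Text' output as cmd redirection
writes it (CRLF line endings). Field names are chosen here.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: three events in the layout wevtutil /f:Text prints.
SAMPLE = """Event[0]:
  Log Name: Security
  Source: Microsoft-Windows-Security-Auditing
  Date: 2019-04-17T09:36:11.781
  Event ID: 4624
  Task: Logon
  Level: Information
  Opcode: Info
  Keyword: Audit Success
  Computer: WKS01
  Description:
An account was successfully logged on.

Event[1]:
  Log Name: Security
  Source: Microsoft-Windows-Security-Auditing
  Date: 2019-04-17T09:36:12.004
  Event ID: 4672
  Task: Special Logon
  Level: Information
  Opcode: Info
  Keyword: Audit Success
  Computer: WKS01
  Description:
Special privileges assigned to new logon.

Event[2]:
  Log Name: System
  Source: Service Control Manager
  Date: 2019-04-17T09:40:00.000
  Event ID: 7036
  Task: N/A
  Level: Information
  Opcode: Info
  Keyword: Classic
  Computer: WKS01
  Description:
The Windows Update service entered the running state.
""".replace("\n", "\r\n")

# props.conf: LINE_BREAKER = (Event\[\d+\]\:). Splunk discards the capture group;
# re.split() likewise drops the matched "Event[N]:" marker from each event.
LINE_BREAKER = re.compile(r"Event\[\d+\]:")

# props.conf: TIME_PREFIX = Date\:\s+ and then Splunk auto-detects the ISO-8601
# value; the format is spelled out here so the check is explicit.
TIMESTAMP = re.compile(r"Date:\s+(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(\.\d+)?")

# props.conf: EXTRACT-wevtutil_1..7. [^\r\n]+ rather than the post's [^\n]+,
# because the converted files are CRLF and [^\n]+ would keep the trailing \r.
EXTRACTIONS = {
    name: re.compile(pattern)
    for name, pattern in {
        "LogName": r"Log\s+Name:\s+([^\r\n]+)",
        "Source": r"Source:\s+([^\r\n]+)",
        "EventID": r"Event\s+ID:\s+([^\r\n]+)",
        "Task": r"Task:\s+([^\r\n]+)",
        "Level": r"Level:\s+([^\r\n]+)",
        "Opcode": r"Opcode:\s+([^\r\n]+)",
        "Keyword": r"Keyword:\s+([^\r\n]+)",
    }.items()
}


def break_events(text):
    """Split a converted file into events the way LINE_BREAKER does."""
    return [chunk.strip() for chunk in LINE_BREAKER.split(text) if chunk.strip()]


def parse_time(raw):
    """Event timestamp as a naive datetime, or None when TIME_PREFIX matches nothing.

    Naive on purpose: the Date value carries no zone suffix, so Splunk would apply
    the indexer's zone unless TZ is set for this sourcetype or host.
    """
    m = TIMESTAMP.search(raw)
    if m is None:
        return None
    fraction = (m.group(2) or ".0")[1:7].ljust(6, "0")  # normalise to microseconds
    return datetime.strptime(f"{m.group(1)}.{fraction}", "%Y-%m-%dT%H:%M:%S.%f")


def extract_fields(raw):
    """Apply the seven EXTRACT regexes; the first match in the event wins."""
    fields = {}
    for name, rx in EXTRACTIONS.items():
        m = rx.search(raw)
        if m:
            fields[name] = m.group(1)
    return fields


def index_text(text):
    """Turn a converted .txt file into the events Splunk would index from it."""
    events = []
    for raw in break_events(text):
        event = {"_raw": raw, "_time": parse_time(raw)}
        event.update(extract_fields(raw))
        events.append(event)
    return events


def check_file(text):
    """Summary to eyeball before restarting Splunk: event total, events with no
    usable timestamp (Splunk would fall back to the previous event's time or
    index time), and counts per Event ID."""
    events = index_text(text)
    return {
        "events": len(events),
        "missing_time": [i for i, e in enumerate(events) if e["_time"] is None],
        "by_event_id": dict(Counter(e.get("EventID", "?") for e in events)),
    }


if __name__ == "__main__":
    print(check_file(SAMPLE))
```

To run it against a real conversion, read the file with newline="" so the CRLF pairs survive (the text encoding follows the console code page of the box that ran wevtutil) and pass the contents to check_file(). A non-empty missing_time list means the Date line did not match for those events and TIME_PREFIX needs another look; and since the Date values carry no zone suffix, set TZ in the stanza to the dead host's zone, otherwise the indexer's zone is applied to every event.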
