Solved: Re: How to index .evt(x) files exported from a Win...

marycordova · ‎04-18-2019

Problem statement: Windows .evt(x) files need to be indexed but the system the files originated from is no longer operational and the normal methods for gathering Windows event logs will not work; Universal Forwarder, WEF, etc

@marycordova

marycordova · ‎04-18-2019

Solution: custom app incident_response

Splunk Enterprise system with admin rights and an index called "incident" (this can be changed), a single stand alone free instance would be sufficient
custom app with bin, local, and metadata directories and a README file
batch script to covert files from .evt(x) to .txt
input to ingest and index .txt files
props for event breaking, field extraction, etc

Directories structure:

$SPLUNK_HOME/etc/apps/incident_response/ 
README.txt 
/bin/convevt.bat 
/local/app.conf 
/local/inputs.conf 
/local/props.conf 
/metadata/local.meta

convevt.bat (pardon my windows...I'm better in *nix!):

REM declare directory to event logs without trailing "\" 
REM set evtlogs="D:\directory\to\logs" 

set evtlogs="D:\ticket-123456\Logs" 

forfiles /P %evtlogs% /M *.evt* /C "cmd /c wevtutil qe @path /lf:true /f:Text > @path.txt"

app.conf:

[install] 
state = enabled

inputs.conf:

# declare directory to event logs in "incident_response\bin\convevt.bat" 
# enable script input 
[script://.\bin\convevt.bat] 
index = main 
sourcetype = script:output 
interval = -1 
#disabled = 0 
disabled = 1 

# declare directory to event logs with trailing "\*.txt" 
# declare hostname 
#[monitor://D:\directory\to\logs\*.txt] 
[monitor://D:\ticket-123456\Logs\*.txt] 
index = incident 
sourcetype = wevtutil:txt 
host = hostname 
disabled = 0 

# resart splunk 
# after first run disable script input and restart splunk

props.conf:

[wevtutil:txt] 
ANNOTATE_PUNCT = false 
LINE_BREAKER = (Event\[\d+\]\:) 
SHOULD_LINEMERGE = false 
ADD_EXTRA_TIME_FIELDS = false 
TIME_PREFIX = Date\:\s+ 
MAX_DAYS_AGO = 10951 
KV_MODE = none 
EXTRACT-wevtutil_1 = Log\s+Name\:\s+(?[^\n]+) 
EXTRACT-wevtutil_2 = Source\:\s+(?[^\n]+) 
EXTRACT-wevtutil_3 = Event\s+ID\:\s+(?[^\n]+) 
EXTRACT-wevtutil_4 = Task\:\s+(?[^\n]+) 
EXTRACT-wevtutil_5 = Level\:\s+(?[^\n]+) 
EXTRACT-wevtutil_6 = Opcode\:\s+(?[^\n]+) 
EXTRACT-wevtutil_7 = Keyword\:\s+(?[^\n]+) 

################################ 
###ADD CUSTOM EXRACTIONS HERE### 
################################ 

#EXTRACT-wevtutil_# = regex

local.meta:

[] 
access = read : [ * ], write : [ admin ] 
export = system

README.txt:

1 - declare directory to event logs in "bin\convevt.bat" 
2 - enable script input in "local\inputs.conf" 
3 - declare directory to event logs in "local\inputs.conf" 
4 - declare hostname in "local\inputs.conf" 
5 - restart splunk 
6 - after first run disable script input and restart splunk

@marycordova

View solution in original post

marycordova · ‎04-18-2019

Solution: custom app incident_response

Splunk Enterprise system with admin rights and an index called "incident" (this can be changed), a single stand alone free instance would be sufficient
custom app with bin, local, and metadata directories and a README file
batch script to covert files from .evt(x) to .txt
input to ingest and index .txt files
props for event breaking, field extraction, etc

Directories structure:

$SPLUNK_HOME/etc/apps/incident_response/ 
README.txt 
/bin/convevt.bat 
/local/app.conf 
/local/inputs.conf 
/local/props.conf 
/metadata/local.meta

convevt.bat (pardon my windows...I'm better in *nix!):

REM declare directory to event logs without trailing "\" 
REM set evtlogs="D:\directory\to\logs" 

set evtlogs="D:\ticket-123456\Logs" 

forfiles /P %evtlogs% /M *.evt* /C "cmd /c wevtutil qe @path /lf:true /f:Text > @path.txt"

app.conf:

[install] 
state = enabled

inputs.conf:

# declare directory to event logs in "incident_response\bin\convevt.bat" 
# enable script input 
[script://.\bin\convevt.bat] 
index = main 
sourcetype = script:output 
interval = -1 
#disabled = 0 
disabled = 1 

# declare directory to event logs with trailing "\*.txt" 
# declare hostname 
#[monitor://D:\directory\to\logs\*.txt] 
[monitor://D:\ticket-123456\Logs\*.txt] 
index = incident 
sourcetype = wevtutil:txt 
host = hostname 
disabled = 0 

# resart splunk 
# after first run disable script input and restart splunk

props.conf:

[wevtutil:txt] 
ANNOTATE_PUNCT = false 
LINE_BREAKER = (Event\[\d+\]\:) 
SHOULD_LINEMERGE = false 
ADD_EXTRA_TIME_FIELDS = false 
TIME_PREFIX = Date\:\s+ 
MAX_DAYS_AGO = 10951 
KV_MODE = none 
EXTRACT-wevtutil_1 = Log\s+Name\:\s+(?[^\n]+) 
EXTRACT-wevtutil_2 = Source\:\s+(?[^\n]+) 
EXTRACT-wevtutil_3 = Event\s+ID\:\s+(?[^\n]+) 
EXTRACT-wevtutil_4 = Task\:\s+(?[^\n]+) 
EXTRACT-wevtutil_5 = Level\:\s+(?[^\n]+) 
EXTRACT-wevtutil_6 = Opcode\:\s+(?[^\n]+) 
EXTRACT-wevtutil_7 = Keyword\:\s+(?[^\n]+) 

################################ 
###ADD CUSTOM EXRACTIONS HERE### 
################################ 

#EXTRACT-wevtutil_# = regex

local.meta:

[] 
access = read : [ * ], write : [ admin ] 
export = system

README.txt:

1 - declare directory to event logs in "bin\convevt.bat" 
2 - enable script input in "local\inputs.conf" 
3 - declare directory to event logs in "local\inputs.conf" 
4 - declare hostname in "local\inputs.conf" 
5 - restart splunk 
6 - after first run disable script input and restart splunk

@marycordova

How to index .evt(x) files exported from a Windows system for Forensics/Root Cause Analysis/Incident Response etc when the system is no longer operational?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!