Normalizing imported .evtx files with Splunk Windows Add-on

Erad
New Member

Greetings all,

I'm in a situation where I would like to do "offline" Windows event log analysis, and I need to be able to ingest raw .evtx files.

Here is my setup:

I'm ingesting the files I need with a "monitor" stanza in the Windows app's inputs.conf:

[monitor://C:\imported_data\evtx]
disabled = 0
sourcetype = preprocess-winevt
crcSalt = <SOURCE>
index = imported-evtx

Now, the logs are ingested and parsed, and it's already a start (I get proper sourcetypes and everything). However, they do not go through the Windows app's normalizing process, e.g. events don't get populated with the "EventID" field, user names are not parsed into SubjectUserName and TargetUserName fields, things like that.

Is there a way of making those imported logs properly handled by the TA?

Note: if I try and ingest my local VM's logs with a [WinEventLog://Security] stanza, they are successfully normalized by the app.
Cheers,

Erad


human96
Communicator

Windows Event Log (.evt) and Windows Event Log XML (.evtx) files that you exported from another Windows machine don't work.

https://docs.splunk.com/Documentation/Splunk/8.2.5/Data/Uploaddata

The better way would be:

1. Convert your .evtx files to CSV using Log Parser (by Microsoft):

$logparser = "c:\program files (x86)\Log Parser 2.2\logparser.exe"
$query = "SELECT * INTO c:\logs\logs.csv FROM c:\logs\logs.evtx"

& $logparser -i:evt -o:csv $query

2. Forward those converted CSV files directly to Splunk.

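As an added example (not part of human96's answer or of any Splunk or Microsoft tooling), here is a PowerShell script that applies the same Log Parser approach to a whole folder of .evtx files rather than one file, selects only the columns the later field extractions care about, and checks Log Parser's exit code per file. The folder paths, the output column list and the Log Parser install path are assumptions; adjust them to your environment.

```powershell
# Added example: batch-convert every .evtx under $SourceDir to CSV with
# Microsoft Log Parser 2.2 so a Splunk [monitor://] input can pick them up.
# All paths below are assumptions, not values from the original post.
param(
    [string]$SourceDir = 'C:\imported_data\evtx',   # assumed: folder of exported .evtx files
    [string]$OutDir    = 'C:\imported_data\csv',    # assumed: folder Splunk will monitor
    [string]$LogParser = 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe'  # assumed install path
)

if (-not (Test-Path -Path $LogParser)) {
    throw "Log Parser not found at '$LogParser'"
}
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

Get-ChildItem -Path $SourceDir -Filter '*.evtx' -File | ForEach-Object {
    $csv = Join-Path -Path $OutDir -ChildPath ($_.BaseName + '.csv')

    # Columns from Log Parser's EVT input format. 'Strings' carries the
    # pipe-separated insertion strings (account names, logon types, ...),
    # which is the data the Security-log field extractions are built from.
    $query = "SELECT TimeGenerated, EventID, EventType, EventTypeName, " +
             "SourceName, ComputerName, SID, Strings, Message " +
             "INTO '$csv' FROM '$($_.FullName)'"

    # -i:EVT reads .evt/.evtx, -o:CSV writes CSV, -q:ON suppresses the banner.
    & $LogParser -i:EVT -o:CSV -q:ON $query

    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Log Parser failed on '$($_.FullName)' (exit code $LASTEXITCODE)"
    } else {
        Write-Host "Converted $($_.Name) -> $csv"
    }
}
```

Run it once per batch of exported logs, then point a [monitor://C:\imported_data\csv] stanza at the output folder. Because the CSVs carry a header row, a props.conf stanza for that sourcetype with INDEXED_EXTRACTIONS = csv and TIMESTAMP_FIELDS = TimeGenerated lets Splunk index each column as a field and take the event time from the original record instead of the file's modification time; the Windows TA's SubjectUserName/TargetUserName extractions still will not apply to this sourcetype, since they are keyed on the native Windows event log sourcetypes.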