Parsing Windows Logs (from FILE)


Colin.Bitterfield

I am having no luck with a simple parsing of EVT log files.

Is there an easy way to read in EVT (Binary Log files) and output them in Syslog Format?

This is the config file I am using (I used python-evtx to extract into text XML); however, that yields XML attributes, which apparently are not parseable.

Problem Set:

Given 3 files (System.evt, Application.evt, and Security.EVT), parse the EVT format into Syslog_BSD (or IETF) format.

<Extension multiline>
    Module      xm_multiline
    HeaderLine  /^<event>/
    EndLine     /^<\/event>/
</Extension>

<Extension syslog>
    Module      xm_syslog
</Extension>

<Extension xmlparser>
    Module      xm_xml
</Extension>

<Extension json>
    Module      xm_json
</Extension>

<Extension fileop>
    Module      xm_fileop
</Extension>

<Input in>
    Module      im_file
    File        "%ROOT%/test.xml"
#   File        "/tmp/cab.xml"
    SavePos     FALSE
    ReadFromLast FALSE
    InputType   multiline
    <Exec>
        # Discard everything that doesn't seem to be an xml event
        if $raw_event !~ /^<event>/ drop();

        # Parse the xml event
        parse_xml(); to_syslog_ietf();

        # Rewrite some fields
        $EventTime = parsedate($timestamp);
        delete($timestamp);
        delete($EventReceivedTime);

        # Convert to JSON
        to_json();
    </Exec>
</Input>

<Output out>
    Module      om_file
    File        "%ROOT%/out.log"
    Exec        parse_xml();
    Exec        log_info("FIELD" + to_json());
</Output>

<Route 1>
    Path        in => out
</Route>
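The step the post is stuck on is that python-evtx's XML carries most of the useful data in element attributes (`Provider Name=...`, `TimeCreated SystemTime=...`, `Execution ProcessID=...`, `Data Name=...`), so a parser that only reads element text loses them. The script below is an added example, not code from the post or from NXLog: it flattens each `<Event>` into a dict where attributes become `Tag.Attr` keys, then writes one RFC 5424 (IETF syslog) line per event, mapping the Windows `Level` to a syslog severity and carrying every field in a structured-data block. It assumes python-evtx's output shape (an `<Events>` wrapper, the standard Windows event namespace, and `SystemTime` written as `YYYY-MM-DD HH:MM:SS.ffffff` in UTC); the two events in `SAMPLE_XML` are constructed, and `win@32473` uses the enterprise number reserved for documentation.

```python
"""Flatten python-evtx XML (attributes included) and emit RFC 5424 syslog lines.

Added example, not part of the original post or of NXLog. SAMPLE_XML is
constructed to mimic python-evtx's evtx_dump.py output.
"""
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
FACILITY_USER = 1
SD_ID = "win@32473"  # 32473 = enterprise number reserved for documentation (RFC 5612)
# Windows Level -> syslog severity: 0 LogAlways, 1 Critical, 2 Error, 3 Warning, 4 Info, 5 Verbose
LEVEL_TO_SEVERITY = {0: 6, 1: 2, 2: 3, 3: 4, 4: 6, 5: 7}

SAMPLE_XML = """<?xml version="1.0" encoding="utf-8" standalone="yes" ?>
<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
<EventID Qualifiers="">4624</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12544</Task>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2021-03-14 04:17:43.354563"></TimeCreated>
<EventRecordID>1042</EventRecordID>
<Execution ProcessID="584" ThreadID="640"></Execution>
<Channel>Security</Channel>
<Computer>WKS01.example.local</Computer>
</System>
<EventData>
<Data Name="TargetUserName">alice</Data>
<Data Name="LogonType">2</Data>
<Data Name="IpAddress">127.0.0.1</Data>
</EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager"></Provider>
<EventID Qualifiers="49152">7000</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2021-03-14 04:18:01.000000"></TimeCreated>
<EventRecordID>7</EventRecordID>
<Execution ProcessID="0" ThreadID="0"></Execution>
<Channel>System</Channel>
<Computer>WKS01.example.local</Computer>
</System>
<EventData>
<Data Name="param1">Example Service</Data>
<Data Name="param2">%%1053</Data>
</EventData>
</Event>
</Events>
"""


def flatten_event(event):
    """Turn one <Event> into a flat dict; attributes become 'Tag.Attr' keys."""
    fields = {}
    for child in event.find(NS + "System"):
        tag = child.tag.replace(NS, "")
        text = (child.text or "").strip()
        if text:
            fields[tag] = text
        for attr, value in child.attrib.items():
            if value:
                fields[f"{tag}.{attr}"] = value
    data = event.find(NS + "EventData")
    if data is not None:
        for i, d in enumerate(data.findall(NS + "Data")):
            fields["EventData." + (d.get("Name") or f"Data{i}")] = (d.text or "").strip()
    return fields


def to_rfc3339(system_time):
    """python-evtx writes SystemTime as 'YYYY-MM-DD HH:MM:SS.ffffff' in UTC (assumption)."""
    m = re.fullmatch(r"(\d{4}-\d{2}-\d{2})[ T](\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?)Z?", system_time)
    return f"{m.group(1)}T{m.group(2)}Z" if m else "-"


def sd_name(key):
    """RFC 5424 PARAM-NAME: printable ASCII, no '=', space, ']' or '"', max 32 chars."""
    return re.sub(r'[^\x21-\x7e]|[=\]"]', "_", key)[:32]


def sd_value(value):
    """RFC 5424 PARAM-VALUE escaping."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def to_syslog_ietf(fields, facility=FACILITY_USER):
    """Render a flattened event as one RFC 5424 line."""
    severity = LEVEL_TO_SEVERITY.get(int(fields.get("Level", "4")), 6)
    pri = facility * 8 + severity
    timestamp = to_rfc3339(fields.get("TimeCreated.SystemTime", ""))
    hostname = fields.get("Computer", "-")
    appname = fields.get("Provider.Name", "-").replace(" ", "_")[:48]
    procid = fields.get("Execution.ProcessID", "-")
    msgid = fields.get("EventID", "-")
    params = " ".join(f'{sd_name(k)}="{sd_value(v)}"' for k, v in sorted(fields.items()))
    structured_data = f"[{SD_ID} {params}]"
    # EVTX XML has no rendered message text, so build MSG from the EventData values.
    data = "; ".join(f"{k.split('.', 1)[1]}={v}" for k, v in fields.items() if k.startswith("EventData."))
    msg = f"EventID {msgid} from {fields.get('Channel', '-')}" + (f": {data}" if data else "")
    return f"<{pri}>1 {timestamp} {hostname} {appname} {procid} {msgid} {structured_data} {msg}"


def convert(xml_text):
    """Parse a python-evtx dump and return one syslog line per <Event>."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return [to_syslog_ietf(flatten_event(e)) for e in root.iter(NS + "Event")]


if __name__ == "__main__":
    for line in convert(SAMPLE_XML):
        print(line)
```

Run it against a real dump with `convert(open("System.xml").read())`; the Security event comes out with PRI 14 (user.info) and the Service Control Manager error with PRI 11 (user.err), and every attribute the original config lost (`Provider.Guid`, `EventID.Qualifiers`, `Execution.ThreadID`, ...) survives in the `[win@32473 ...]` block where a syslog receiver can filter on it.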