Table of Contents
- Introduction
- Deployment
- Configuration
- OS Support
- Integration
- 42. Amazon Web Services (AWS)
- 43. Apache HTTP Server
- 44. Apache NiFi
- 45. Apache Tomcat
- 46. APC Automatic Transfer Switch
- 47. Apple macOS kernel
- 48. ArcSight Common Event Format (CEF)
- 49. Box
- 50. Brocade switches
- 51. Browser History Logs
- 52. Check Point
- 53. Cisco ACS
- 54. Cisco ASA
- 55. Cisco FireSIGHT
- 56. Cisco IPS
- 57. Cloud Instance Metadata
- 58. Common Event Expression (CEE)
- 59. Dell EqualLogic
- 60. Dell iDRAC
- 61. Dell PowerVault MD series
- 62. Devo
- 63. DHCP logs
- 64. DNS Monitoring
- 65. Docker
- 66. Elasticsearch and Kibana
- 67. F5 BIG-IP
- 68. File Integrity Monitoring
- 69. FreeRADIUS
- 70. Google Chronicle
- 71. Graylog
- 72. HP ProCurve
- 73. IBM QRadar SIEM
- 74. Industrial Control Systems
- 75. Linux Audit System
- 76. Linux system logs
- 77. Log Event Extended Format (LEEF)
- 78. Logstash
- 79. McAfee Enterprise Security Manager (ESM)
- 80. McAfee ePolicy Orchestrator
- 81. Microsoft Active Directory Domain Controller
- 82. Microsoft Azure
- 83. Microsoft Azure Event Hubs
- 84. Microsoft Azure Sentinel
- 85. Microsoft Exchange
- 86. Microsoft IIS
- 87. Microsoft SharePoint
- 88. Microsoft SQL Server
- 89. Microsoft System Center Endpoint Protection
- 90. Microsoft System Center Configuration Manager
- 91. Microsoft System Center Operations Manager
- 92. MongoDB
- 93. Nagios Log Server
- 94. Nessus Vulnerability Scanner
- 95. NetApp
- 96. .NET application logs
- 97. Nginx
- 98. Okta
- 99. Oracle Database
- 100. Osquery
- 101. Postfix
- 102. Promise
- 103. Raijin Database Engine
- 104. Rapid7 InsightIDR SIEM
- 105. RSA NetWitness
- 106. SafeNet KeySecure
- 107. Salesforce
- 108. Snare
- 109. Snort
- 110. Solarwinds Loggly
- 111. Splunk
- 112. Sumo Logic
- 113. Symantec Endpoint Protection
- 114. Synology DiskStation
- 115. Syslog
- 116. Sysmon
- 117. Ubiquiti UniFi
- 118. VMware vCenter
- 119. Windows AppLocker
- 120. Windows Command Line Auditing
- 121. Windows Event Log
- 122. Windows Firewall
- 123. Windows Group Policy
- 124. Windows Management Instrumentation (WMI)
- 125. Windows PowerShell
- 126. Microsoft Windows Update
- 127. Windows USB auditing
- 128. Zeek (formerly Bro) Network Security Monitor
- Troubleshooting
- Enterprise Edition Reference Manual
- NXLog Manager
- NXLog Add-Ons
121.6. Processing EVTX files on Linux
EVTX files collected from Windows systems can be processed on Linux with NXLog by using an external script.
Example 569. Reading EVTX files using Python
This example configuration uses the im_python module to execute a script and formats the events to JSON. The Python script uses the python-evtx module to read the events from the EVTX file.
nxlog.conf ![[Download file]](images/icons/download_icon.png "Download file")
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
<Extension xml>
Module xm_xml
</Extension>
<Extension json>
Module xm_json
</Extension>
<Input evtx>
Module im_python
PythonCode /opt/nxlog/etc/process_evtx.py
<Exec>
parse_windows_eventlog_xml($Message);
delete($Message);
to_json();
</Exec>
</Input>
process_evtx.py
import Evtx.Evtx as evtx
import Evtx.Views as e_views
import nxlog
def read_data(module):
nxlog.log_debug('Starting Processing EVTX')
with evtx.Evtx('/tmp/security.evtx') as log:
for record in log.records():
event = module.logdata_new()
event.set_field('Message', record.xml())
event.post()Output sample
{
"EventReceivedTime": "2020-11-19T18:47:06.548281+01:00",
"SourceModuleName": "evtx",
"SourceModuleType": "im_python",
"SourceName": "Microsoft-Windows-Security-Auditing",
"ProviderGuid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"EventID": 5379,
"Version": 0,
"LevelValue": 0,
"TaskValue": 13824,
"OpcodeValue": 0,
"Keywords": "0x8020000000000000",
"EventTime": "2020-11-19T17:36:15.751457+01:00",
"RecordNumber": 342859,
"ActivityID": "{d9a2c36d-bc3e-0003-83c3-a2d93ebcd601}",
"ExecutionProcessID": 872,
"ExecutionThreadID": 956,
"Channel": "Security",
"Hostname": "PC1",
"SubjectUserSid": "S-1-5-21-774634756-2905300177-2392840219-1003",
"SubjectUserName": "John",
"SubjectDomainName": "PC1",
"SubjectLogonId": "0x00000000000ccd46",
"TargetName": "MicrosoftOffice*",
"Type": "0",
"CountOfCredentialsReturned": "1",
"ReadOperation": "%%8100",
"ReturnCode": "0",
"ProcessCreationTime": "2020-11-16 17:36:12.644609",
"ClientProcessId": "12088",
"EventType": "AUDIT_SUCCESS",
"SeverityValue": 2,
"Severity": "INFO"
}|
Note
|
Sometimes events from the Windows Event Log contain values which need to be resolved using an external reference. Processing EVTX files using the python-evtx library may result in some events containing unresolved values. |