onetime load of windows event file
Posted: Tue Dec 03, 2019 8:32 am
by billy_strath
What is the best way to upload a Windows archived event file one time (i.e. I have a copy of security.evtx from a machine and I want to upload it to analyse it better)? Is that using NXLog and pointing to the file, or using shipper.py?
Re: onetime load of windows event file
Posted: Tue Dec 03, 2019 4:53 pm
by cdienger
NXLog only seems to support uploading evtx files if you're using the Enterprise edition:
https://nxlog.co/products/additional-fe ... se-edition
It can still be used to upload the file if you're able to save the logs in a text format (CSV, for example). This method and using shipper would require some custom filters on the NLS side of things to make sure things were parsed correctly. I can look into this and get back to you, as I think others would find it useful as well. If you're inclined to delve into this a bit more on your end, I suspect both
https://assets.nagios.com/downloads/nag ... ilters.pdf and
https://assets.nagios.com/downloads/nag ... -Files.pdf will be handy in setting this up.
Re: onetime load of windows event file
Posted: Wed Dec 04, 2019 9:54 am
by billy_strath
Thanks. If I save as CSV I don't get all the rich info in the details of the event, so I think I have to look at the Enterprise version of NXLog. Bit of a shame.
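As an added example (not from any of the forum posters), the following PowerShell exports an archived Security.evtx to newline-delimited JSON, keeping the per-event EventData fields that a plain CSV export drops; the input and output paths are assumptions.

```powershell
# Added example: convert an archived Security.evtx into one JSON object per line,
# flattening the <EventData><Data Name="..."> fields so they survive the text export.
# The paths below are assumed; point them at your own copy of the file.
param(
    [string]$EvtxPath = 'C:\cases\host01\Security.evtx',   # assumed: copied .evtx
    [string]$OutPath  = 'C:\cases\host01\Security.ndjson'  # assumed: NDJSON output
)

$eventNs = 'http://schemas.microsoft.com/win/2004/08/events/event'

Get-WinEvent -Path $EvtxPath -Oldest | ForEach-Object {
    $xml = [xml]$_.ToXml()
    $nsm = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $nsm.AddNamespace('e', $eventNs)

    # Flatten EventData so fields such as TargetUserName or LogonType become
    # individual keys rather than being buried inside the rendered message.
    $data = @{}
    $i = 0
    foreach ($d in $xml.SelectNodes('//e:EventData/e:Data', $nsm)) {
        $key = $d.GetAttribute('Name')
        if (-not $key) { $key = "Data$i" }   # unnamed <Data> elements keep a positional key
        $data[$key] = $d.InnerText
        $i++
    }

    [pscustomobject]@{
        TimeCreated = $_.TimeCreated.ToUniversalTime().ToString('o')
        EventID     = $_.Id
        Channel     = $_.LogName
        Computer    = $_.MachineName
        Provider    = $_.ProviderName
        RecordId    = $_.RecordId
        # Message is rendered from the provider's message DLL; on an analysis box that
        # lacks the provider it can be empty, which is why EventData is exported separately.
        Message     = $_.Message
        EventData   = $data
    } | ConvertTo-Json -Compress -Depth 4
} | Set-Content -Path $OutPath -Encoding UTF8
```

The resulting file can be picked up with NXLog's im_file input and parsed with xm_json, or sent with shipper.py, with the NLS-side filter keyed to these field names as cdienger describes.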
Re: onetime load of windows event file
Posted: Wed Dec 04, 2019 10:07 am
by scottwilkerson
If this is a one-off, you can request a trial of the EE of NXLog that may be long enough for you to get this ingested:
https://nxlog.co/products/nxlog-enterprise-edition