evtx2json
A tool that converts Windows evtx files (Windows Event Log files) into JSON and can optionally forward the resulting events to Splunk through its HTTP Event Collector (HEC).
Disclaimer
This fork is intended to be a better version of the original evtx2json's code, but also is intended for me to learn Python. So, THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND.
Installation
git clone https://github.com/vavarachen/evtx2json
cd evtx2json
pip install --user --requirement requirements.txt
Help
$ python evtx2json.py -h
usage: evtx2json.py [--help] [--loglevel {0,10,20,30,40,50}]
                    [--disable_json_tweaks] [--splunk] [--host HOST]
                    [--token TOKEN] [--port PORT] [--proto {http,https}]
                    [--index INDEX] [--source SOURCE]
                    [--sourcetype SOURCETYPE] [--verify]
                    {process_files,process_folder} ...

Convert Windows evtx files to JSON

positional arguments:
  {process_files,process_folder}

optional arguments:
  --help, -h            This help message.
  --loglevel {0,10,20,30,40,50}, -v {0,10,20,30,40,50}
                        Log level
  --disable_json_tweaks
                        Skip customization to time, host, source etc. json
                        fields

Splunk Integration:
  Send JSON output to Splunk

  --splunk              Send JSON output to Splunk
  --host HOST           Splunk host with HEC listener
  --token TOKEN         HEC Token
  --port PORT           Splunk HEC listener port
  --proto {http,https}  Splunk HEC protocol
  --index INDEX         Splunk Index
  --source SOURCE       Event Source. NOTE: Computer name in evtx will
                        overwrite this value
  --sourcetype SOURCETYPE
                        Event Sourcetype
  --verify              SSL certificate verification
process_files module
$ python evtx2json.py process_files --help
usage: evtx2json.py process_files [-h] --files FILES [FILES ...]

optional arguments:
  -h, --help            show this help message and exit

Process evtx files:
  --files FILES [FILES ...], -f FILES [FILES ...]
                        evtx file
process_folder module
$ python evtx2json.py process_folder -h
usage: evtx2json.py process_folder [-h] --folder FOLDER

optional arguments:
  -h, --help            show this help message and exit

Process folder containing evtx files:
  --folder FOLDER       Folder containing evtx files
Usage
Process evtx file(s)
python evtx2json.py process_files --files file1.evtx file2.evtx folder/*.evtx
Process multiple evtx files in a folder
python evtx2json.py process_folder --folder /path/to/evtx_folder
File Output
python evtx2json.py process_files --files file1.evtx --output /home/user/folder/
The value of --output must be a folder. Each output file keeps the name of its input file, with the .evtx extension replaced by .json.
Enable logging to Splunk
python evtx2json.py --splunk --host splunkfw.domain.tld --port 8888 --token BEA33046C-6FEC-4DC0-AC66-4326E58B54C3 \
process_files -f samples/*.evtx
Enable logging to Splunk but disable JSON modifications
python evtx2json.py --splunk --host splunkfw.domain.tld --port 8888 --token BEA33046C-6FEC-4DC0-AC66-4326E58B54C3 \
--disable_json_tweaks process_files -f samples/*.evtx
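The help text above says the "JSON tweaks" set the time, host and source fields from the event itself (with the evtx Computer name overwriting any --source value), that --disable_json_tweaks skips this, and that file output keeps the input name with .evtx swapped for .json. The following is an added example, not evtx2json's own code, that shows what those rules amount to: it wraps one converted record in a Splunk HEC envelope, prepares (but does not send) the HEC request, and derives the output path. The nested "Event"/"System" layout of the record, the field names, the sample record and the PLACEHOLDER-HEC-TOKEN value are all assumptions made for the example; the tool's real internal structure may differ.

```python
"""Added example (not evtx2json's own code): build the Splunk HEC envelope that the
documented JSON tweaks imply, prepare the HEC request, and derive the .json output path.

Assumption (not from the page): records are dicts shaped like {"Event": {"System": {...},
"EventData": {...}}}, roughly what an XML-to-JSON conversion of an evtx record yields.
"""
import json
from datetime import datetime, timezone
from pathlib import PurePosixPath
from typing import Optional

HEC_ENDPOINT = "/services/collector/event"  # Splunk's HEC event endpoint


def evtx_time_to_epoch(system_time: str) -> float:
    """Convert an evtx TimeCreated/SystemTime value (ISO 8601, UTC 'Z' suffix, up to
    7 fractional digits from the 100 ns FILETIME resolution) to a Unix epoch float.
    strptime's %f accepts at most 6 digits, so the fraction is truncated to microseconds."""
    ts = system_time.rstrip("Z")
    if "." in ts:
        whole, frac = ts.split(".", 1)
        ts = f"{whole}.{frac[:6]}"
        fmt = "%Y-%m-%dT%H:%M:%S.%f"
    else:
        fmt = "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc).timestamp()


def build_hec_event(record: dict, sourcetype: str, index: Optional[str] = None,
                    source: Optional[str] = None, disable_json_tweaks: bool = False) -> dict:
    """Wrap one converted evtx record in a HEC envelope.
    Tweaks enabled: time/host/source come from the record, and the Computer name
    overwrites any --source value (the NOTE in the help text).
    Tweaks disabled: the record is forwarded as-is and Splunk assigns time and host."""
    envelope = {"sourcetype": sourcetype, "event": record}
    if index:
        envelope["index"] = index
    if disable_json_tweaks:
        if source:
            envelope["source"] = source
        return envelope
    system = record["Event"]["System"]
    envelope["time"] = evtx_time_to_epoch(system["TimeCreated"]["SystemTime"])
    envelope["host"] = system["Computer"]
    envelope["source"] = system["Computer"]  # overrides --source, as documented
    return envelope


def hec_request(proto: str, host: str, port: int, token: str, envelope: dict) -> dict:
    """Return the URL, headers and JSON body for one HEC POST without sending it."""
    return {
        "url": f"{proto}://{host}:{port}{HEC_ENDPOINT}",
        "headers": {"Authorization": f"Splunk {token}",
                    "Content-Type": "application/json"},
        "body": json.dumps(envelope),
    }


def json_output_path(evtx_path: str, output_folder: str) -> str:
    """<folder>/file1.evtx with --output <out> becomes <out>/file1.json."""
    return (PurePosixPath(output_folder) / (PurePosixPath(evtx_path).stem + ".json")).as_posix()


# Constructed sample record for the example; not taken from a real log.
SAMPLE_RECORD = {
    "Event": {
        "System": {
            "Provider": {"Name": "Microsoft-Windows-Security-Auditing"},
            "EventID": 4624,
            "TimeCreated": {"SystemTime": "2019-03-01T12:34:56.1234567Z"},
            "Computer": "WORKSTATION01.example.local",
        },
        "EventData": {"TargetUserName": "alice", "LogonType": 2},
    }
}

if __name__ == "__main__":
    env = build_hec_event(SAMPLE_RECORD, sourcetype="evtx2json",
                          index="winevents", source="cli-source")
    # PLACEHOLDER-HEC-TOKEN stands in for a real HEC token.
    req = hec_request("https", "splunkfw.domain.tld", 8088, "PLACEHOLDER-HEC-TOKEN", env)
    print(req["url"])
    print(json.dumps(env, indent=2))
    print(json_output_path("folder/file1.evtx", "/home/user/folder/"))
```

Running the block prints the HEC URL, the envelope with time, host and source populated from the record (the "cli-source" value passed as --source is replaced by the Computer name), and the derived output path. Passing disable_json_tweaks=True keeps the caller's source value and leaves time and host for Splunk to assign, which is the behaviour the --disable_json_tweaks examples above produce.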