json output

Question

json output

geekscrapy opened this issue 7 years ago · 3 comments

How would you go about getting json output? Just looking to dump the events to json for easy ingest into logstash

Answer 1 · 2018-01-11T05:41:19.000Z

I'd probably render to the XML format, and then translate to JSON from there. Under the hood, the EVTX format represents XML, so while there may be ways to pull out a JSON document file structure more directly, working with an EVTX file as if it were XML is a better way to think about it.

Its a little bit annoying that the different EVTX event types have all sorts of different schemas. But, I think you can cover the common cases with a small amount of work. This will definitely be sufficient to get data into logstash.

Answer 2 · 2018-02-09T17:08:44.000Z

closing this issue due to lack of activity. please re-open if you have further questions!

Answer 3 · 2019-01-26T17:13:54.000Z

Leaving this here for future queries. In the end I basically did this:

https://dragos.com/blog/industry-news/evtxtoelk-a-python-module-to-load-windows-event-logs-into-elasticsearch/