evtx2splunk

Ingest EVTX files into a Splunk instance.

This tool is based on the work of:

Thanks to Ekto for their contribution.

Key features

Note: evtx2splunk first converts each EVTX file to JSON and stores the result in a temporary location.
Up to the combined size of the source EVTX files can therefore be written to disk during a run. These files are removed at the end of the process unless keep_cache is enabled.

Installation

Using a venv is recommended to avoid dependency conflicts. Python 3.7 or later is required.

  1. Clone the repo: git clone https://github.com/whikernel/evtx2splunk.git && cd evtx2splunk
  2. Install the requirements: pip3 install -r ./requirements.txt
  3. Copy the sample configuration: cp env.sample .env, then fill in your Splunk settings (see Configuration). The file holds an admin credential, so restrict its permissions (chmod 600 .env) and keep it out of version control.
  4. Enable HEC on the Splunk server (see Configuration)
  5. Run evtx2splunk :-)

Usage

Ingest a folder of EVTX files into the case_0001 index:

# Default
python3 evtx2splunk.py --input /data/evtx/folder --index case_0001

# Keep the JSON cache after ingestion
python3 evtx2splunk.py --input /data/evtx/folder --index case_0001 --keep_cache

# Reuse an existing cache and keep it
python3 evtx2splunk.py --input /data/evtx/folder --index case_0001 --keep_cache --use_cache

# Disable message resolution
python3 evtx2splunk.py --input /data/evtx/folder --index case_0001 --no_resolve

# Generate the JSON message file used by the resolver from winevt-kb.db
python3 build_resolver.py -d winevt-kb.db
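What the conversion step in the note above and the --no_resolve option actually amount to, shown on a single record. This is an added example and not evtx2splunk's own code: the sample event, the message table standing in for the file built from winevt-kb.db, and the sourcetype name `evtx:json` are all constructed here; only the EVTX XML layout, the Windows %1..%n insertion-string convention and the HEC envelope fields are real.

```python
"""Added example, not evtx2splunk's own code: one EVTX record rendered to XML,
flattened to JSON, given a resolved message, and wrapped in the HEC envelope.
The sample event, message table and sourcetype name are all constructed."""
import json
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Dict, List, Optional

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed 4624-style record in the XML form an EVTX parser renders.
SAMPLE_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2023-04-01T10:15:30.1234567Z"/>
    <Channel>Security</Channel>
    <Computer>WS01.corp.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">alice</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="IpAddress">10.0.0.5</Data>
  </EventData>
</Event>"""

# Constructed stand-in for the message file built from winevt-kb.db (its real
# layout is not shown on the page). Windows templates number their insertion
# strings %1..%n in EventData order.
MESSAGE_TABLE: Dict[tuple, str] = {
    ("Microsoft-Windows-Security-Auditing", 4624):
        "An account was successfully logged on. Account: %2\\%1 "
        "Logon Type: %3 Source Network Address: %4",
}


def systemtime_to_epoch(value: str) -> float:
    """SystemTime is UTC with up to seven fractional digits; strptime takes six."""
    base, _, frac = value.rstrip("Z").partition(".")
    dt = datetime.strptime(f"{base}.{(frac + '000000')[:6]}", "%Y-%m-%dT%H:%M:%S.%f")
    return dt.replace(tzinfo=timezone.utc).timestamp()


def evtx_record_to_dict(xml_text: str) -> dict:
    """Flatten the System block and the named EventData fields into one dict."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    record = {
        "Provider": system.find("e:Provider", NS).get("Name"),
        "EventID": int(system.findtext("e:EventID", namespaces=NS)),
        "TimeCreated": system.find("e:TimeCreated", NS).get("SystemTime"),
        "Channel": system.findtext("e:Channel", namespaces=NS),
        "Computer": system.findtext("e:Computer", namespaces=NS),
        "EventData": {},
    }
    event_data = root.find("e:EventData", NS)
    if event_data is not None:
        for i, data in enumerate(event_data.findall("e:Data", NS), start=1):
            name = data.get("Name") or f"Data{i}"  # unnamed Data gets a positional key
            record["EventData"][name] = (data.text or "").strip()
    return record


def resolve_message(record: dict, table: Dict[tuple, str] = MESSAGE_TABLE) -> Optional[str]:
    """Fill the provider's template with the record's insertion strings. Returns
    None for an unknown (provider, EventID), which is what --no_resolve yields for all."""
    template = table.get((record["Provider"], record["EventID"]))
    if template is None:
        return None
    inserts: List[str] = list(record["EventData"].values())
    def fill(match):
        idx = int(match.group(1)) - 1
        return inserts[idx] if 0 <= idx < len(inserts) else match.group(0)
    return re.sub(r"%(\d+)", fill, template)


def to_hec_event(record: dict, index: str, source: str, resolve: bool = True) -> dict:
    """Wrap one record for POST /services/collector/event. Time and host sit in the
    envelope so Splunk indexes the event's own timestamp, not the ingestion time."""
    event = dict(record)
    if resolve:
        message = resolve_message(record)
        if message is not None:
            event["Message"] = message
    return {
        "time": systemtime_to_epoch(record["TimeCreated"]),
        "host": record["Computer"],
        "source": source,
        "sourcetype": "evtx:json",  # assumed name, not the tool's own sourcetype
        "index": index,
        "event": event,
    }


if __name__ == "__main__":
    hec = to_hec_event(evtx_record_to_dict(SAMPLE_XML), "case_0001", "Security.evtx")
    print(json.dumps(hec, indent=2))
```

The printed object is what one record looks like on the wire; the tool's real cache layout and field names may differ. Sending it is a single HTTPS POST to `https://<host>:8088/services/collector/event` with an `Authorization: Splunk <token>` header, and HEC accepts several such objects concatenated in one request body, which is why batching whole files from the JSON cache is cheap.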

Options

Configuration

The environment variables in .env are:

SPLUNK_URL = Hostname or IP of the Splunk server, without a scheme (no http:// or https://), for instance `localhost` or `mydomain.com`
SPLUNK_PORT = Splunk web port, 8000 by default (currently unused by the script)
SPLUNK_MPORT = Splunk management port, 8089 by default
SPLUNK_SSL = If set to True, the server's TLS certificate is verified. Set it to False only for self-signed certificates on lab instances: with verification off, the credentials below are sent to whatever answers for that hostname.
SPLUNK_USER = Splunk user with the rights to make configuration changes (create HEC tokens, indexes, etc.)
SPLUNK_PASS = Password for that user

HEC also has to be enabled on Splunk before use: Settings > Data Inputs > HTTP Event Collector > Global Settings > All Tokens: Enabled
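A pre-flight check for the .env described above, added here as an example and not part of evtx2splunk. It reads the six variables, catches the scheme-in-SPLUNK_URL mistake the description warns about, and refuses to treat SPLUNK_SSL=False as harmless for anything but a local instance. The .env content and the local-host allow list are constructed; only the variable names come from the page.

```python
"""Added example, not part of evtx2splunk: parse the .env described above and
flag the settings that usually break a first run or quietly weaken it."""
import re
from typing import Dict, List, Tuple

# Constructed .env with two deliberate problems: a scheme in SPLUNK_URL and
# certificate checking disabled for a non-local server.
SAMPLE_ENV = """
# Splunk connection
SPLUNK_URL = https://splunk.lab.local/
SPLUNK_PORT = 8000
SPLUNK_MPORT = 8089
SPLUNK_SSL = False
SPLUNK_USER = svc_evtx2splunk
SPLUNK_PASS = "hunter2 with spaces"
"""

_LINE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_dotenv(text: str) -> Dict[str, str]:
    """KEY = value lines; '#' comments and blank lines are ignored; a value
    wrapped in matching quotes is unquoted."""
    env: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparseable .env line: {line!r}")
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env


def check_settings(env: Dict[str, str]) -> Tuple[dict, List[str]]:
    """Normalise the connection settings and collect warnings. Returns
    (settings, warnings); an empty warning list means the file is usable as is."""
    warnings: List[str] = []
    host = env.get("SPLUNK_URL", "").strip()
    if "://" in host:
        # The script expects a bare host; a scheme makes the management URL malformed.
        host = host.split("://", 1)[1]
        warnings.append("SPLUNK_URL must not include http:// or https://; using the host part")
    host = host.rstrip("/")
    if not host:
        warnings.append("SPLUNK_URL is empty")
    verify_tls = env.get("SPLUNK_SSL", "True").strip().lower() in ("1", "true", "yes")
    if not verify_tls and host not in ("localhost", "127.0.0.1", "::1"):
        # Without verification the admin credential goes to whoever answers for the host.
        warnings.append(f"SPLUNK_SSL=False: the certificate of {host} is not checked, "
                        "so SPLUNK_USER/SPLUNK_PASS can be captured by a spoofed server")
    for key in ("SPLUNK_USER", "SPLUNK_PASS"):
        if not env.get(key):
            warnings.append(f"{key} is not set")
    mport = int(env.get("SPLUNK_MPORT", "8089"))
    settings = {
        "host": host,
        "management_port": mport,
        "verify_tls": verify_tls,
        "management_url": f"https://{host}:{mport}",  # splunkd on 8089 speaks HTTPS by default
        "user": env.get("SPLUNK_USER", ""),
    }
    return settings, warnings


if __name__ == "__main__":
    settings, warnings = check_settings(parse_dotenv(SAMPLE_ENV))
    print(settings["management_url"], "verify_tls=%s" % settings["verify_tls"])
    for w in warnings:
        print("WARNING:", w)
```

Run it against your own .env before the first ingestion; the SSL warning is the one worth acting on, since the management API call that creates the HEC token carries the SPLUNK_USER password.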

Improvements to come