Reading a .evtx file on a windows machine


Srijan Nandi

Nov 23, 2022, 2:49:20 PM
to Wazuh mailing list
Hello All,

Trying to get a .evtx file read by Wazuh. It seems that both the eventchannel way and the syslog way are not working.

I tried converting the .evtx file to a .txt file and tried reading it from a Linux machine. The option only-future-events does not work, and you will have to create the file in real time for Wazuh to read it.

My goal is to read the .evtx file on a Windows machine the eventchannel way so that it can do some forensics on it.

Thanks and Regards,
-=Srijan Nandi

Mauricio Ruben Santillan

Nov 23, 2022, 4:40:22 PM
to Wazuh mailing list
Hello!

Thanks for being part of the Wazuh community!

Not long ago I tried to ingest exported Windows Events from "Event Viewer", but since .evtx files are not clear-text files, they can't be ingested using Wazuh's logcollector feature.

A workaround you could apply here is to export the events into a different format (csv, txt or xml), then create custom decoders and rules for them (Wazuh's default decoders and rules for Windows events won't work for them).

Keep in mind that the resulting alerts won't look the same as your current Windows Events, nor will they have the same rule ID.

You may find information about how log collection works here: https://documentation.wazuh.com/4.0/user-manual/capabilities/log-data-collection/how-to-collect-wlogs.html

I hope this helps!
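One way to prepare an Event Viewer XML export for the custom-decoder workaround described above, as an added example that is not part of the thread or of the Wazuh project: the script below flattens each exported <Event> into one JSON object per line, which a custom rule can then match on by field name. It assumes the export was made with Event Viewer's "Save As" in XML format (records in the Windows event schema namespace, wrapped in an <Events> root), and that the resulting file is read by logcollector with <log_format>json</log_format>; the sample records are constructed.

```python
"""Flatten an Event Viewer XML export into JSON lines for custom Wazuh rules.

Added example (not from the thread or the Wazuh project). Assumes the
export format written by Event Viewer's "Save As" -> XML: an <Events>
root holding one <Event> per record in the Windows event schema namespace.
"""
import json
import xml.etree.ElementTree as ET

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}

# Constructed sample export with two records (not real events).
SAMPLE_EXPORT = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4625</EventID><Channel>Security</Channel>
    <TimeCreated SystemTime="2022-11-23T10:00:00.000Z"/>
    <Computer>WKS01.example.local</Computer></System>
  <EventData><Data Name="TargetUserName">alice</Data>
    <Data Name="IpAddress">10.0.0.5</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID><Channel>Security</Channel>
    <TimeCreated SystemTime="2022-11-23T10:01:00.000Z"/>
    <Computer>WKS01.example.local</Computer></System>
  <EventData><Data Name="TargetUserName">bob</Data>
    <Data Name="LogonType">10</Data></EventData>
</Event>
</Events>"""


def event_to_record(event):
    """Flatten one <Event>: fixed System fields plus every named EventData item."""
    system = event.find("e:System", NS)
    record = {
        "provider": system.find("e:Provider", NS).get("Name"),
        "event_id": int(system.findtext("e:EventID", namespaces=NS)),
        "channel": system.findtext("e:Channel", namespaces=NS),
        "time_created": system.find("e:TimeCreated", NS).get("SystemTime"),
        "computer": system.findtext("e:Computer", namespaces=NS),
    }
    for data in event.findall("e:EventData/e:Data", NS):
        if data.get("Name"):  # unnamed <Data> items carry no usable key
            record[data.get("Name")] = (data.text or "").strip()
    return record


def parse_export(xml_text):
    """Return one flat dict per record; accepts an <Events> root or a lone <Event>."""
    root = ET.fromstring(xml_text)
    events = [root] if root.tag == "{%s}Event" % EVT_NS else root.findall("e:Event", NS)
    return [event_to_record(ev) for ev in events]


def export_to_json_lines(xml_text):
    """One JSON object per line, the shape logcollector's json format expects."""
    return [json.dumps(rec, sort_keys=True) for rec in parse_export(xml_text)]


if __name__ == "__main__":
    print("\n".join(export_to_json_lines(SAMPLE_EXPORT)))
```

Write the output to the file your ossec.conf localfile entry points at; a custom rule can then use <field name="event_id">4625</field> and <field name="TargetUserName"> to alert on the flattened values.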

