nurbolat.tazhke Absent Member.

read from multiple .evtx file


Hi Guys,

I have multiple (around 300) .evtx files (Security, System, Application). Now I want to read these files, transfer the data to ESM and do further analytics on it. As far as I know, there is no standard SmartConnector for this purpose.

Can someone suggest, what will be the best way to perform this task?

Thanks in advance.

Regards, Nurbolat

amitsurya1 Respected Contributor.

Re: read from multiple .evtx file

Hi Nurbolat,

SmartConnector for Microsoft Windows (Native or Unified) does this for you!

System, Security and Application logs (except nested ones) can be parsed with this connector.

nurbolat.tazhke Absent Member.

Re: read from multiple .evtx file

Thanks, Amit, for your reply. I'm wondering in which step I can enter the parameters of the log (the path)?

I have my .evtx logs under: c:\allevtlogs\

There are 300 of them: 192.168.1.2_security.evtx, 192.168.1.2_application.evtx, 192.168.1.2_system.evtx, 192.168.1.3_security.evtx, 192.168.1.3_application.evtx, 192.168.1.3_system.evtx, 192.168.1.4_security.evtx, 192.168.1.4_application.evtx, 192.168.1.4_system.evtx and ... 293 more files.

I need to read from all of them and send the events to ESM.

amitsurya1 Respected Contributor.

Re: read from multiple .evtx file

Nurbolat,

In this case, you will have to do the following things:

1. Convert the .evtx files to CSV.

2. Deploy a delimited FlexConnector with , (comma) as the delimiter.

How to convert/export from .evtx to CSV?

Visit https://www.experts-exchange.com/questions/27706818/Convert-Mulitple-Windows-EVTX-files-to-CSV-format.html and look at the accepted solution.

A PowerShell script is to be created and used.

How to develop and deploy a FlexConnector for delimited log files?

Use flexagentwizard (refer to the FlexConnector Developer's Guide) and create your own FlexAgent file.

Deploy the developed FlexAgent using the "ArcSight FlexConnector Multiple Folder File" connector.

You will then be able to parse the events from CSV into the desired ArcSight solution for analysis.

Note: As you will be using a custom parser, the parsing will not be the same as normal Windows event parsing in ArcSight.

Regards,

Amit
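
The two steps above (bulk .evtx to CSV, then a delimited FlexConnector) as an added worked example; this is not code from the thread or from the Experts Exchange answer Amit links, and it is not an ArcSight-supplied script. It assumes the layout Nurbolat described (files under C:\allevtlogs named <host>_<channel>.evtx); the output folder C:\allevtlogs\csv and the column names are assumptions chosen here. Two points the thread leaves implicit are handled: the originating host is recovered from the file name (the event's own Computer field is not guaranteed to match it), and the EventData fields, which carry the analytically useful content of Security events, are flattened into one column rather than dropped.

```powershell
# Added example, not from the original thread. Converts every .evtx under
# $InputDir to one CSV per file with a fixed column order, so that a delimited
# (comma) FlexConnector can map columns to ArcSight fields by position.
param(
    [string]$InputDir  = 'C:\allevtlogs',        # layout from the thread
    [string]$OutputDir = 'C:\allevtlogs\csv'     # assumption: output folder
)

New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null

# Column order is part of the parser contract: token[0], token[1], ... in the
# FlexConnector properties file must be declared in exactly this order.
$columns = 'SourceHost', 'Channel', 'TimeCreatedUtc', 'EventId', 'Level',
           'Provider', 'RecordId', 'UserSid', 'EventData', 'Message'

Get-ChildItem -Path $InputDir -Filter '*.evtx' -File | ForEach-Object {
    $file = $_
    # Recover the source host from "<host>_<channel>.evtx"; fall back to the
    # whole base name if the file does not follow that convention.
    $sourceHost = if ($file.BaseName -match '^(?<host>.+)_(?<chan>[^_]+)$') {
        $Matches.host
    } else {
        $file.BaseName
    }
    $outFile = Join-Path $OutputDir ($file.BaseName + '.csv')
    $count   = 0

    try {
        # Get-WinEvent throws "No events were found..." on an empty log; treat
        # that as a warning for this file instead of aborting the whole batch.
        # -Oldest streams records in their original order.
        Get-WinEvent -Path $file.FullName -Oldest -ErrorAction Stop | ForEach-Object {
            $ev = $_
            $count++

            # EventData holds the named fields (TargetUserName, IpAddress, ...)
            # that matter for Security analytics. Flatten to name=value;name=value.
            # Events that use <UserData> instead of <EventData> yield an empty string.
            $xml   = [xml]$ev.ToXml()
            $pairs = @()
            foreach ($d in @($xml.Event.EventData.Data)) {
                if ($null -ne $d) { $pairs += ('{0}={1}' -f $d.Name, $d.'#text') }
            }

            [PSCustomObject]@{
                SourceHost     = $sourceHost
                Channel        = $ev.LogName
                # ISO 8601 in UTC so the FlexConnector timestamp format is unambiguous
                TimeCreatedUtc = if ($ev.TimeCreated) { $ev.TimeCreated.ToUniversalTime().ToString('o') } else { '' }
                EventId        = $ev.Id
                Level          = $ev.LevelDisplayName
                Provider       = $ev.ProviderName
                RecordId       = $ev.RecordId
                UserSid        = if ($ev.UserId) { $ev.UserId.Value } else { '' }
                EventData      = ($pairs -join ';')
                # Rendered message may be $null when the provider is not installed
                # on the analysis box; collapse embedded CR/LF so one event stays
                # on one CSV line (Export-Csv quotes commas and quotes for us).
                Message        = ($ev.Message -replace '\r?\n', ' ')
            }
        } | Select-Object -Property $columns |
            Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8

        Write-Host ('{0}: {1} events -> {2}' -f $file.Name, $count, $outFile)
    } catch {
        Write-Warning ('{0}: {1}' -f $file.Name, $_.Exception.Message)
    }
}
```

Run it on a machine with the same Windows version and roles as the source hosts if you want the Message column populated: rendering the description needs the event provider's message resources, and Get-WinEvent warns and leaves Message empty when they are missing, which is why the raw EventData column is kept as well. When you build the delimited FlexConnector with flexagentwizard, declare the ten tokens in the order of $columns, map TimeCreatedUtc as the device receipt time using the ISO 8601 format written above, and map SourceHost rather than any field from the message to the device host name; as Amit notes, this custom mapping will not reproduce the categorization of the native Windows connector.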

nurbolat.tazhke Absent Member.

Re: read from multiple .evtx file

OK, Amit, thanks for your answer.

shravan.suthar

Re: read from multiple .evtx file

Thanks, Amit, it's working fine.
