Read from multiple .evtx files
I have multiple (around 300) .evtx files (security, system, application). Now I want to read these files, transfer the data to ESM and do further analytics. As far as I know, there is no standard SmartConnector for this purpose.
Can someone suggest what the best way to perform this task would be?
Thanks in advance.
The SmartConnector for Microsoft Windows (native or unified) does this for you!
System, Security and Application (except nested ones) logs can be parsed with this connector.
Thanks Amit for your reply. I'm wondering in which step I can enter the parameters of the log (path)?
I have my .evtx logs under: c:\allevtlogs\
There are 300 of them: 192.168.1.2_security.evtx, 192.168.1.2_application.evtx, 192.168.1.2_system.evtx, 192.168.1.3_security.evtx, 192.168.1.3_application.evtx, 192.168.1.3_system.evtx, 192.168.1.4_security.evtx, 192.168.1.4_application.evtx, 192.168.1.4_system.evtx and ... 293 more files.
I need to read from all of them and send them to ESM.
In this case, you will have to do the following things:
1. Convert the evtx files to CSV.
2. Deploy a delimiter FlexConnector with , (comma) as the delimiter.
How to convert/export from evtx to CSV?
Visit https://www.experts-exchange.com/questions/27706818/Convert-Mulitple-Windows-EVTX-files-to-CSV-format.html and look at the accepted solution.
A PowerShell script is to be created and used.
How to develop and deploy a FlexConnector for delimited log files?
Use the flexagentwizard (refer to the FlexConnector Development Guide) and create your own flexAgent file.
Deploy the developed flexAgent using the "ArcSight FlexConnector Multiple Folder File" connector.
You will be able to parse the events from CSV into the desired ArcSight solution for analysis.
Note: As you will be using a custom parser, the parsing will not be the same as normal Windows event parsing in ArcSight.
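As an added illustration of step 1 (this is example code written for this page, not the script from the linked Experts Exchange answer and not part of any ArcSight product), the following PowerShell bulk-converts the .evtx files described in the question into one CSV per file with a fixed column set that a delimiter FlexConnector can map. It assumes the folder c:\allevtlogs from the question, the filename pattern <sourceIP>_<channel>.evtx, and an output folder c:\allevtlogs\csv that the Multiple Folder File connector would then watch; the column names are my own choice.

```powershell
# Added example: convert every .evtx under $InputDir to a flat CSV for a delimited FlexConnector.
$InputDir  = 'C:\allevtlogs'        # assumption: the folder named in the question
$OutputDir = 'C:\allevtlogs\csv'    # assumption: folder the Multiple Folder File connector reads
New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null

# Fixed column order so every CSV has the same layout for the parser; Message is flattened
# because event text routinely contains commas and line breaks that would split a row.
$Columns = @(
    @{ Name = 'SourceHost';  Expression = { $script:sourceHost } },
    @{ Name = 'Channel';     Expression = { $script:channel } },
    @{ Name = 'TimeUtc';     Expression = {
        if ($_.TimeCreated) { $_.TimeCreated.ToUniversalTime().ToString('yyyy-MM-dd HH:mm:ss') } else { '' } } },
    @{ Name = 'EventId';     Expression = { $_.Id } },
    @{ Name = 'Level';       Expression = { $_.LevelDisplayName } },
    @{ Name = 'Provider';    Expression = { $_.ProviderName } },
    @{ Name = 'Computer';    Expression = { $_.MachineName } },
    @{ Name = 'UserSid';     Expression = { if ($_.UserId) { $_.UserId.Value } else { '' } } },
    @{ Name = 'Message';     Expression = { (($_.Message -replace '[\r\n]+', ' ') -replace '\s{2,}', ' ') } }
)

Get-ChildItem -Path $InputDir -Filter '*.evtx' | ForEach-Object {
    $file = $_
    # Filenames in the thread look like 192.168.1.2_security.evtx: recover host and channel from the name
    $parts = $file.BaseName -split '_', 2
    $script:sourceHost = $parts[0]
    $script:channel    = if ($parts.Count -gt 1) { $parts[1] } else { 'unknown' }

    try {
        # -ErrorAction Stop turns "no events found" (empty log) and unreadable files into a catchable error
        $events = Get-WinEvent -Path $file.FullName -ErrorAction Stop
    } catch {
        Write-Warning "Skipping $($file.Name): $($_.Exception.Message)"
        return
    }

    $outFile = Join-Path $OutputDir ($file.BaseName + '.csv')
    $events | Select-Object -Property $Columns |
        Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8
    Write-Host ("{0}: {1} events -> {2}" -f $file.Name, $events.Count, $outFile)
}
```

Export-Csv quotes every field, so the FlexConnector's delimiter definition must treat double quotes as the text qualifier, and the header row of each file needs to be skipped or mapped in the flexAgent properties.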