In this blog post I will show you how to import Windows event log files in Splunk. I was inspired by this post on how to import '.evtx' files into Elastic and I thought it was a good idea to write this blog on how to achieve the same goal with Splunk. Log analysis is a critical part of DFIR and on numerous occasions I found myself sitting with a bunch of Windows event logs that needed to be analysed. So I hope it will be useful for you as well.
Set up your environment
For this experiment, I have used a cool dataset published by Blackstorm Security. The dataset contains Windows event log samples associated with specific attack and post-exploitation techniques. The event logs are stored in their repository and categorized per attack type.
The first step is to download Splunk Enterprise for free here.
Next, follow the installation steps; upon successful completion you have your own Splunk server running.
Optional: if you want to analyse Sysmon logging, you need to make sure Sysmon is installed on your Splunk server; download it here.
Important: Splunk must be installed on a system running Windows Vista or Server 2008/2008 R2 or newer for this to work.
Importing logs into Splunk
Before we go into the details, it is important to understand some basic Splunk concepts. Data in Splunk is stored in an index, which can be specified with the index option. The type of data is specified with the sourcetype option. The sourcetype is also important, because Splunk uses it to parse and filter data. There are several methods that can be used to import Windows event logs. For Windows event logs it is suggested to use a configuration file to tell Splunk to import the log files. Splunk makes use of configuration files for almost all of its settings. The settings for data imports are specified in the inputs configuration file. A typical inputs configuration file looks like this:
[monitor://data_source]
index = data_destination
sourcetype = data_type
Windows event logs
Windows event log files are binary files, not normal text files. Splunk relies on the sourcetype for parsing of data. So what sourcetype should we use, you might ask? It is not the default wineventlog sourcetype. The wineventlog sourcetype is used when you are forwarding Windows event logs from a live Windows system to Splunk. This does not work for archived/exported .evtx files, so we have to tell Splunk that these files are different. We have to use the sourcetype preprocess-winevt; this sourcetype causes Splunk to parse the data correctly, as we will see later on.
First I will show you what happens when you choose the wrong sourcetype (wineventlog). All events are loaded into one single event in Splunk; see the result below:
And now I will apply the correct sourcetype (preprocess-winevt) and import the event log “recon_psloggedon.evtx” from the “Reconnaissance” folder on the “D” drive. The resulting inputs file looks like this:
With the above configuration the log file is loaded into the wineventlog index. Et voila! The events are split and fields are populated accordingly.
However, in most cases you will need more than one log file to be analysed. This can easily be achieved with Splunk. For this experiment I will import all files in the ‘Privilege Escalation’ folder. You can do this by using a wildcard in the inputs file as shown below.
Splunk will pick up all the files in the directory and put them in the specified index wineventlog with the correct sourcetype. When you upload a batch of Windows event logs it is a good idea to add the ‘crcSalt = ’ option. The reason for using the ‘crcSalt’ option is that by default Splunk checks the first 256 bytes of a file with a Cyclic Redundancy Check (CRC) to make sure it does not index the same file twice. You can force Splunk to index similar files by using the ‘crcSalt = ’ option. Just to be safe I suggest you use this option when importing a batch of Windows event logs, because I have had cases where log files were too similar according to the default CRC check.
Important: You must use the preprocess-winevt sourcetype for exported ‘.evtx’ files, otherwise data is parsed incorrectly.
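As an added example (not part of the original post), the following Python helper generates the inputs stanzas described above for a single exported .evtx file and for a whole folder with a wildcard, and lints an existing inputs configuration for the two mistakes this post warns about: a .evtx monitor that is not using the preprocess-winevt sourcetype, and a wildcard monitor without crcSalt = <SOURCE>. The paths, the index name wineventlog and the *.evtx wildcard follow the post; the function names and the use of <SOURCE> as the crcSalt value are my choices.

```python
"""Generate and sanity-check Splunk inputs.conf stanzas for exported .evtx files."""
import configparser
from pathlib import PureWindowsPath

EVTX_SOURCETYPE = "preprocess-winevt"   # required for archived/exported .evtx files
FORWARDED_SOURCETYPE = "wineventlog"    # only correct for live, forwarded event logs


def evtx_stanza(path, index="wineventlog", batch=False):
    """Return one [monitor://...] stanza for an exported .evtx file or a folder of them.

    batch=True appends a *.evtx wildcard and crcSalt = <SOURCE>, so files whose first
    256 bytes are identical are not skipped by Splunk's default CRC duplicate check.
    """
    source = str(PureWindowsPath(path))          # normalises separators, strips trailing '\'
    if batch:
        source += "\\*.evtx"
    lines = [f"[monitor://{source}]", f"index = {index}", f"sourcetype = {EVTX_SOURCETYPE}"]
    if batch:
        lines.append("crcSalt = <SOURCE>")
    return "\n".join(lines) + "\n"


def check_inputs(conf_text):
    """Return a list of warnings for monitor stanzas that would mis-handle .evtx files."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                         # keep key case (crcSalt, not crcsalt)
    cp.read_string(conf_text)
    warnings = []
    for section in cp.sections():
        if not section.startswith("monitor://"):
            continue
        source = section[len("monitor://"):]
        if not source.lower().endswith(".evtx"):
            continue
        sourcetype = cp[section].get("sourcetype", "")
        if sourcetype != EVTX_SOURCETYPE:
            warnings.append(f"{section}: sourcetype '{sourcetype}' collapses the whole file "
                            f"into one event; use {EVTX_SOURCETYPE}")
        if "*" in source and "crcSalt" not in cp[section]:
            warnings.append(f"{section}: wildcard without crcSalt = <SOURCE>; "
                            f"near-identical .evtx files may be skipped")
    return warnings


if __name__ == "__main__":
    print(evtx_stanza(r"D:\Reconnaissance\recon_psloggedon.evtx"))
    print(evtx_stanza(r"D:\Privilege Escalation", batch=True))
    # Constructed "wrong" config: the mistake shown in the first screenshot of the post.
    wrong = evtx_stanza(r"D:\Reconnaissance\recon_psloggedon.evtx").replace(
        EVTX_SOURCETYPE, FORWARDED_SOURCETYPE)
    print("\n".join(check_inputs(wrong)))
```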
Now you have all your logs in one place in Splunk and you can start searching for the needle in the haystack. Good luck and enjoy!
I am truly impressed by the details that you have provided regarding Vietnam Import Data It is an interesting blog for me as well as for others. Thanks for sharing such a blog here.
huge help. thank you!