Figure: Splunk shows garbled characters after importing an EventLog evtx file with an incorrect sourcetype

Import EventLog into Splunk


During my incident response engagements I always need to import EventLog into Splunk for further analysis. Of course, I am not trying to convince anyone to use Splunk in their incident response process. I use Splunk simply because commands such as transaction, streamstats and eventstats are difficult to replace with other tools, and because we have a set of ready-to-use threat hunting queries that speed up the initial triage.

By default, Windows EventLog evtx files are stored in C:\Windows\System32\winevt\Logs and are held open by the Windows Event Log service while the system is running. You therefore should not edit or copy those live evtx files directly: a raw copy may be inconsistent, and you risk ending up with a corrupt Windows Event Log evtx file. To export an evtx file, open Event Viewer, right-click the log channel and choose Save All Events As..., which asks the Event Log service to write a consistent copy. The same export can be done from the command line with wevtutil epl <channel> <output.evtx>.

From the point of view of Windows program design, an application calls the Windows API and lets Windows complete the requested action on its behalf. Splunk likewise uses the native Windows Event Log API to parse an exported evtx file, so the file must be processed by a Splunk instance running on Windows (a Universal Forwarder, a heavy forwarder, or an all-in-one Splunk instance). In other words, the inputs.conf below must be deployed or defined on a Windows machine in order to import EventLog into Splunk successfully. You also need to set the sourcetype to preprocess-winevt explicitly: this sourcetype tells Splunk to decode the binary evtx file through the Windows API and then assign the real sourcetype (WinEventLog:<channel>) to the decoded events. If you leave the sourcetype out or set a different one, Splunk reads the evtx file as plain text and displays garbled characters after the import. You can find the working version of inputs.conf below:

# monitor every exported Sysmon log dropped into C:\analysis on the Windows Splunk host
[monitor://C:\analysis\*sysmon.evtx]
disabled = 0
# decode the binary evtx through the Windows Event Log API instead of reading it as text
sourcetype = preprocess-winevt
# the host the log was exported from, not the machine running Splunk
host = victim_machine
index = wineventlog
# every evtx file starts with the same file header; salt the CRC with the path so each file is indexed
crcSalt = <SOURCE>
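The following PowerShell is an added example and is not code from the original post. It puts the two steps above into helper functions: Export-EvtxChannel runs on the victim and uses wevtutil epl so the Event Log service writes a consistent copy (the command-line equivalent of Save All Events As... in Event Viewer); New-SplunkEvtxInputs runs on the Windows host where Splunk (Universal Forwarder or full instance) is installed, checks that each exported file can be parsed through the Windows Event Log API, and generates one inputs.conf stanza per file, with host taken from the file name prefix. It generalizes the single-host stanza in the post to several victims. The C:\analysis directory, the <host>_sysmon.evtx naming, and the evtx_import app path are assumptions for the example.

```powershell
# Added example (not from the original post). Assumptions: exports are named
# <host>_sysmon.evtx under C:\analysis, and the forwarder reads inputs.conf from
# the hypothetical app evtx_import. Adjust both to your deployment.

function Export-EvtxChannel {
    # Run on the victim machine. wevtutil epl asks the Event Log service to write a
    # consistent export; do not copy the live file under C:\Windows\System32\winevt\Logs.
    param(
        [string]$Channel = 'Microsoft-Windows-Sysmon/Operational',
        [string]$OutDir  = 'C:\analysis'
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $Evtx = Join-Path $OutDir ("{0}_sysmon.evtx" -f $env:COMPUTERNAME)
    # /ow:true overwrites an earlier export with the same name
    wevtutil epl $Channel $Evtx /ow:true
    if ($LASTEXITCODE -ne 0) { throw "wevtutil epl failed for channel $Channel" }
    return $Evtx
}

function New-SplunkEvtxInputs {
    # Run on the Windows host running Splunk, after copying the exports into $EvtxDir.
    param(
        [string]$EvtxDir  = 'C:\analysis',
        [string]$Index    = 'wineventlog',
        # Hypothetical app path (assumption); inputs.conf must live on a Windows Splunk host
        [string]$AppLocal = 'C:\Program Files\SplunkUniversalForwarder\etc\apps\evtx_import\local'
    )
    $Stanzas = foreach ($File in Get-ChildItem -Path $EvtxDir -Filter '*_sysmon.evtx') {
        # Get-WinEvent uses the same Windows Event Log API as Splunk's preprocess-winevt
        # input: if it cannot parse the export, the import will not work either.
        $Count = (Get-WinEvent -Path $File.FullName -ErrorAction Stop | Measure-Object).Count
        $VictimHost = $File.BaseName -replace '_sysmon$', ''
        Write-Host ("{0}: {1} events, host={2}" -f $File.Name, $Count, $VictimHost)
        @"
[monitor://$($File.FullName)]
disabled = 0
# preprocess-winevt decodes the binary evtx through the Windows API; without it the
# file is indexed as plain text and shows up as garbled characters
sourcetype = preprocess-winevt
host = $VictimHost
index = $Index
# every evtx file starts with the same file header, so salt the CRC with the full
# path or Splunk may skip later files as already-indexed duplicates
crcSalt = <SOURCE>

"@
    }
    New-Item -ItemType Directory -Path $AppLocal -Force | Out-Null
    $Conf = Join-Path $AppLocal 'inputs.conf'
    Set-Content -Path $Conf -Value $Stanzas -Encoding ASCII
    Write-Host "Wrote $Conf; restart the Splunk service to start ingestion"
    return $Conf
}

# Usage: on the victim, Export-EvtxChannel; copy the .evtx to C:\analysis on the
# Splunk Windows host, then run New-SplunkEvtxInputs there.
```

One stanza per file is used instead of the wildcard in the post so that each export keeps its own host value; with a single wildcard stanza every file would be tagged with the same host.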

As you can see below, Splunk imports the file correctly and automatically assigns the real sourcetype, which in this case is WinEventLog:Microsoft-Windows-Sysmon/Operational. Note that Splunk records the imported file in its fishbucket using the salted CRC, so re-indexing the same evtx file later requires resetting that entry or placing the export under a different path.

Figure: Splunk displays the correct result after importing with the preprocess-winevt sourcetype

Hunting evil with Sysmon, AutoRuns, and other free tools

