This blog post was first released on cloud-response.com, one of our personal projects. We’ve decided to move it here because that domain might go away, and it’s a useful post for a lot of people, so we want to keep it around.
Introduction
In this blog post I will show you how to import Windows event log files into Splunk. I was inspired by this post on how to import ‘.evtx’ files into Elastic, and I thought it was a good idea to write up how to achieve the same goal with Splunk. Log analysis is a critical part of DFIR, and on numerous occasions I found myself sitting with a bunch of Windows event logs that needed to be analysed. So I hope it will be useful for you as well.
Set up your environment
For this experiment, I have used a cool dataset published by Blackstorm Security. The dataset contains Windows event log samples associated with specific attack and post-exploitation techniques. The event logs are stored in their repository and categorized per attack type.
- The first step is to download Splunk Enterprise for free here
- Next, follow the installation steps; upon successful completion you have your own Splunk server running
- Optional: if you want to analyse Sysmon logging, make sure Sysmon is installed on your Splunk server as well; download it here
Important: Splunk must be installed on a system running Windows Vista or Server 2008/2008 R2 or newer for this to work.
Importing logs into Splunk
Before we go into the details, it is important to understand some basic Splunk concepts. Data in Splunk is stored in an index, which is specified with the index option. The type of data is specified with the sourcetype option. The sourcetype matters because Splunk uses it to parse and filter the data.
There are several methods to import Windows event logs. For Windows event logs I suggest using a configuration file to tell Splunk which log files to import. Splunk uses configuration files for almost all of its settings, and the settings for data imports are specified in the inputs configuration file. A typical inputs configuration file looks like this:
[monitor://data_source]
index = data_destination
sourcetype = data_type
Windows event logs
Windows event log files are binary files, not normal text files. Splunk relies on the sourcetype to parse data, so which sourcetype should we use? Not the default wineventlog sourcetype: that one is used when you forward Windows event logs from a live Windows system to Splunk, and it does not work for archived/exported .evtx files. We have to tell Splunk that these files are different by using the sourcetype preprocess-winevt, which makes Splunk parse the data correctly, as we will see later on.
First I will show you what happens when you choose the wrong sourcetype (wineventlog): the whole file is loaded as one single event in Splunk, as the screenshot below shows:
Now we apply the correct sourcetype (preprocess-winevt) and import the event log “recon_psloggedon.evtx” from the “Reconnaissance” folder on the “D” drive. The resulting inputs file looks like this:
[monitor://D:\[SourceData]\EVTX-ATTACK-SAMPLES-master\Reconnaissance\recon_psloggedon.evtx]
index = wineventlog
sourcetype = preprocess-winevt
With the above configuration the log file is loaded into the wineventlog index. Et voilà! The events are split and the fields are populated accordingly.
However, in most cases you will need to analyse more than one log file. This is easy to achieve in Splunk. For this experiment I will import all files in the ‘Privilege Escalation’ folder, using a wildcard in the inputs file as shown below.
[monitor://D:\[SourceData]\EVTX-ATTACK-SAMPLES-master\Privilege Escalation\*]
index = wineventlog
sourcetype = preprocess-winevt
crcSalt = <SOURCE>
Splunk will pick up all the files in the directory and put them in the specified index (wineventlog) with the correct sourcetype. When you upload a batch of Windows event logs it is a good idea to add the ‘crcSalt = <SOURCE>’ option. The reason is that by default Splunk computes a Cyclic Redundancy Check (CRC) over the first 256 bytes of each file to make sure it does not index the same file twice. With the ‘crcSalt = <SOURCE>’ option you can force Splunk to index similar files anyway. Just to be safe, I suggest you use this option when importing a batch of Windows event logs, because I have had cases where log files were too similar according to the default CRC check and were silently skipped.
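To make the duplicate check concrete, here is an added Python illustration (my code, not from the original post and not Splunk’s own implementation): two constructed files that share an identical 256-byte header get the same CRC over their leading bytes, so a check like Splunk’s default one would treat them as the same file, while prefixing the source path, which is the idea behind crcSalt = <SOURCE>, tells them apart. zlib.crc32 only stands in for Splunk’s internal check, and the header bytes and file paths are made up for the example.

```python
import zlib

# Constructed sample: two "exported" files that share an identical 256-byte
# header and differ only later on. Made-up bytes, not real event logs.
HEADER = b"ElfFile\x00" + b"\x00" * 248        # exactly 256 bytes
FILE_A = HEADER + b"chunk-with-events-A" * 8
FILE_B = HEADER + b"chunk-with-events-B" * 8


def head_crc(data: bytes, salt: bytes = b"", nbytes: int = 256) -> int:
    """CRC32 over the first `nbytes` of a file, optionally prefixed with a salt.

    zlib.crc32 is only a stand-in for Splunk's internal CRC; the point is that
    the check covers just the first 256 bytes of the file.
    """
    return zlib.crc32(salt + data[:nbytes]) & 0xFFFFFFFF


def looks_duplicate(a: bytes, b: bytes) -> bool:
    """Default behaviour: identical leading bytes give the same CRC, so the
    second file is treated as one already indexed."""
    return head_crc(a) == head_crc(b)


def looks_duplicate_salted(a: bytes, a_src: str, b: bytes, b_src: str) -> bool:
    """Behaviour with crcSalt = <SOURCE>: the source path becomes part of the
    CRC, so files at different paths are distinguished even with equal headers."""
    return head_crc(a, a_src.encode()) == head_crc(b, b_src.encode())


if __name__ == "__main__":
    print("files differ:", FILE_A != FILE_B)
    print("duplicate by default:", looks_duplicate(FILE_A, FILE_B))
    print(
        "duplicate with <SOURCE> salt:",
        looks_duplicate_salted(FILE_A, r"D:\logs\a.evtx", FILE_B, r"D:\logs\b.evtx"),
    )
```

Exported .evtx files from one dataset often start with near-identical header bytes, which is exactly the situation where the unsalted check collides; the salted variant shows why adding the source path resolves it.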
Important: You must use the preprocess-winevt sourcetype for exported ‘.evtx’ files, otherwise the data is parsed incorrectly.
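As an added example (my code, not from the post and not part of Splunk), the following Python script parses a constructed inputs configuration in Splunk’s stanza format and checks the two rules from this post before you restart Splunk: a monitored .evtx file must use sourcetype = preprocess-winevt, and a wildcard (batch) monitor should set crcSalt = <SOURCE>. The file paths are placeholders, and the script assumes that a wildcard monitor points at a folder of exported .evtx files.

```python
from typing import Dict, List

# Constructed inputs configuration for this example; the paths are placeholders.
# Stanza 1 uses the wrong sourcetype, stanza 2 is a batch import without
# crcSalt, stanza 3 follows both rules.
SAMPLE_INPUTS_CONF = r"""
# comment lines are ignored
[monitor://D:\Cases\Reconnaissance\recon_psloggedon.evtx]
index = wineventlog
sourcetype = wineventlog

[monitor://D:\Cases\Privilege Escalation\*]
index = wineventlog
sourcetype = preprocess-winevt

[monitor://D:\Cases\Lateral Movement\*.evtx]
index = wineventlog
sourcetype = preprocess-winevt
crcSalt = <SOURCE>
"""

Stanza = Dict[str, str]


def parse_inputs_conf(text: str) -> Dict[str, Stanza]:
    """Minimal parser for Splunk-style .conf files: [stanza] headers followed
    by key = value lines. Blank lines and # comments are skipped."""
    stanzas: Dict[str, Stanza] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def lint_evtx_inputs(stanzas: Dict[str, Stanza]) -> List[str]:
    """Check every monitor:// stanza against the two rules from the post."""
    findings: List[str] = []
    for name, settings in stanzas.items():
        if not name.startswith("monitor://"):
            continue
        path = name[len("monitor://"):]
        is_batch = "*" in path
        # Assumption: a wildcard monitor points at a folder of exported .evtx files.
        is_evtx = path.lower().endswith(".evtx") or is_batch
        sourcetype = settings.get("sourcetype")
        if is_evtx and sourcetype != "preprocess-winevt":
            findings.append(
                f"{name}: exported .evtx files need sourcetype = preprocess-winevt "
                f"(got {sourcetype!r}); with wineventlog the whole file becomes one event"
            )
        if is_batch and settings.get("crcSalt") != "<SOURCE>":
            findings.append(
                f"{name}: batch import without crcSalt = <SOURCE>; files whose first "
                f"256 bytes match may be skipped as duplicates"
            )
    return findings


def check_inputs_conf(text: str) -> List[str]:
    """Parse and lint in one call; returns one human-readable finding per problem."""
    return lint_evtx_inputs(parse_inputs_conf(text))


if __name__ == "__main__":
    for finding in check_inputs_conf(SAMPLE_INPUTS_CONF):
        print(finding)
```

Run it against your own inputs file by passing its contents to check_inputs_conf; an empty list means both rules are satisfied for every monitor stanza.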
Now you have all your logs in one place in Splunk and you can start searching for the needle in the haystack. Good luck and enjoy!