Another approach may be to use Winlogbeat and get BaseX to query Elasticsearch.
Did this, worked ok

On Wed, Apr 14, 2021 at 6:00 PM <basex-talk-request@mailman.uni-konstanz.de> wrote:


Today's Topics:

   1. Re: Datamining MS Windows eventlogs converted to xml
      (Christian Grün)


----------------------------------------------------------------------

Message: 1
Date: Tue, 13 Apr 2021 16:51:06 +0200
From: Christian Grün <christian.gruen@gmail.com>
To: commandline-be <commandline@protonmail.com>
Cc: BaseX <basex-talk@mailman.uni-konstanz.de>
Subject: Re: [basex-talk] Datamining MS Windows eventlogs converted to
        xml
Message-ID:
        <CAP94bnPEUXc9biKsC5TNmN6-5bERatSW-uMF6n6cw4G70y=MQQ@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"

Hi Joris,

> The kind of queries I'll need to write may be quite complex. At least to me at this point, I noticed BaseX to have more under the hood I have yet to explore.

As XQuery has a much broader scope than SQL, you can write very
sophisticated queries. In our documentation, you can find some simple
use cases; see e.g. [1,2,3].

> One other thing I'd like to explore is if I can query and/or index .evt and .evtx files directly by repurposing source code.

As far as I know, these formats are proprietary, but you could include
external converters for that [4]. Such a converter could also be
invoked from XQuery [5], and the result could be further processed.

Hope this helps,
Christian

[1] https://docs.basex.org/wiki/XQuery_3.0
[2] https://docs.basex.org/wiki/XQuery_3.1
[3] https://docs.basex.org/wiki/XQuery
[4] https://www.vanimpe.eu/2015/07/16/use-evtxparser-convert-windows-event-log-files-xml/
[5] https://docs.basex.org/wiki/Process_Module



> Typically I expect to query for unique eventid to create a baseline and for one or more reoccurring field values which may span any or all eventid. Here I will need to do pattern matching for example for uuid, ip, fqdn etc.
>
> My preliminary super simple tests have shown this to be feasible.
>
> Based on these results and queries I'd then seek to export to json or other formats. Maybe also to send data to elasticsearch or neo4j.
>
> One other thing I'd like to explore is if I can query and/or index .evt and .evtx files directly by repurposing source code.
>
>
> Best Regards,
>
> Joris
>
>
>
>
>
>
> -------- Original message --------
> On 12 Apr 2021 12:51, Christian Grün <christian.gruen@gmail.com> wrote:
>
>
> Hi Joris,
>
> Have you already exported the MS Windows events to XML, and are you
> now trying to extract specific information from those files?
>
> Best,
> Christian
>
> On Wed, Apr 7, 2021 at 2:13 PM Joris Lambrecht
> <commandline@protonmail.com> wrote:
> >
> > Dear,
> >
> > For the longest time a good tool to datamine MS Windows event logs
> > escaped me.
> >
> > BaseX appears to offer the toolkit which could permit doing so after an
> > affordable conversion to XML.
> >
> > Now I seek to build a set of queries to extract information from
> > multiple converted eventlog files at once.
> >
> > Are there people on this list who have experience or are open to
> > building experience on this topic?
> >
> > Br,
> >
> > Joris
> >
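The two query types Joris describes above (a per-host EventID baseline, and pattern matching for IP values across every event type), sketched as an added XQuery example; this is not code from the thread or from BaseX. It assumes converted records follow the Windows Event XML schema (System/EventID, System/Computer, EventData/Data[@Name]), and the four sample events are constructed, standing in for a real db:open('evtx')//Event.

```xquery
xquery version "3.1";
(: Assumed: converted EVTX records use the Windows Event XML schema. Declaring
   it as the default element namespace keeps the path steps below unprefixed. :)
declare default element namespace
  "http://schemas.microsoft.com/win/2004/08/events/event";

(: Constructed sample events; replace with db:open('evtx')//Event in practice. :)
declare variable $events := (
  <Event><System><EventID>4624</EventID><Computer>host01</Computer></System>
    <EventData><Data Name="TargetUserName">alice</Data>
      <Data Name="IpAddress">10.0.0.5</Data></EventData></Event>,
  <Event><System><EventID>4624</EventID><Computer>host01</Computer></System>
    <EventData><Data Name="TargetUserName">bob</Data>
      <Data Name="IpAddress">10.0.0.5</Data></EventData></Event>,
  <Event><System><EventID>4625</EventID><Computer>host01</Computer></System>
    <EventData><Data Name="TargetUserName">admin</Data>
      <Data Name="IpAddress">192.0.2.77</Data></EventData></Event>,
  <Event><System><EventID>4688</EventID><Computer>host02</Computer></System>
    <EventData><Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data>
    </EventData></Event>
);

(: Baseline: how often each EventID occurs on each host. :)
declare function local:baseline($evs as element(Event)*) as element(Baseline)* {
  for $ev in $evs
  group by $host := string($ev/System/Computer),
           $id   := xs:integer($ev/System/EventID)
  order by $host, count($ev) descending, $id
  return <Baseline host="{$host}" eventid="{$id}" count="{count($ev)}"/>
};

(: Anchored IPv4 pattern so free-text fields with embedded numbers do not match. :)
declare variable $ipv4 := "^(\d{1,3}\.){3}\d{1,3}$";

(: Which Data fields carry IPv4 values, and across which EventIDs each IP recurs. :)
declare function local:ip-fields($evs as element(Event)*) as element(IpHit)* {
  for $d in $evs/EventData/Data[matches(normalize-space(.), $ipv4)]
  group by $field := string($d/@Name), $ip := normalize-space($d)
  order by $ip
  return <IpHit field="{$field}" ip="{$ip}"
                eventids="{distinct-values($d/../../System/EventID)}"/>
};

<Report>{ local:baseline($events), local:ip-fields($events) }</Report>
```

Run it in the BaseX GUI or with `basex query.xq`; the same functions work unchanged over a database of converted files once $events points at db:open().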


End of BaseX-Talk Digest, Vol 136, Issue 7
******************************************