Hey Adam,
True this works for a live machine.
What I speak of are copies of .evtx files. I know it is possible but the process is clumsy afaik.
Br
Joris
-------- Original message -------- On 15 Apr 2021 05:06, Adam Law <adamjameslaw@gmail.com> wrote:
Another approach may be to use WinLogBeat and get BaseX to query ElasticSearch.
Did this, worked ok
On Wed, Apr 14, 2021 at 6:00 PM <basex-talk-request@mailman.uni-konstanz.de> wrote:
Today's Topics:
- Re: Datamining MS Windows eventlogs converted to xml
(Christian Grün)
----------------------------------------------------------------------
Message: 1
Date: Tue, 13 Apr 2021 16:51:06 +0200
From: Christian Grün <christian.gruen@gmail.com>
To: commandline-be <commandline@protonmail.com>
Cc: BaseX <basex-talk@mailman.uni-konstanz.de>
Subject: Re: [basex-talk] Datamining MS Windows eventlogs converted to xml
Message-ID: <CAP94bnPEUXc9biKsC5TNmN6-5bERatSW-uMF6n6cw4G70y=MQQ@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Hi Joris,
The kind of queries I'll need to write may be quite complex. At least to me at this point, I noticed BaseX to have more under the hood I have yet to explore.
As XQuery has a much broader scope than SQL, you can write very sophisticated queries. In our documentation, you can find some simple use cases; see e.g. [1,2,3].
One other thing I'd like to explore is if I can query and/or index .evt and .evtx files directly by repurposing source code.
As far as I know, these formats are proprietary, but you could include external converters for that [4]. Such a converter could also be invoked from XQuery [5], and the result could be further processed.
Hope this helps, Christian
[1] https://docs.basex.org/wiki/XQuery_3.0
[2] https://docs.basex.org/wiki/XQuery_3.1
[3] https://docs.basex.org/wiki/XQuery
[4] https://www.vanimpe.eu/2015/07/16/use-evtxparser-convert-windows-event-log-f...
[5] https://docs.basex.org/wiki/Process_Module
Typically I expect to query for unique eventid to create a baseline and for one or more reoccurring field values which may span any or all eventid. Here I will need to do pattern matching, for example for uuid, ip, fqdn etc.
My preliminary super simple tests have shown this to be feasible.
Based on these results and queries I'd then seek to export to JSON or other formats. Maybe also to send data to Elasticsearch or Neo4j.
One other thing I'd like to explore is if I can query and/or index .evt and .evtx files directly by repurposing source code.
Best Regards,
Joris
-------- Original message -------- On 12 Apr 2021 12:51, Christian Grün <christian.gruen@gmail.com> wrote:
Hi Joris,
Have you already exported the MS Windows events to XML, and are you now trying to extract specific information from those files?
Best, Christian
On Wed, Apr 7, 2021 at 2:13 PM Joris Lambrecht <commandline@protonmail.com> wrote:
Dear,
For the longest time a good tool to datamine ms windows eventlogs escaped me.
BaseX appears to offer the toolkit which could permit to do so after an affordable conversion to XML.
Now I seek to build a set of queries to extract information from multiple converted eventlog files at once.
Are there people on this list who have experience or are open to building experience on this topic?
Br,
Joris
End of BaseX-Talk Digest, Vol 136, Issue 7 ******************************************
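The three things Joris describes in the thread (an EventID baseline, pattern matching for UUID/IP/FQDN values across any event type, and export to JSON) fit in one XQuery 3.1 main module. The query below is an added example written for this page, not code from the thread or from the BaseX project. It assumes the XML shape that wevtutil and EvtxParser-style converters emit (the Microsoft event schema with System/EventID and EventData/Data elements) and embeds a few constructed sample events so it runs without any database; the `db:open('evtx')` and `collection()` calls mentioned in the comment are the real BaseX/XQuery entry points you would swap in for a set of converted files. The regexes, field names and sample values are all constructed for illustration.

```xquery
xquery version "3.1";

(: Constructed sample events; in practice bind $events to
   db:open('evtx')//*:Event or collection('converted/')//*:Event. :)
declare variable $events := (
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System><EventID>4624</EventID><Computer>ws01.example.test</Computer>
      <TimeCreated SystemTime="2021-04-13T14:51:06Z"/></System>
    <EventData><Data Name="TargetUserName">alice</Data>
      <Data Name="IpAddress">10.0.0.5</Data>
      <Data Name="LogonGuid">{54849625-5478-4994-A5BA-3E3B0328C30D}</Data></EventData>
  </Event>,
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System><EventID>4624</EventID><Computer>ws01.example.test</Computer>
      <TimeCreated SystemTime="2021-04-13T14:52:10Z"/></System>
    <EventData><Data Name="TargetUserName">bob</Data>
      <Data Name="IpAddress">10.0.0.5</Data>
      <Data Name="WorkstationName">dc01.corp.example.test</Data></EventData>
  </Event>,
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System><EventID>4688</EventID><Computer>ws01.example.test</Computer>
      <TimeCreated SystemTime="2021-04-13T14:53:00Z"/></System>
    <EventData><Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data>
      <Data Name="SubjectUserName">alice</Data></EventData>
  </Event>
);

(: 1. Baseline: how often each EventID occurs across all converted logs.
   Comparing this against a known-good baseline surfaces new event types. :)
declare function local:baseline($events as element()*) as map(*)* {
  for $e in $events
  let $id := xs:integer($e/*:System/*:EventID)
  group by $id
  order by count($e) descending
  return map { 'EventID': $id, 'count': count($e) }
};

(: 2. Pattern matching: every EventData field value that looks like an IPv4
   address, a UUID or an FQDN, regardless of which EventID it belongs to. :)
declare variable $patterns := map {
  'ipv4': '^(\d{1,3}\.){3}\d{1,3}$',
  'uuid': '^\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$',
  'fqdn': '^([A-Za-z0-9\-]+\.)+[A-Za-z]{2,}$'
};

declare function local:indicators($events as element()*) as map(*)* {
  for $d in $events/*:EventData/*:Data
  let $value := normalize-space($d)
  for $kind in map:keys($patterns)
  where matches($value, $patterns($kind))
  let $key := $kind || ':' || $value
  group by $key
  return map {
    'type':   $kind[1],
    'value':  $value[1],
    'count':  count($d),
    (: after group by, $d is the whole group, so this lists every
       EventID the value was seen in :)
    'events': array { distinct-values($d/../../*:System/*:EventID ! xs:integer(.)) }
  }
};

(: 3. Export: one JSON document ready for Elasticsearch, Neo4j or a file. :)
serialize(
  map {
    'baseline':   array { local:baseline($events) },
    'indicators': array { local:indicators($events) }
  },
  map { 'method': 'json', 'indent': true() }
)
```

Run it with `basex query.xq` or paste it into the BaseX GUI. Two points worth noting: the `*:` wildcard prefix avoids having to declare the Microsoft event namespace, and after `group by` every non-grouping variable becomes the sequence of the whole group, which is what makes `count($d)` and the per-indicator EventID list work. To include System-level fields such as `Computer` in the indicator search, extend the path in `local:indicators` to `$events/(*:EventData/*:Data | *:System/*:Computer)`.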