
I am using Get-WinEvent to convert an evtx log to a .json file. Then I send it to ELK.
Get-WinEvent -Path .\log.evtx | ConvertTo-Json | Format-List | Out-File log.json
The file looks like a normal string-containing file on Windows. But when I take it to Linux, it contains binary data and cannot be parsed by ELK.


Even if I use Out-String, nothing changes.
$result = Get-WinEvent -Path .\user-creation-1log.evtx | ConvertTo-Json | Format-List
$result | Out-String | Out-File log.json

This also appears to be a binary file in Linux. (Although I remember that Export-Csv with Get-WinEvent created a complete text file, it makes a really ugly formatted CSV file.) I really liked the way ConvertTo-Json formatted and valued the JSON data and would prefer it. (If someone can provide a different way to convert the evtx data in its fullest form to JSON, I'm happy to take it.)
I've tried the evtx2csv Python module, but that doesn't write output to a file.

nav33n

1 Answer

First, don't use Format-List if you intend to export JSON. This is only for formatting objects as a nice visual representation in the console.

Also, I don't use Linux, but I guess it's safest to specify utf8 as encoding explicitly to make sure it's compatible:

Get-WinEvent -Path .\log.evtx | ConvertTo-Json | Out-File log.json -Encoding utf8
marsze
    Perfect solve, encoding solved it. I'll test uploading file to ELK and update again if I face issues again. – nav33n Jul 03 '21 at 14:13
  • @nav33n It was a shot in the dark but glad it worked for you. Good luck. – marsze Jul 03 '21 at 14:30
  • Also, the JSON being generated gets split into multiple lines separated by newlines. Can there be a way out to get the JSON log in a single line? (Multi-line JSON is breaking the parsing for ELK.) The log format generated is in question at this link https://stackoverflow.com/questions/68238193/logstash-parsing-newlines-between-json-fields – nav33n Jul 03 '21 at 17:57
  • @nav33n You should really look at the [documentation](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/convertto-json?view=powershell-7.1) of the cmdlets you're using, or use `Get-Help`. You'll see there's a `-Compress` switch. – marsze Jul 04 '21 at 07:57
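Putting the answer and the comment thread together, here is an added example (my own code, not from either poster) that writes one compressed JSON object per event in UTF-8 without a BOM, so Logstash can ingest the file line by line. It assumes the `.\log.evtx` from the question; the flattened field names and the `.\log.ndjson` output path are my own choices.

```powershell
# Added example: evtx -> NDJSON (one compact JSON object per line) for ELK ingestion.
param(
    [string]$Path    = '.\log.evtx',    # input from the question
    [string]$OutFile = '.\log.ndjson'   # assumed output name
)

# Select a flat set of fields instead of serialising the raw EventLogRecord,
# whose nested objects get truncated at ConvertTo-Json's default -Depth of 2.
# -Compress keeps each event on a single line; newlines inside Message are escaped as \n.
$lines = Get-WinEvent -Path $Path | ForEach-Object {
    $evt = $_
    [ordered]@{
        TimeCreated = $(if ($evt.TimeCreated) { $evt.TimeCreated.ToUniversalTime().ToString('o') })
        EventId     = $evt.Id
        Provider    = $evt.ProviderName
        Channel     = $evt.LogName
        Computer    = $evt.MachineName
        RecordId    = $evt.RecordId
        Level       = $evt.LevelDisplayName
        Message     = $evt.Message
        EventData   = @($evt.Properties | ForEach-Object { $_.Value })
    } | ConvertTo-Json -Compress -Depth 4
}

# Out-File -Encoding utf8 writes a BOM (EF BB BF) in Windows PowerShell 5.1, which some
# Linux-side parsers treat as garbage at the start of the first line. UTF8Encoding($false)
# writes plain UTF-8 on both 5.1 and 7. .NET needs a full path, so resolve the PS path first.
$full = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($OutFile)
$utf8NoBom = New-Object System.Text.UTF8Encoding($false)
[System.IO.File]::WriteAllLines($full, [string[]]$lines, $utf8NoBom)

# Quick checks before shipping: first bytes must not be EF BB BF, and every line must parse.
$head = [System.IO.File]::ReadAllBytes($full)[0..2]
if ($head[0] -eq 0xEF -and $head[1] -eq 0xBB -and $head[2] -eq 0xBF) { throw 'BOM present' }
Get-Content -LiteralPath $full | ForEach-Object { $null = $_ | ConvertFrom-Json }
"Wrote $($lines.Count) events to $full"
```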