Export Windows Event Logs to a format ingestible by Security Onion (.evtx) within an offline archive.
Exports Windows Event Logs to an archive, which can then be exported to different SIEMs and Security Onion solutions. This niche tool was written for scenarios where logs needed to be stored and moved to external SIEM's not reachable by the target.
Parameters:
# -Context --> The name of the TTP being collected (example: 'Sliver HTTP C2')
# -Offset --> The last X minutes of logs to collect (default: last 30 minutes)
# -OutputDir --> Intended output directory (default: %PUBLIC%\Documents)
# -LogSet --> Additional logset to collect & export.
# -Help --> Return Get-Help information
Defaults:
- Exports logs to the Public Documents directory (
%PUBLIC%\Documents) - Exports the last 30 minutes of logs.
- Attempts to export the following logsets:
- "Application",
- "System",
- "Security",
- "Microsoft-Windows-Sysmon/Operational",
- "Microsoft-Windows-PowerShell/Operational"
(Note: MUST BE RAN WITH ELEVATED PRIVILEGES.)
# Below example will create a labeled .zip in "%PWD%\Examples" containing the last 45 minutes of logs
export-evtx -Context 'Github Showcase' -Offset 45 -OutputDir .\Examples
(Note: Below image unrelated to usage example.)
- Move the archived logs to your Security Onion sensor via your preferred method (USB, SCP, etc.)
- Unzip the archive
- Import with
so-import-evtx
