Parsing exception when trying to ingest System.evtx

[joaociocca]

Hi there! Great tool, I got it to ingest Security.evtx and Application.evtx, but when I try to ingest System.evtx I always get a parsing error. I have a very basic understanding of programming logic, not nearly that about Python - I got most of it to work with your step-by-step on Dragos' blog and some Google-fu. How can I help diagnose, maybe even help correct, this parsing error?

oh! Found one on Elasticsearch's logs:

Caused by: java.lang.IllegalArgumentException: object field starting or ending with a [.] makes object resolution ambiguous: [.NETServiceMethod]

And rolling up the log, it seems every parsing error is caused because of this error.

[dgunter]

@joaociocca: I'm going to try to run this down this week. If you do have any more context you can share or are hitting any other issues, let me know.

[dgunter]

Checking to see if I can recreate the issue with any of the system logs from: https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES

[joaociocca]

I remember the EVTX weren't enhanced by Sysmon, and they came from Application.evtx, Security.evtx and System.evtx. Sadly, since my investigation ended, I no longer have access to those files.

Also, dunno if you or anyone else would find it useful, but I made a little bulk loader! My first attempt at a Python script: https://github.com/joaociocca/evtxtoelk/blob/master/bulkevtx.py