ParseEvtx 2.0.0

Bundle
org.apache.nifi | nifi-evtx-nar
Description
Parses the contents of a Windows Event Log file (evtx) and writes the resulting XML to the FlowFile
Tags
event, evtx, file, logs, message, windows
Input Requirement
REQUIRED
Supports Sensitive Dynamic Properties
false
    Additional Details for ParseEvtx 2.0.0

    ParseEvtx

    Description:

    This processor parses Windows event logs in the binary evtx format. The content of each input FlowFile should be an evtx file. The processor has four output relationships:

    • original: the unmodified input FlowFile
    • success: the XML resulting from parsing at the configured granularity
    • failure: the partial XML produced before parsing failed
    • bad chunk: any malformed chunk, in its original binary form

    Output XML Example:

    <?xml version="1.0"?>
    <Events>
        <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
            <System>
                <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}"
                          EventSourceName="Service Control Manager"/>
                <EventID Qualifiers="16384">7036</EventID>
                <Version>0</Version>
                <Level>4</Level>
                <Task>0</Task>
                <Opcode>0</Opcode>
                <Keywords>0x8080000000000000</Keywords>
                <TimeCreated SystemTime="2016-01-08 16:49:47.518"/>
                <EventRecordID>780</EventRecordID>
                <Correlation ActivityID="" RelatedActivityID=""/>
                <Execution ProcessID="480" ThreadID="596"/>
                <Channel>System</Channel>
                <Computer>win7-pro-vm</Computer>
                <Security UserID=""/>
            </System>
            <EventData>
                <Data Name="param1">Workstation</Data>
                <Data Name="param2">running</Data>
                <Binary>TABhAG4AbQBhAG4AVwBvAHIAawBzAHQAYQB0AGkAbwBuAC8ANAAAAA==</Binary>
            </EventData>
        </Event>
        <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
            <System>
                <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}"
                          EventSourceName="Service Control Manager"/>
                <EventID Qualifiers="16384">7036</EventID>
                <Version>0</Version>
                <Level>4</Level>
                <Task>0</Task>
                <Opcode>0</Opcode>
                <Keywords>0x8080000000000000</Keywords>
                <TimeCreated SystemTime="2016-01-08 16:49:47.535"/>
                <EventRecordID>781</EventRecordID>
                <Correlation ActivityID="" RelatedActivityID=""/>
                <Execution ProcessID="480" ThreadID="576"/>
                <Channel>System</Channel>
                <Computer>win7-pro-vm</Computer>
                <Security UserID=""/>
            </System>
            <EventData>
                <Data Name="param1">Cryptographic Services</Data>
                <Data Name="param2">running</Data>
                <Binary>QwByAHkAcAB0AFMAdgBjAC8ANAAAAA==</Binary>
            </EventData>
        </Event>
    </Events>
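    The following is an added example for consuming the processor's output; it is not part of the NiFi documentation or of the ParseEvtx source. It reads the success-relationship XML shown above with Python's standard-library ElementTree, handling the namespace that is declared on each <Event> rather than on the <Events> root, flattening the System block into a dict, and decoding the base64 <Binary> field. SAMPLE_XML is the page's own two-record example with compacted whitespace; the observation that the Binary payload here is a NUL-terminated UTF-16LE service name (LanmanWorkstation/4 and CryptSvc/4) comes from decoding that sample and is not a general rule for other providers, so the decoder falls back to hex. The names parse_events, decode_binary and service_state_changes belong to this example only.

```python
import base64
import xml.etree.ElementTree as ET

# ParseEvtx declares the Windows event namespace on every <Event>, not on the
# <Events> root, so child lookups must be namespace-qualified while the root
# tag is a plain "Events".
EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: the two-record example from this page, whitespace compacted.
SAMPLE_XML = """<?xml version="1.0"?>
<Events>
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager"/>
      <EventID Qualifiers="16384">7036</EventID>
      <Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode>
      <Keywords>0x8080000000000000</Keywords>
      <TimeCreated SystemTime="2016-01-08 16:49:47.518"/>
      <EventRecordID>780</EventRecordID>
      <Correlation ActivityID="" RelatedActivityID=""/>
      <Execution ProcessID="480" ThreadID="596"/>
      <Channel>System</Channel>
      <Computer>win7-pro-vm</Computer>
      <Security UserID=""/>
    </System>
    <EventData>
      <Data Name="param1">Workstation</Data>
      <Data Name="param2">running</Data>
      <Binary>TABhAG4AbQBhAG4AVwBvAHIAawBzAHQAYQB0AGkAbwBuAC8ANAAAAA==</Binary>
    </EventData>
  </Event>
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager"/>
      <EventID Qualifiers="16384">7036</EventID>
      <Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode>
      <Keywords>0x8080000000000000</Keywords>
      <TimeCreated SystemTime="2016-01-08 16:49:47.535"/>
      <EventRecordID>781</EventRecordID>
      <Correlation ActivityID="" RelatedActivityID=""/>
      <Execution ProcessID="480" ThreadID="576"/>
      <Channel>System</Channel>
      <Computer>win7-pro-vm</Computer>
      <Security UserID=""/>
    </System>
    <EventData>
      <Data Name="param1">Cryptographic Services</Data>
      <Data Name="param2">running</Data>
      <Binary>QwByAHkAcAB0AFMAdgBjAC8ANAAAAA==</Binary>
    </EventData>
  </Event>
</Events>
"""


def decode_binary(b64):
    """Decode a <Binary> payload. ParseEvtx base64-encodes the raw bytes; in the
    sample (Service Control Manager 7036) they are a NUL-terminated UTF-16LE
    service name. That is an observation from this sample, not a rule for all
    providers, so anything that is not valid UTF-16LE is returned as hex."""
    raw = base64.b64decode(b64)
    try:
        return raw.decode("utf-16-le").rstrip("\x00")
    except UnicodeDecodeError:
        return raw.hex()


def parse_events(xml_text):
    """Return one flat dict per <Event> in a success-relationship FlowFile."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", EVT_NS):
        system = ev.find("e:System", EVT_NS)

        def child_text(tag):
            node = system.find(f"e:{tag}", EVT_NS)
            return node.text if node is not None else None

        provider = system.find("e:Provider", EVT_NS)
        binary = ev.find("e:EventData/e:Binary", EVT_NS)
        events.append({
            "event_id": int(child_text("EventID")),
            "provider": provider.get("Name") if provider is not None else None,
            "channel": child_text("Channel"),
            "computer": child_text("Computer"),
            "record_id": int(child_text("EventRecordID")),
            "time_created": system.find("e:TimeCreated", EVT_NS).get("SystemTime"),
            # EventData/Data elements keyed by their Name attribute.
            "data": {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", EVT_NS)},
            "binary": decode_binary(binary.text) if binary is not None and binary.text else None,
        })
    return events


def service_state_changes(events):
    """Reduce SCM 7036 records to (display name, new state, internal service name)."""
    return [
        (e["data"].get("param1"), e["data"].get("param2"), e["binary"])
        for e in events
        if e["provider"] == "Service Control Manager" and e["event_id"] == 7036
    ]


if __name__ == "__main__":
    for change in service_state_changes(parse_events(SAMPLE_XML)):
        print(change)
```

    Running the script prints one tuple per record, e.g. ('Workstation', 'running', 'LanmanWorkstation/4'). The same parse_events function applies unchanged to output produced at any granularity, since every FlowFile on the success relationship carries the same <Events> wrapper; only the number of <Event> children differs.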
    
Properties
Relationships
Name       Description
success    Any FlowFile that was successfully converted from evtx to XML
failure    Any FlowFile that raised an exception during conversion; it is transferred to this relationship with the XML parsed up to the point of failure as its content
original   The unmodified input FlowFile
bad chunk  Any malformed chunk of records, transferred in its original binary form
Reads Attributes
Name       Description
filename   The filename of the evtx file
Writes Attributes
Name       Description
filename   The output filename
mime.type  The output file type: application/xml for the success and failure relationships; the original value for the bad chunk and original relationships