EVTX
- 12 Jun 2025
- 2 Minutes to read
- Print
- DarkLight
EVTX
- Updated on 12 Jun 2025
- 2 Minutes to read
- Print
- DarkLight
Article summary
Did you find this summary helpful?
Thank you for your feedback!
Overview
This Adapter allows you to ingest and convert a .evtx
file into LimaCharlie. The .evtx
files are the binary format used by Microsoft for Windows Event Logs. This is useful to ingest historical Windows Event Logs, for example during an Incident Response (IR) engagement.
For real-time collection of Windows Event Logs, see the Windows Event Logs documentation.
Configurations
Adapter Type: evtx
client_options
: common configuration for adapter as defined here.file_path
: path to the.evtx
file to ingest.
Infrastructure as Code Deployment
# EVTX Specific Docs: https://docs.limacharlie.io/docs/adapter-types-evtx
sensor_type: "file"
evtx:
write_timeout_sec: 10 # (optional) Timeout in seconds for writing data. e.g., 10 or null.
file_path: "/mnt/forensic_exports/evtx_logs/System.evtx" # (required) Path to the EVTX file or a directory containing EVTX files.
client_options:
identity:
oid: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" # (required) Organization ID from LimaCharlie.
installation_key: "YOUR_LC_INSTALLATION_KEY_EVTX" # (required) Installation key associated with the OID.
# Hostname representing the source of the EVTX files or the analysis machine.
hostname: "forensic-analysis-vm.internal" # (required)
# Platform can be used to signify the origin of the EVTX data.
platform: "windows_evtx_import" # (required) A platform name indicating EVTX data source.
architecture: null # (optional) Not directly relevant for file import unless specifying original system arch.
mapping:
# EVTX files are binary structured; the adapter parses them into JSON. parsing_re is null.
parsing_re: null
# (optional) LimaCharlie typically creates a unique ID like 'winlog.event_id_record_id_pair'.
sensor_key_path: "winlog.event_id_record_id_pair"
# (optional) Can extract original computer name from EVTX record if desired, otherwise uses client_options.hostname.
sensor_hostname_path: "winlog.computer_name"
# (optional) Example: "EVTX_SECURITY_4624", "EVTX_SYSTEM_7045".
event_type_path: "EVTX_{{ .winlog.channel | token | upper }}_{{ .winlog.event_id }}"
# (optional) LimaCharlie standard field for EVTX event timestamp.
event_time_path: "winlog.timestamp"
# (optional) JSON path for a field to populate LimaCharlie's investigation_id.
investigation_id_path: "winlog.event_data.RelatedActivityID" # Example for some event types.
# (optional) Use +/- syntax for transforms.
transform:
"+data_source_description": "Imported_Windows_EVTX_File"
"+evtx_original_computer_name": "{{ .winlog.computer_name }}"
"+evtx_provider_name": "{{ .winlog.provider_name }}"
"-winlog.original_xml_payload": null # If the full XML is too verbose after JSON conversion.
# (optional) A list of field paths to drop.
drop_fields:
- "winlog.keywords_displaynames" # Can be verbose
- "winlog.user_data_raw"
# (optional) JSON path to a field containing a Windows SID to replicate to other SID fields in LimaCharlie.
sid_replication_path: "winlog.event_data.TargetUserSid" # Common for many security events.
# mappings: null
indexing:
enabled: true
# Example: index by original EVTX channel and org
default_index: "evtx-{{ .winlog.channel | lower | default \"data\" }}-{{ .identity.oid | substr 0 8 }}"
is_compressed: false # (optional) The adapter reads EVTX files directly; they are binary, not typically gzipped in a way this adapter would decompress.
sensor_seed_key: "SEED_KEY_EVTX_ADAPTER_001" # (required)
dest_url: "https://input.limacharlie.io" # (optional) The destination URL. Usually defaults correctly.
API Doc
See the unofficial documentation on EVTX.
Was this article helpful?