Description:
Parses the contents of a Windows Event Log file (evtx) and writes the resulting XML to the FlowFile
Tags:
logs, windows, event, evtx, message, file
Properties:
In the list below, the names of required properties appear in bold. Any other properties (not in bold) are considered optional. The table also indicates any default values.
| Name | Default Value | Allowable Values | Description |
| --- | --- | --- | --- |
| Granularity | Chunk | Record, Chunk, File | Output a flow file for each Record, Chunk, or File encountered in the event log |
Relationships:
| Name | Description |
| --- | --- |
| success | Any FlowFile that was successfully converted from evtx to XML |
| failure | Any FlowFile that encountered an exception during conversion will be transferred to this relationship with as much parsing as possible done |
| bad chunk | Any bad chunks of records will be transferred to this relationship in their original binary form |
| original | The unmodified input FlowFile will be transferred to this relationship |
Reads Attributes:
| Name | Description |
| --- | --- |
| filename | The filename of the evtx file |
Writes Attributes:
| Name | Description |
| --- | --- |
| filename | The output filename |
| mime.type | The output file type (application/xml for the success and failure relationships; the original value for the bad chunk and original relationships) |
State management:
This component does not store state.
Restricted:
This component is not restricted.
Summary:
This processor parses Windows event logs in the binary evtx format. The content of each input FlowFile should be an evtx file. The processor has 4 outputs:
- The original unmodified FlowFile
- The XML resulting from parsing at the configured granularity
- Failed parsing with partial output
- Malformed chunk in binary form
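The routing behaviour summarised above, as an added example that is not the processor's own code: a Python sketch that splits a constructed evtx-like buffer into chunks, passes the input through on `original`, sends malformed chunks to `bad chunk` in raw binary form, and emits `success` items at Record, Chunk or File granularity. The file header size, chunk size, CRC coverage, record header layout and magic values are assumptions taken from the evtx format rather than from this page, and binxml decoding to XML is left out.

```python
import struct, zlib
from datetime import datetime, timedelta, timezone
# Assumed evtx layout (not stated on the page): 4096-byte file header, then 64 KiB chunks whose header
# CRC32 sits at offset 124 (over bytes [0:120]+[128:512]); records start at chunk offset 512 with magic
# b"**\x00\x00" followed by size, record id and a FILETIME timestamp, and end with a copy of the size.
FILE_MAGIC, CHUNK_MAGIC, RECORD_MAGIC = b"ElfFile\x00", b"ElfChnk\x00", b"**\x00\x00"
HEADER_SIZE, CHUNK_SIZE = 4096, 65536

def chunk_is_sane(chunk):
    """Length, magic and header-CRC check; a chunk failing any of these is a 'bad chunk'."""
    if len(chunk) != CHUNK_SIZE or not chunk.startswith(CHUNK_MAGIC): return False
    return struct.unpack_from("<I", chunk, 124)[0] == zlib.crc32(chunk[:120] + chunk[128:512])

def iter_records(chunk):
    """Walk the record headers of a sane chunk, yielding (record id, UTC time, raw record bytes)."""
    off = 512
    while chunk[off:off + 4] == RECORD_MAGIC:
        size, rec_id, filetime = struct.unpack_from("<IQQ", chunk, off + 4)
        ts = datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)
        yield rec_id, ts, chunk[off:off + size]
        off += size

def route(evtx, granularity="Chunk"):
    """Return [(relationship, payload)] mirroring the four ParseEvtx outputs."""
    out = [("original", evtx)]  # the unmodified input always passes through
    if not evtx.startswith(FILE_MAGIC):
        return out + [("failure", [])]  # nothing parseable at all
    good = []
    for off in range(HEADER_SIZE, len(evtx), CHUNK_SIZE):
        chunk = evtx[off:off + CHUNK_SIZE]
        good.append(chunk) if chunk_is_sane(chunk) else out.append(("bad chunk", chunk))
    if granularity == "File":      # one flow file for everything that parsed
        out.append(("success", [r for c in good for r in iter_records(c)]))
    elif granularity == "Chunk":   # one flow file per sane chunk
        out += [("success", list(iter_records(c))) for c in good]
    else:                          # "Record": one flow file per record
        out += [("success", [r]) for c in good for r in iter_records(c)]
    return out

# Constructed sample (not a real log): a sane chunk with two records, then a chunk with a corrupted magic.
def make_record(rec_id, filetime, body):
    size = 28 + len(body)  # 24-byte header + body + trailing copy of the size
    return RECORD_MAGIC + struct.pack("<IQQ", size, rec_id, filetime) + body + struct.pack("<I", size)
def make_chunk(records):
    hdr = bytearray(512); hdr[:8] = CHUNK_MAGIC
    struct.pack_into("<I", hdr, 124, zlib.crc32(hdr[:120] + hdr[128:512]))
    return (bytes(hdr) + b"".join(records)).ljust(CHUNK_SIZE, b"\x00")
EPOCH_1970 = 116444736000000000  # FILETIME value for 1970-01-01T00:00:00Z
SAMPLE = (FILE_MAGIC.ljust(HEADER_SIZE, b"\x00")
          + make_chunk([make_record(1, EPOCH_1970, b"<x1/>"), make_record(2, EPOCH_1970, b"<x2/>")])
          + make_chunk([]).replace(CHUNK_MAGIC, b"BROKEN!\x00", 1))
```

Running `route(SAMPLE, "Record")` yields one `success` item per record while the corrupted chunk still arrives on `bad chunk` untouched, which is the split a downstream flow has to handle.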
Output XML Example: