Description:

Parses the contents of a Windows Event Log file (evtx) and writes the resulting XML to the FlowFile

Tags:

logs, windows, event, evtx, message, file

Properties:

In the list below, the names of required properties appear in bold. Any other properties (not in bold) are considered optional. The table also indicates any default values.

Name Default Value Allowable Values Description
Granularity Chunk *Record *Chunk *File Output flow file for each Record, Chunk, or File encountered in the event log

Relationships:

Name Description
success Any FlowFile that was successfully converted from evtx to XML
failure Any FlowFile that encountered an exception during conversion will be transferred to this relationship with as much parsing as possible done
bad chunk Any bad chunks of records will be transferred to this relationship in their original binary form
original The unmodified input FlowFile will be transferred to this relationship

Reads Attributes:

Name Description
filename The filename of the evtx file

Writes Attributes:

Name Description
filename The output filename
mime.type The output file type (application/xml for success and failure relationships, original value for bad chunk and original relationships)

State management:

This component does not store state.

Restricted:

This component is not restricted.

Summary:

This processor is used to parse Windows event logs in the binary evtx format. The input flow files’ content should be evtx files. The processor has 4 outputs:

  • The original unmodified FlowFile

  • The XML resulting from parsing at the configured granularity

  • Failed parsing with partial output

  • Malformed chunk in binary form

Output XML Example:

7036 0 4 0 0 0x8080000000000000 780 System win7-pro-vm Workstation running TABhAG4AbQBhAG4AVwBvAHIAawBzAHQAYQB0AGkAbwBuAC8ANAAAAA== 7036 0 4 0 0 0x8080000000000000 781 System win7-pro-vm Cryptographic Services running QwByAHkAcAB0AFMAdgBjAC8ANAAAAA==