Tool to convert Audit Logs from XML to EVTX Format

by snagesh Former NetApp Employee on ‎2013-10-22 11:28 PM

Overview

Clustered Data ONTAP supports file auditing through its native auditing framework, which covers file access over both CIFS/SMB and NFS; more information is available in the blog. The framework generates audit events modelled on Windows event logging, but writes them as plain-text XML. On Windows, EVTX has been the default event log format since Vista and Windows Server 2008, and Microsoft Windows Event Viewer can open and analyze saved logs only in that format, so it cannot read the ONTAP XML directly. To close this gap, NetApp provides an off-box, Windows-compatible tool that converts the plain-text XML log file into an EVTX file.

The tool can be downloaded from the NetApp Support site; a support user ID and credentials are required, and there is no charge. The conversion is done on a best-effort basis, and NetApp does not assure the accuracy or completeness of the solution. Support for the tool is provided only through the CIFS/SMB community; start a discussion there for clarification or help.

Installation Requirements

Make sure the following requirements are met before installing the tool.

Supported platforms

Operating System:            Windows Vista and above
Windows Server:              Windows Server 2008 and above

Prerequisite for installation

Microsoft .NET Framework:    version 3.5 and above

After downloading the setup file and meeting the installation requirements, start the installation by double-clicking the installer. By default the tool, NetApp EVTX Converter, is installed under the NetApp\EVTX Converter folder; the location can be changed during setup.

The installation installs both the GUI and the command-line tool.


Executing the Tool

An input file in plain-text XML format can be converted to a binary EVTX file using either the GUI or the command-line interface.

Converting using GUI interface

The GUI is simple to use. It takes a single file in Input File and writes the converted EVTX file to the location given in Output File.

The button beside each field opens a file browser for choosing the input or output location, which can be local or remote. Conversion starts when Convert is clicked, and a progress bar shows that the conversion is in progress. Conversion time depends on the size of the log file and on where it is located.

Converting using CLI interface

This is useful if you want to script the conversion. The executable is evtx_win. It has a help option (-h) that explains the command syntax.

After the conversion it reports the number of events converted and the conversion status: success or failure.

Viewing the EVTX file

EVTX files can be viewed with Microsoft Windows Event Viewer; the format is supported on Windows Vista/Windows Server 2008 and above. To view a converted log, open it as a saved log file in Event Viewer (Action > Open Saved Log).


Currently, display of the event information in the General tab is only partially supported: the General tab builds its description from the event provider's registered message resources, which Windows does not have for ONTAP events. The Details tab, which shows the event's raw XML, is unaffected. We are working on additional libraries (DLLs) that will overcome this limitation.
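The same data can be read without Event Viewer. The following PowerShell is an added example, not part of the original post or of the NetApp tool: it reads a converted EVTX file with Get-WinEvent and pulls the audit fields out of each record's XML, which is useful because the rendered Message may be empty when the provider's message resources are missing. The file path is an assumption; the XML namespace is the one every EVTX record reports through EventRecord.ToXml().

```powershell
# Added example (not NetApp's own code): read a converted EVTX file with
# Get-WinEvent instead of Event Viewer. The path below is an assumption.
$evtxPath = 'C:\audit\audit.evtx'

# -Path reads a saved .evtx file rather than a live channel; -Oldest returns
# records in chronological order.
$events = Get-WinEvent -Path $evtxPath -Oldest

# EventRecord.ToXml() always uses the Windows event schema namespace.
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'

foreach ($e in $events) {
    # The General tab and the .Message property are rendered from the event
    # provider's registered message resources, which this machine does not have
    # for ONTAP events, so Message may be empty. The raw fields are still in
    # the record's XML, which is what the Details tab shows.
    $x   = [xml]$e.ToXml()
    $mgr = New-Object Xml.XmlNamespaceManager $x.NameTable
    $mgr.AddNamespace('e', $ns)

    $fields = @()
    foreach ($d in $x.SelectNodes('/e:Event/e:EventData/e:Data', $mgr)) {
        $fields += '{0}={1}' -f $d.GetAttribute('Name'), $d.InnerText
    }
    if ($fields.Count -eq 0) {
        # Providers that use <UserData> instead of <EventData>: keep the inner XML.
        $ud = $x.SelectSingleNode('/e:Event/e:UserData', $mgr)
        if ($ud) { $fields += $ud.InnerXml }
    }

    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        EventId     = $e.Id
        Message     = $e.Message        # may be $null when provider metadata is missing
        Fields      = $fields -join '; '
    }
}
```

Pipe the output to Export-Csv or Where-Object to filter on EventId or a specific field before the events are loaded into a SIEM.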

Solution considerations

  • The tool has been tested with large XML log files (~200 MB) and worked without problems.
  • The output directory must be writable.
  • The output directory needs free space of at least twice the size of the input file, because the application creates a temporary XML file in the output directory and deletes it after the conversion.
  • When multiple instances of the tool run at the same time, each instance must use a different destination directory.
  • Do not start a conversion with an Output File that is currently open in Event Viewer.
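The command-line tool and the considerations above fit together in a wrapper script. The following PowerShell is an added example, not part of the original post or of the NetApp tool: it converts every XML file in a directory with evtx_win while enforcing a separate output directory per instance, write permission, the 2x free-space rule and the "not open in Event Viewer" rule. The evtx_win argument order, its exit code and the installation path under Program Files are assumptions that the page does not document; check them with evtx_win -h before use.

```powershell
# Added example (not NetApp's own code): batch-convert ONTAP audit XML logs with
# evtx_win from a script, enforcing the constraints listed above.
# ASSUMPTIONS (not documented on this page, confirm with `evtx_win -h`):
#   - evtx_win takes the input XML path and the output EVTX path as positional
#     arguments, returns exit code 0 on success, and prints the event count.
#   - The tool is installed under C:\Program Files\NetApp\EVTX Converter.
param(
    [Parameter(Mandatory = $true)][string]$InputDir,
    [Parameter(Mandatory = $true)][string]$OutputDir,
    [string]$EvtxWin = 'C:\Program Files\NetApp\EVTX Converter\evtx_win.exe'
)

# Separate output directory per instance: the converter writes a temporary XML
# file into the output directory, so concurrent instances must not share one.
$instanceDir = Join-Path $OutputDir ("run-{0}-{1}" -f $PID, (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $instanceDir -Force | Out-Null

function Test-OutputReady {
    param([string]$Dir, [long]$InputBytes)
    # Write permission: create and remove a probe file.
    $probe = Join-Path $Dir ([IO.Path]::GetRandomFileName())
    try { [IO.File]::WriteAllText($probe, ''); Remove-Item -LiteralPath $probe } catch { return $false }
    # Free space: the temporary XML copy means roughly 2x the input size is needed.
    $root = [IO.Path]::GetPathRoot((Resolve-Path -LiteralPath $Dir).ProviderPath)
    if ($root.StartsWith('\\')) { Write-Warning "Cannot check free space on UNC path $Dir"; return $true }
    $drive = New-Object IO.DriveInfo $root
    return ($drive.AvailableFreeSpace -ge (2 * $InputBytes))
}

function Test-NotLocked {
    param([string]$Path)
    # A file that Event Viewer (or anything else) has open cannot be opened with
    # FileShare.None; refuse to overwrite it rather than corrupt it.
    if (-not (Test-Path -LiteralPath $Path)) { return $true }
    try {
        $fs = [IO.File]::Open($Path, [IO.FileMode]::Open, [IO.FileAccess]::ReadWrite, [IO.FileShare]::None)
        $fs.Close()
        return $true
    } catch { return $false }
}

foreach ($xml in Get-ChildItem -LiteralPath $InputDir -Filter *.xml -File) {
    $evtx = Join-Path $instanceDir ($xml.BaseName + '.evtx')
    if (-not (Test-OutputReady -Dir $instanceDir -InputBytes $xml.Length)) {
        Write-Warning "Skipping $($xml.Name): output directory not writable or less than 2x free space"
        continue
    }
    if (-not (Test-NotLocked -Path $evtx)) {
        Write-Warning "Skipping $($xml.Name): $evtx is open elsewhere (close it in Event Viewer first)"
        continue
    }
    $result = & $EvtxWin $xml.FullName $evtx 2>&1   # hypothetical argument order
    if ($LASTEXITCODE -eq 0) {
        "OK   {0} -> {1}: {2}" -f $xml.Name, $evtx, ($result -join ' ')
    } else {
        Write-Warning ("FAIL {0} (exit {1}): {2}" -f $xml.Name, $LASTEXITCODE, ($result -join ' '))
    }
}
```

Run it as .\Convert-AuditLogs.ps1 -InputDir \\filer\audit -OutputDir D:\evtx; each run gets its own run-<pid>-<timestamp> folder, so two scheduled jobs never write the temporary XML into the same directory.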
