{"id":22021924,"url":"https://github.com/knightchaser/sentinela","last_synced_at":"2026-05-09T02:09:24.786Z","repository":{"id":218862771,"uuid":"747469895","full_name":"KnightChaser/sentinela","owner":"KnightChaser","description":"A simplified EVTX file parser wrapping 0xrawsec's golang-evtx module","archived":false,"fork":false,"pushed_at":"2024-02-27T03:03:28.000Z","size":25,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-03-23T10:26:53.285Z","etag":null,"topics":["evtx","go","opensource","parsing","sysmon"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/KnightChaser.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-01-24T01:39:34.000Z","updated_at":"2024-01-26T08:05:07.000Z","dependencies_parsed_at":"2024-01-24T08:27:24.010Z","dependency_job_id":"e19c23b4-aa3f-484a-8feb-dc4c4fef8765","html_url":"https://github.com/KnightChaser/sentinela","commit_stats":null,"previous_names":["knightchaser/sentinela"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/KnightChaser/sentinela","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/KnightChaser%2Fsentinela","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/KnightChaser%2Fsentinela/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/KnightChaser%2Fsentinela/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/KnightChaser%2
Fsentinela/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/KnightChaser","download_url":"https://codeload.github.com/KnightChaser/sentinela/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/KnightChaser%2Fsentinela/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":270781393,"owners_count":24643820,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-16T02:00:11.002Z","response_time":91,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["evtx","go","opensource","parsing","sysmon"],"created_at":"2024-11-30T06:16:18.974Z","updated_at":"2025-10-07T16:54:01.786Z","avatar_url":"https://github.com/KnightChaser.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# sentinela\n### A simplified EVTX file parser wrapping `0xrawsec`'s `golang-evtx` module\n\u003e Parse an **EVTX** file to **JSON**\n\n## Install\n```powershell\ngo get -u github.com/KnightChaser/sentinela\n```\n\n## Example Usage\n- Import `sentinela`\n- Prepare the **filepath** of the target EVTX file (`*.evtx`). For Sysmon (System Monitor) running on Windows, the file is usually `C:/Windows/System32/winevt/Logs/Microsoft-Windows-Sysmon%4Operational.evtx`.\n- Call `sentinela.ParseEVTX()` to parse the given EVTX file.
It returns the events as a list of JSON strings in the `Event` field of the struct `sentinela.SysmonEventStats`. Because the parsed data is JSON, it integrates easily with a Go JSON library such as `gjson`.\n```go\n// SysmonEventStats represents the statistics for a particular event.\ntype SysmonEventStats struct {\n\tEvent []string // Parsed representation of the events\n}\n```\n\n- **Example code**\n```go\npackage main\n\nimport (\n\t\"fmt\"\n\t\"log\"\n\n\t\"github.com/KnightChaser/sentinela\"\n\t\"github.com/tidwall/gjson\"\n)\n\nfunc main() {\n\t// Sysmon (System Monitor) log file on Windows\n\tdefaultWindowsLogDirectory := \"C:/Windows/System32/winevt/Logs/\"\n\tevtxFileName := \"Microsoft-Windows-Sysmon%4Operational.evtx\"\n\tsysmonEvtxFile := fmt.Sprintf(\"%s%s\", defaultWindowsLogDirectory, evtxFileName)\n\n\tstats, err := sentinela.ParseEVTX(sysmonEvtxFile)\n\tif err != nil {\n\t\tlog.Fatal(err)\n\t}\n\n\t// Print the System section of every parsed event\n\tfor _, stat := range stats.Event {\n\t\tfmt.Println(gjson.Get(stat, \"Event.System\"))\n\t\tfmt.Println(\"=========================================================================\")\n\t}\n}\n```\n- **The output of the example code**\n```\nPS C:\\Users\\3NR1QUE\\Downloads\\test\u003e go run main.go\n{\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"Klojure\",\"Correlation\":{},\"EventID\":\"10\",\"EventRecordID\":\"408269\",\"Execution\":{\"ProcessID\":\"7332\",\"ThreadID\":\"9404\"},\"Keywords\":\"0x8000000000000000\",\"Level\":\"4\",\"Opcode\":\"0\",\"Provider\":{\"Guid\":\"5770385F-C22A-43E0-BF4C-06F5698FFBD9\",\"Name\":\"Microsoft-Windows-Sysmon\"},\"Security\":{\"UserID\":\"S-1-5-18\"},\"Task\":\"10\",\"TimeCreated\":{\"SystemTime\":\"2024-01-25T03:36:31.8616887Z\"},\"Version\":\"3\"}\n=========================================================================\n(The rest of Sysmon event will be printed as Jsonified struct...)\n```\n\n## Note for Sysmon EVTX parsing\nBecause `sentinela` is a
thin wrapper around `0xrawsec`'s `golang-evtx`, a parsed EVTX event keeps the structure that `golang-evtx` produces, shown below. A single Sysmon event in an EVTX log file is an `Event` object with two members: `EventData` (whose structure depends on the `EventID`) and `System` (the system data common to every event). See `sysmonEventReference.go` for the EVTX structure of every possible Sysmon event.\n\u003e A parsed **Sysmon EVTX file (`Microsoft-Windows-Sysmon%4Operational.evtx`)** looks like the following. The example below is an event whose `EventID` is `13`, meaning \"RegistryEvent, Value set\".\n```json\n{\n  \"Event\": {\n    \"EventData\": {\n      \"Details\": \"Binary Data\",\n      \"EventType\": \"SetValue\",\n      \"Image\": \"C:\\\\Users\\\\3NR1QUE\\\\AppData\\\\Local\\\\GitHubDesktop\\\\app-3.3.8\\\\resources\\\\app\\\\git\\\\cmd\\\\git.exe\",\n      \"ProcessGuid\": \"0B7407AF-DD5F-65B1-F51C-000000009101\",\n      \"ProcessId\": \"41580\",\n      \"RuleName\": \"-\",\n      \"TargetObject\": \"HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\bam\\\\State\\\\UserSettings\\\\S-1-5-21-1836537592-2113019385-3592195212-1001\\\\\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\System32\\\\conhost.exe\",\n      \"User\": \"KLOJURE\\\\LUEX\",\n      \"UtcTime\": \"2024-01-25 04:02:39.777\"\n    },\n    \"System\": {\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"Klojure\",\n      \"Correlation\": {},\n      \"EventID\": \"13\",\n      \"EventRecordID\": \"421022\",\n      \"Execution\": {\n        \"ProcessID\": \"7332\",\n        \"ThreadID\": \"9404\"\n      },\n      \"Keywords\": \"0x8000000000000000\",\n      \"Level\": \"4\",\n      \"Opcode\": \"0\",\n      \"Provider\": {\n        \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\",\n        \"Name\": \"Microsoft-Windows-Sysmon\"\n      },\n      \"Security\": {\n        \"UserID\": \"S-1-5-18\"\n      },\n      \"Task\": \"13\",\n      \"TimeCreated\": {\n        \"SystemTime\": \"2024-01-25T04:02:39.7802812Z\"\n      },\n      \"Version\": \"2\"\n    }\n  }\n}\n```\n\n
Or you can export an EVTX file directly to a JSON file.\n```go\npackage main\n\nimport (\n\t\"github.com/KnightChaser/sentinela\"\n)\n\nfunc main() {\n\tsentinela.ParseEVTXtoJSON(\"C:\\\\Users\\\\3NR1QUE\\\\Downloads\\\\example_000.evtx\",\n\t\t\"C:\\\\Users\\\\3NR1QUE\\\\Downloads\\\\example_000_sentinela_converted.json\")\n}\n```\n\n## (TIP) Install Sysmon\n- Go to the official Sysinternals webpage and download Sysmon\u003cbr\u003e\nhttps://learn.microsoft.com/en-us/sysinternals/downloads/sysmon\n- Prepare your own `config.xml` for Sysmon, or use the recommended Sysmon modular configuration file\n```powershell\nInvoke-WebRequest -Uri https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml -OutFile C:\\Windows\\config.xml\n```\n- Start Sysmon with the prepared configuration file.\n```powershell\n./Sysmon64.exe -accepteula -i C:\\Windows\\config.xml   # 64-bit\n./Sysmon.exe -accepteula -i C:\\Windows\\config.xml     # 32-bit\n```","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fknightchaser%2Fsentinela","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fknightchaser%2Fsentinela","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fknightchaser%2Fsentinela/lists"}