{"id":13845649,"url":"https://github.com/sumeshi/evtx2es","last_synced_at":"2025-12-25T16:58:16.600Z","repository":{"id":37776987,"uuid":"213001702","full_name":"sumeshi/evtx2es","owner":"sumeshi","description":"A library for fast parse \u0026 import of Windows Eventlogs into Elasticsearch.","archived":false,"fork":false,"pushed_at":"2024-06-28T18:11:37.000Z","size":183,"stargazers_count":80,"open_issues_count":2,"forks_count":19,"subscribers_count":7,"default_branch":"master","last_synced_at":"2024-11-09T09:11:46.128Z","etag":null,"topics":["elasticsearch","eventlog","evtx","parser","python","windows"],"latest_commit_sha":null,"homepage":"https://pypi.org/project/evtx2es/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sumeshi.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-10-05T13:11:30.000Z","updated_at":"2024-11-06T17:41:46.000Z","dependencies_parsed_at":"2024-05-28T22:54:33.124Z","dependency_job_id":"b1f788f0-7b93-49b6-90c0-e96c3a73a183","html_url":"https://github.com/sumeshi/evtx2es","commit_stats":{"total_commits":105,"total_committers":7,"mean_commits":15.0,"dds":0.2761904761904762,"last_synced_commit":"5654cce29f60a0adf1e8a2ee1a53085dccf3aa4b"},"previous_names":[],"tags_count":23,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sumeshi%2Fevtx2es","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sumeshi%2Fevtx2es/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sumeshi%2Fevt
x2es/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sumeshi%2Fevtx2es/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sumeshi","download_url":"https://codeload.github.com/sumeshi/evtx2es/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225791371,"owners_count":17524772,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["elasticsearch","eventlog","evtx","parser","python","windows"],"created_at":"2024-08-04T17:03:31.688Z","updated_at":"2025-12-25T16:58:16.536Z","avatar_url":"https://github.com/sumeshi.png","language":"Python","funding_links":[],"categories":["Python"],"sub_categories":[],"readme":"# evtx2es\n\n[![MIT License](http://img.shields.io/badge/license-MIT-blue.svg?style=flat)](LICENSE)\n[![PyPI version](https://badge.fury.io/py/evtx2es.svg)](https://badge.fury.io/py/evtx2es)\n[![Python Versions](https://img.shields.io/pypi/pyversions/evtx2es.svg)](https://pypi.org/project/evtx2es/)\n[![pytest](https://github.com/sumeshi/evtx2es/actions/workflows/test.yaml/badge.svg)](https://github.com/sumeshi/evtx2es/actions/workflows/test.yaml)\n\n![evtx2es logo](https://gist.githubusercontent.com/sumeshi/c2f430d352ae763273faadf9616a29e5/raw/1bf24feb55571bf7f0c7d8d4cb04bd0a511120f2/evtx2es.svg)\n\nA library for fast parse \u0026 import of Windows Eventlogs into Elasticsearch.\n\nLife is too short to process **huge Windows Eventlogs** with **pure Python**.  
\n**evtx2es** uses the Rust library [pyevtx-rs](https://github.com/omerbenamram/pyevtx-rs), making it much faster than traditional tools.\n\n## Usage\n\n**evtx2es** can be executed from the command line or incorporated into a Python script.\n\n```bash\n$ evtx2es /path/to/your/file.evtx\n```\n\n```python\nfrom evtx2es import evtx2es\n\nif __name__ == '__main__':\n  filepath = '/path/to/your/file.evtx'\n  evtx2es(filepath)\n```\n\n### Arguments\n\nevtx2es supports simultaneous import of multiple files.\n\n```bash\n$ evtx2es file1.evtx file2.evtx file3.evtx\n```\n\nIt also allows recursive import from the specified directory.\n\n```bash\n$ tree .\nevtxfiles/\n  ├── file1.evtx\n  ├── file2.evtx\n  ├── file3.evtx\n  └── subdirectory/\n    ├── file4.evtx\n    └── subsubdirectory/\n      ├── file5.evtx\n      └── file6.evtx\n\n$ evtx2es /evtxfiles/ # The path is recursively expanded to file1~6.evtx.\n```\n\n### Options\n\n```\n--version, -v\n\n--help, -h\n\n--quiet, -q\n  Suppress standard output\n  (default: False)\n\n--multiprocess, -m:\n  Enable multiprocessing for faster execution\n  (default: False)\n\n--size:\n  Chunk size for processing (default: 500)\n\n--host:\n  Elasticsearch host address (default: localhost)\n\n--port:\n  Elasticsearch port number (default: 9200)\n\n--index:\n  Destination index name (default: evtx2es)\n\n--scheme:\n  Protocol scheme to use (http or https) (default: http)\n\n--pipeline:\n  Elasticsearch Ingest Pipeline to use (default: )\n\n--datasetdate:\n  Date of the latest record in the dataset, extracted from TimeCreated field (MM/DD/YYYY.HH:MM:SS) (default: 0)\n\n--login:\n  The login to use if Elastic Security is enabled (default: )\n\n--pwd:\n  The password associated with the provided login (default: )\n```\n\n### Examples\n\nWhen using from the command line:\n\n```\n$ evtx2es /path/to/your/file.evtx --host=localhost --port=9200 --index=foobar --size=500\n```\n\nWhen using from a Python script:\n\n```py\nif __name__ == '__main__':\n    
evtx2es('/path/to/your/file.evtx', host='localhost', port=9200, index='foobar', size=500)\n```\n\nWith credentials for Elastic Security:\n\n```\n$ evtx2es /path/to/your/file.evtx --host=localhost --port=9200 --index=foobar --login=elastic --pwd=******\n```\n\nNote: The current version does not verify the certificate.\n\n\n## Appendix\n\n### Evtx2json\n\nAn additional feature: :sushi: :sushi: :sushi:\n\nConvert Windows Event Logs to a JSON file.\n\n```bash\n$ evtx2json /path/to/your/file.evtx /path/to/output/target.json\n```\n\nConvert Windows Event Logs to a Python List[dict] object.\n\n```python\nfrom typing import List\n\nfrom evtx2es import evtx2json\n\nif __name__ == '__main__':\n  filepath = '/path/to/your/file.evtx'\n  result: List[dict] = evtx2json(filepath)\n```\n\n## Output Format Example\n\nUsing the sample evtx file of [JPCERT/CC:LogonTracer](https://github.com/JPCERTCC/LogonTracer) as an example.\n\n```\n[\n  {\n    \"@timestamp\": \"2016-10-06T01:47:07.509504Z\",\n    \"event\": {\n      \"action\": \"eventlog-security-1102\",\n      \"category\": [\n        \"host\"\n      ],\n      \"type\": [\n        \"info\"\n      ],\n      \"kind\": \"event\",\n      \"provider\": \"microsoft-windows-eventlog\",\n      \"module\": \"windows\",\n      \"dataset\": \"windows.eventlog\",\n      \"code\": 1102,\n      \"created\": \"2016-10-06T01:47:07.509504Z\"\n    },\n    \"winlog\": {\n      \"channel\": \"Security\",\n      \"computer_name\": \"WIN-WFBHIBE5GXZ.example.co.jp\",\n      \"event_id\": 1102,\n      \"opcode\": 0,\n      \"record_id\": 227126,\n      \"task\": 104,\n      \"version\": 0,\n      \"provider\": {\n        \"name\": \"Microsoft-Windows-Eventlog\",\n        \"guid\": \"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}\"\n      }\n    },\n    \"userdata\": {\n      \"LogFileCleared\": {\n        \"#attributes\": {\n          \"xmlns:auto-ns3\": \"http://schemas.microsoft.com/win/2004/08/events\",\n          \"xmlns\": 
\"http://manifests.microsoft.com/win/2004/08/windows/eventlog\"\n        },\n        \"SubjectUserSid\": \"S-1-5-21-1524084746-3249201829-3114449661-500\",\n        \"SubjectUserName\": \"Administrator\",\n        \"SubjectDomainName\": \"EXAMPLE\",\n        \"SubjectLogonId\": \"0x32cfb\"\n      }\n    },\n    \"process\": {\n      \"pid\": 960,\n      \"thread\": {\n        \"id\": 3020\n      }\n    },\n    \"log\": {\n      \"file\": {\n        \"path\": \"/path/to/your/Security.evtx\"\n      }\n    },\n    \"tags\": [\n      \"eventlog\"\n    ]\n  },\n  ...\n]\n```\n\n## Performance Evaluations (v1.8.0)\n\nevtx2es was evaluated using the sample evtx file of [JPCERT/CC:LogonTracer](https://github.com/JPCERTCC/LogonTracer) (about 30MB binary data).\n\n```.bash\n$ time uv run evtx2es Security.evtx \nCurrently Importing Security.evtx.\n1it [00:08,  8.09s/it]\nBulk import completed: 1 batches processed\nSuccessfully indexed: 62031 documents\nImport completed.\n\n________________________________________________________\nExecuted in    8.60 secs    fish           external\n   usr time    4.85 secs  481.00 micros    4.85 secs\n   sys time    0.40 secs    0.00 micros    0.40 secs\n```\n\n### Running Environment\n\n```\nOS: Ubuntu 20.04 (Dev Container on WSL2)\nCPU: Intel Core i5-12400F\nRAM: DDR4 32GB\n```\n\nPerformance evaluation was conducted using the provided dev container environment with Elasticsearch 9.0.2 running in Docker (Official Image).  \nhttps://hub.docker.com/_/elasticsearch\n\n## Installation\n\n### from PyPI\n\n```\n$ pip install evtx2es\n```\n\n### with uv\n\n```\n$ uv add evtx2es\n```\n\n### from GitHub Releases\n\nThe version compiled into a binary using Nuitka is also available for use.\n\n```bash\n$ chmod +x ./evtx2es\n$ ./evtx2es {{options...}}\n```\n\n```powershell\n\u003e evtx2es.exe {{options...}}\n```\n\n## Contributing\n\nThe source code for evtx2es is hosted on GitHub. 
You can download, fork, and review it from this repository: https://github.com/sumeshi/evtx2es.\nPlease report issues and feature requests. :sushi: :sushi: :sushi:\n\n## Included in\n\n- [Tsurugi Linux [Lab] 2022 - 2024](https://tsurugi-linux.org/) - DFIR Linux distribution\n\nThank you for your interest in evtx2es!\n\n## License\n\nevtx2es is released under the [MIT](https://github.com/sumeshi/evtx2es/blob/master/LICENSE) License.\n\nPowered by following libraries:\n- [pyevtx-rs](https://github.com/omerbenamram/pyevtx-rs)\n- [Nuitka](https://github.com/Nuitka/Nuitka)\n\nInspired by [EvtxtoElk](https://github.com/dgunter/evtxtoelk).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsumeshi%2Fevtx2es","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsumeshi%2Fevtx2es","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsumeshi%2Fevtx2es/lists"}