The Elastic.Flows.Upload artifact takes each row of a collected artifact and uploads it to an index in Elastic whose name is determined by the name of the artifact. Normally we don't need to create a mapping in Elastic (this is basically what a schema is called in Elastic) because Elastic looks at the first row and tries to guess a suitable mapping by looking at the types of the columns. This works well for artifacts that have a consistent output because each column will have the same type in every row. This does not work for an event log artifact because the event data is different for each single event. So what happens is that the first event will create the index with a particular schema, then the next event we try to upload will fail because its event data may have a conflicting schema. You probably need to think about what you need Elastic for in this instance. Do you need to upload the event data as a structured object? Or maybe just upload the raw JSON of it as a searchable blob? That's what I would do, I think. Then in Elastic you would just search for the message string as a full text search and read the JSON of the event data, or maybe just search that JSON directly.
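The failure mode the reply describes, dynamic mapping fixed by the first row and broken by a later event whose `EventData` carries the same field name with a different type, can be seen in a few lines. The following is an added toy simulation, not Velociraptor's or Elasticsearch's code: it treats any type mismatch on an existing field as a rejected document (real Elasticsearch coerces some cases, e.g. a number into a `text` field, so it is stricter than the real thing), and the sample events are constructed, not real log output. It also shows the suggested workaround of storing `EventData` as one JSON string, which always maps to a single `text` field.

```python
import json

# Constructed sample rows shaped like Windows.EventLogs.Evtx output (not real log data).
EVENTS = [
    {"System": {"EventID": 4624, "Channel": "Security"},
     "EventData": {"LogonType": 2, "TargetUserName": "alice"}},
    {"System": {"EventID": 4688, "Channel": "Security"},
     "EventData": {"NewProcessName": "C:\\Windows\\System32\\cmd.exe",
                   "TokenElevationType": "%%1936"}},
    # Same field name as the first row but a different JSON type: this is
    # the per-event schema drift the reply describes.
    {"System": {"EventID": 4625, "Channel": "Security"},
     "EventData": {"LogonType": "Interactive", "TargetUserName": "bob"}},
]


def infer_type(value):
    """Guess a field type from a JSON value, roughly as dynamic mapping does (toy model)."""
    if isinstance(value, bool):
        return "boolean"
    if isinstance(value, int):
        return "long"
    if isinstance(value, float):
        return "float"
    if isinstance(value, str):
        return "text"
    if isinstance(value, list):
        return infer_type(value[0]) if value else None
    return None  # null values do not contribute a mapping


def flatten(doc, prefix=""):
    """Yield (dotted.path, leaf_type) pairs for every leaf in a nested dict."""
    for key, value in doc.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            yield from flatten(value, path + ".")
        else:
            t = infer_type(value)
            if t is not None:
                yield path, t


def index_documents(docs):
    """Simulate indexing: the first doc creates the mapping, later docs must fit it.

    A document whose fields conflict with the existing mapping is rejected
    whole; fields never seen before extend the mapping.
    Returns (mapping, failures), each failure being
    (doc_index, field, mapped_type, offered_type).
    """
    mapping = {}
    failures = []
    for i, doc in enumerate(docs):
        fields = dict(flatten(doc))
        conflicts = [(i, f, mapping[f], t) for f, t in fields.items()
                     if f in mapping and mapping[f] != t]
        if conflicts:
            failures.extend(conflicts)
            continue  # whole document rejected, mapping unchanged
        mapping.update(fields)
    return mapping, failures


def blob_event_data(doc):
    """Workaround from the reply: keep EventData as a single JSON string field."""
    out = dict(doc)
    out["EventData"] = json.dumps(doc.get("EventData", {}), sort_keys=True)
    return out


if __name__ == "__main__":
    mapping, failures = index_documents(EVENTS)
    print("structured EventData ->", failures)
    mapping, failures = index_documents([blob_event_data(d) for d in EVENTS])
    print("blob EventData       ->", failures, "| EventData mapped as", mapping["EventData"])
```

With structured `EventData` the third event is rejected because `EventData.LogonType` was mapped as `long` from the first row and now arrives as a string; after `blob_event_data` every row maps `EventData` to `text` and nothing is rejected, at the cost of querying the event fields as full text rather than as typed fields.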
Hi team,
I am trying to use the VR server artifact "Elastic.Flows.Upload" to upload the Windows event logs collected via the artifact "Windows.EventLogs.Evtx". For some reason, I can see all the Windows event log types except "security.evtx" in Elastic.
I checked the VR data store "/opt/velociraptor/clients/ClientID/artifacts/Windows.EventLogs.Evtx" and I can see the security logs were collected along with all the other Windows event logs.
Can you please let me know if this is a known issue or what the problem may be causing this?
Many Thanks.