From 85d2fe1693005be69b0b1eea9e7d18134c5bbfa3 Mon Sep 17 00:00:00 2001
From: Jose Alonso Cardenas Marquez
Date: Sun, 30 Apr 2023 16:33:08 -0500
Subject: [PATCH] textproc/py-evtx2splunk: New port: Evtx to Splunk ingestor
Ingest EVTX files into a Splunk instance. This tool is based on the work of : Omer BenAmram Blardy Thanks to Ekto for its contribution. Key features: - Splunk HEC support with token auto-creation - Splunk index auto-creation - Multiprocessing support - Caching for evtx reuse without reconverting - Windows and Linux compatibility - Rely on the great and fast evtx_dump Rust tool of Omer - Evtx message resolutions from database Note: evtx2splunk converts the EVTX to JSON and stores them in a temporary place. Hence, up to the size of source EVTX can be created during the process. These files are removed at the end of the process, except if keep_cache is enabled.
---
 textproc/Makefile | 1 +
 textproc/py-evtx2splunk/Makefile | 34 +++++++++++++++++++++++++++++++
 textproc/py-evtx2splunk/distinfo | 3 +++
 textproc/py-evtx2splunk/pkg-descr | 22 ++++++++++++++++++++
 4 files changed, 60 insertions(+)
 create mode 100644 textproc/py-evtx2splunk/Makefile
 create mode 100644 textproc/py-evtx2splunk/distinfo
 create mode 100644 textproc/py-evtx2splunk/pkg-descr
diff --git a/textproc/Makefile b/textproc/Makefile
index 9893cd0fb420..4c302336717a 100644
--- a/textproc/Makefile
+++ b/textproc/Makefile
@@ -1340,6 +1340,7 @@
 SUBDIR += py-enchant
 SUBDIR += py-enrich
 SUBDIR += py-et_xmlfile
+ SUBDIR += py-evtx2splunk
 SUBDIR += py-extract-msg
 SUBDIR += py-fastavro
 SUBDIR += py-feedparser
diff --git a/textproc/py-evtx2splunk/Makefile b/textproc/py-evtx2splunk/Makefile
new file mode 100644
index 000000000000..fd916b2a396a
--- /dev/null
+++ b/textproc/py-evtx2splunk/Makefile
@@ -0,0 +1,34 @@
+PORTNAME= evtx2splunk
+PORTVERSION= 2.0.1
+CATEGORIES= textproc python
+PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX}
+
+MAINTAINER= acm@FreeBSD.org
+COMMENT= Evtx to Splunk ingestor
+WWW= https://github.com/whikernel/evtx2splunk
+
+LICENSE= MIT
+
+RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}certifi>0:security/py-certifi@${PY_FLAVOR} \
+ ${PYTHON_PKGNAMEPREFIX}chardet>0:textproc/py-chardet@${PY_FLAVOR} \
+ ${PYTHON_PKGNAMEPREFIX}idna>0:dns/py-idna@${PY_FLAVOR} \
+ ${PYTHON_PKGNAMEPREFIX}python-dotenv>0:www/py-python-dotenv@${PY_FLAVOR} \
+ ${PYTHON_PKGNAMEPREFIX}requests>0:www/py-requests@${PY_FLAVOR} \
+ ${PYTHON_PKGNAMEPREFIX}semantic-version>0:devel/py-semantic-version@${PY_FLAVOR} \
+ ${PYTHON_PKGNAMEPREFIX}urllib3>0:net/py-urllib3@${PY_FLAVOR} \
+ ${PYTHON_PKGNAMEPREFIX}toml>0:textproc/py-toml@${PY_FLAVOR} \
+ ${PYTHON_PKGNAMEPREFIX}tqdm>0:misc/py-tqdm@${PY_FLAVOR} \
+ ${PYTHON_PKGNAMEPREFIX}splunk-hec>0:textproc/py-splunk-hec@${PY_FLAVOR} \
+ fd-find>0:sysutils/fd \
+ evtx>0:textproc/evtx
+
+USE_GITHUB= yes
+GH_ACCOUNT= whikernel
+GH_TAGNAME= 12bfda6cdd83ae392df9303d0140a2eaa936a62f
+
+USES= python:3.8+
+USE_PYTHON= autoplist distutils
+
+NO_ARCH= yes
+
+.include
diff --git a/textproc/py-evtx2splunk/distinfo b/textproc/py-evtx2splunk/distinfo
new file mode 100644
index 000000000000..3ad4744a248e
--- /dev/null
+++ b/textproc/py-evtx2splunk/distinfo
@@ -0,0 +1,3 @@
+TIMESTAMP = 1682884324
+SHA256 (whikernel-evtx2splunk-2.0.1-12bfda6cdd83ae392df9303d0140a2eaa936a62f_GH0.tar.gz) = a203a63d063d004975ac5d928030188501e119bc63dc6f995644f9aa1577a36c
+SIZE (whikernel-evtx2splunk-2.0.1-12bfda6cdd83ae392df9303d0140a2eaa936a62f_GH0.tar.gz) = 7116809
diff --git a/textproc/py-evtx2splunk/pkg-descr b/textproc/py-evtx2splunk/pkg-descr
new file mode 100644
index 000000000000..805459be1170
--- /dev/null
+++ b/textproc/py-evtx2splunk/pkg-descr
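Review bot: GH_TAGNAME pins the fetch to the bare commit 12bfda6cdd83ae392df9303d0140a2eaa936a62f while PORTVERSION says 2.0.1, and nothing in the Makefile records why the release tag was not used; a comment above it such as `# 2.0.1 as of upstream commit 12bfda6c; bump together with PORTVERSION and distinfo` would keep the pin, the version and the checksum from drifting apart on the next update (I cannot verify from here whether an upstream 2.0.1 tag exists). The RUN_DEPENDS block is not in alphabetical order (toml after urllib3, splunk-hec after tqdm), and certifi, chardet, idna and urllib3 look like transitive dependencies of requests rather than direct imports, so they are worth checking against upstream's declared requirements before the list is committed as-is. The `.include` line carries no file argument in this view; if that is not an extraction artifact of the angle brackets, it needs the usual `bsd.port.mk` argument.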
@@ -0,0 +1,22 @@
+Ingest EVTX files into a Splunk instance.
+
+This tool is based on the work of :
+
+Omer BenAmram
+Blardy
+Thanks to Ekto for its contribution.
+
+Key features:
+
+- Splunk HEC support with token auto-creation
+- Splunk index auto-creation
+- Multiprocessing support
+- Caching for evtx reuse without reconverting
+- Windows and Linux compatibility
+- Rely on the great and fast evtx_dump Rust tool of Omer
+- Evtx message resolutions from database
+
+Note: evtx2splunk converts the EVTX to JSON and stores them in a temporary
+place. Hence, up to the size of source EVTX can be created during the process.
+These files are removed at the end of the process, except if keep_cache is
+enabled.