EVTX file content not shown in graphs #15370

viris · 2026-01-09T17:27:30Z

viris
Jan 9, 2026

Version

2.4.200

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Import

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

16

RAM

64GB

Storage for /

1 TB

Storage for /nsm

500 GB

Network Traffic Collection

tap

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

Yes, there are additional clues in /opt/so/log/ (please provide detail below)

Detail

I am trying to import Security EVTX file, but there is no sign of data beeing imported.

I see, that hash ID for each import is generated and there is data covnerted from evtx to json in /nsm/import/hash/evtx/data.json.

But there is no import.

And there is no documentation where to look or how to import then manually.

I tried to upload evtx from cmdline and also over the Grid option.

Any clues where to look or how to troubleshoot?

Thanks!

Guidelines

I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

dwal08 · 2026-01-11T14:09:12Z

dwal08
Jan 11, 2026

Have you tried to open up your time range in Kibana, and search on the import.id? I was messing around with it last month and was troubleshooting some timestamp inconsistencies between event creation and import.

There are some screen shots where I tracked form import through search. You can also check the index / a document to make sure your data is being parsed properly.

0 replies

LunchMunchy · 2026-03-16T13:55:56Z

LunchMunchy
Mar 16, 2026

@viris I'm having the same issue. I'm using an Import Node in a VMWare instance with more than minimum hardware specs (12GB RAM, 4 Cores, 300GB for /). When I upload an evtx to my import, I see no data populate in either my security onion instance or Elastic. @dwal08 even when searching through my indices, it seems like Security Onion only generates a hash of the evtx file for the directory name and converts it to .json without actually creating any queryable logs. Has anyone else encountered this issue?

1 reply

cm-ops Mar 17, 2026
Maintainer

Is there anything of note in /nsm/import/evtx-import.log?

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

EVTX file content not shown in graphs #15370

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

EVTX file content not shown in graphs #15370

Uh oh!

viris Jan 9, 2026

Version

Installation Method

Description

Installation Type

Location

Hardware Specs

CPU

RAM

Storage for /

Storage for /nsm

Network Traffic Collection

Network Traffic Speeds

Status

Salt Status

Logs

Detail

Guidelines

Replies: 2 comments · 1 reply

Uh oh!

Uh oh!

dwal08 Jan 11, 2026

Uh oh!

LunchMunchy Mar 16, 2026

Uh oh!

cm-ops Mar 17, 2026 Maintainer

viris
Jan 9, 2026

Replies: 2 comments 1 reply

dwal08
Jan 11, 2026

LunchMunchy
Mar 16, 2026

cm-ops Mar 17, 2026
Maintainer