so-import-evtx = Command not found & looking for a mass syslog importer

[wilmerism]

Hi all, after some pointers please..

Brand new install using securityonion-2.3.110-20220407.iso
so-import-pcap works fine, got my stuff in, however its not having it with windows event logs

[xx@securityonion ~]$ sudo so-import-evtx
sudo: so-import-evtx: command not found
[xx@securityonion ~]$

I have googled this to death, has the command been replaced at all?

Also i have a load of syslogs in for form on date-syslog.txt any tools around for quick import please?

Thanks in advance

[dougburks]

so-import-evtx seems to work for me:

sudo so-import-evtx
Usage: /sbin/so-import-evtx <evtx-file-1> [evtx-file-2] [evtx-file-*]

Imports one or more evtx files into Security Onion. The evtx files will be analyzed and made available for review in the Security Onion toolset.

What options did you choose during installation?

What is the output of the following?

ls -alh /usr/sbin/so-import*

[wilmerism]

Thanks for coming back, we just had the Easter break here in UK - Install option(that blue box with 4 to choose) I chose "import"

results =
[[root@securityonion simon]#
[root@securityonion simon]# ls -alh /usr/sbin/so-import*
-rwxr-xr-x. 1 root root 7.2K Apr 12 08:48 /usr/sbin/so-import-pcap
[root@securityonion simon]# sudo so-import-evtx
sudo: so-import-evtx: command not found
[root@securityonion simon]# so-import-evtx
bash: so-import-evtx: command not found
[root@securityonion simon]# so-import-pcap
Usage: /sbin/so-import-pcap [pcap-file-2] [pcap-file-N]

Imports one or more PCAP files onto a sensor node. The PCAP traffic will be analyzed and made available for review in the Security Onion toolset.
[root@securityonion simon]#

Ive done a new install and the command works when mode is production.
Any word on a mass import? ( I have 60 syslog text files & 20 evtx's to import)

[dougburks]

I've tested again and can confirm that 2.3.110-20220407 in IMPORT mode does include so-import-evtx for me:

[doug@securityonion ~]$ cat /etc/soversion
2.3.110
[doug@securityonion ~]$ ls -alh /usr/sbin/so-import-*
-rwxr-xr-x. 1 root root 5.1K Apr 20 11:34 /usr/sbin/so-import-evtx
-rwxr-xr-x. 1 root root 7.4K Apr 20 11:34 /usr/sbin/so-import-pcap

Is it possible you accidentally installed an older ISO image?

What is the output of the following?

cat /etc/soversion

Have you tried a second installation of 2.3.110-20220407 in IMPORT mode?

Any word on a mass import? ( I have 60 syslog text files & 20 evtx's to import)

Once you get so-import-evtx working, you should be able to use wildcards to import multiple evtx files at one time.

For standard syslog, you might be able to add Filebeat inputs to consume them:
https://docs.securityonion.net/en/2.3/filebeat.html#configuration

[wilmerism]

Afternoon,

I reinstalled my 2.3.110-20220407 then still the same

Then i tried a V 2.3.20 as standard mode on a new different VM and still had issue

Finally a new 2.3.110-20220407 on a new VM and all is now working fine....
Most odd..

many thanks