Show correct dates and Kibana URL for already processed EVTX files

2025-12-06 17:22:49 +01:00 · 2023-09-18 21:31:15 +00:00
parent ad025b9683
commit 5bac1e4d15
1 changed files with 26 additions and 25 deletions
--- a/salt/common/tools/sbin_jinja/so-import-evtx
+++ b/salt/common/tools/sbin_jinja/so-import-evtx
@@ -80,8 +80,8 @@ function evtx2es() {
    -e "SHIFTTS=$SHIFTDATE" \
    -v "$EVTX:/tmp/data.evtx" \
    -v "/nsm/import/$HASH/evtx/:/tmp/evtx/" \
-    -v "/nsm/import/evtx-end_newest:/tmp/newest" \
-    -v "/nsm/import/evtx-start_oldest:/tmp/oldest" \
+    -v "/nsm/import/$HASH/evtx-end_newest:/tmp/newest" \
+    -v "/nsm/import/$HASH/evtx-start_oldest:/tmp/oldest" \
    --entrypoint "/evtx_calc_timestamps.sh" \
    {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-pcaptools:{{ VERSION }} >> $LOG_FILE 2>&1
 }
@@ -111,12 +111,6 @@ INVALID_EVTXS_COUNT=0
 VALID_EVTXS_COUNT=0
 SKIPPED_EVTXS_COUNT=0

-touch /nsm/import/evtx-start_oldest
-touch /nsm/import/evtx-end_newest
-
-echo $START_OLDEST > /nsm/import/evtx-start_oldest
-echo $END_NEWEST > /nsm/import/evtx-end_newest
-
 # paths must be quoted in case they include spaces
 for EVTX in $INPUT_FILES; do
  EVTX=$(/usr/bin/realpath "$EVTX")
@@ -141,8 +135,15 @@ for EVTX in $INPUT_FILES; do
    status "- this EVTX has already been imported; skipping"
    SKIPPED_EVTXS_COUNT=$((SKIPPED_EVTXS_COUNT + 1))
  else
+    # create EVTX directory
    EVTX_DIR=$HASH_DIR/evtx
    mkdir -p $EVTX_DIR
+    # create import timestamp files
+    for i in evtx-start_oldest evtx-end_newest; do
+      if ! [ -f "$i" ]; then
+        touch /nsm/import/$HASH/$i
+      fi
+    done

    # import evtx and write them to import ingest pipeline
    status "- importing logs to Elasticsearch..."
@@ -154,8 +155,13 @@ for EVTX in $INPUT_FILES; do
      VALID_EVTXS_COUNT=$((VALID_EVTXS_COUNT + 1))
    fi

+    cp -f "${EVTX}" "${EVTX_DIR}"/data.evtx
+    chmod 644 "${EVTX_DIR}"/data.evtx
+
+  fi # end of valid evtx
+
  # compare $START to $START_OLDEST
-    START=$(cat /nsm/import/evtx-start_oldest)
+  START=$(cat /nsm/import/$HASH/evtx-start_oldest)
  START_COMPARE=$(date -d $START +%s)
  START_OLDEST_COMPARE=$(date -d $START_OLDEST +%s)
  if [ $START_COMPARE -lt $START_OLDEST_COMPARE ]; then
@@ -163,7 +169,7 @@ for EVTX in $INPUT_FILES; do
  fi

  # compare $ENDNEXT to $END_NEWEST
-    END=$(cat /nsm/import/evtx-end_newest)
+  END=$(cat /nsm/import/$HASH/evtx-end_newest)
  ENDNEXT=`date +%Y-%m-%d --date="$END 1 day"`
  ENDNEXT_COMPARE=$(date -d $ENDNEXT +%s)
  END_NEWEST_COMPARE=$(date -d $END_NEWEST +%s)
@@ -171,11 +177,6 @@ for EVTX in $INPUT_FILES; do
    END_NEWEST=$ENDNEXT
  fi

-    cp -f "${EVTX}" "${EVTX_DIR}"/data.evtx
-    chmod 644 "${EVTX_DIR}"/data.evtx
-
-  fi # end of valid evtx
-
  status

 done # end of for-loop processing evtx files