From cc100e50cdf73e4514a0f5d29dbd90083cc81209 Mon Sep 17 00:00:00 2001
From: Wes
Date: Mon, 30 Jan 2023 21:09:58 +0000
Subject: [PATCH] Update so-import-evtx to convert EVTX to a JSON file instead of streaming to Elasticsearch
---
 salt/common/tools/sbin/so-import-evtx | 20 +++++---------------
 1 file changed, 5 insertions(+), 15 deletions(-)
diff --git a/salt/common/tools/sbin/so-import-evtx b/salt/common/tools/sbin/so-import-evtx
index 0b6bd8383..3461e912a 100755
--- a/salt/common/tools/sbin/so-import-evtx
+++ b/salt/common/tools/sbin/so-import-evtx
@@ -32,24 +32,14 @@ function evtx2es() {
 EVTX=$1
 HASH=$2
- ES_PASS=$(lookup_pillar "auth:users:so_elastic_user:pass" "elasticsearch")
- ES_USER=$(lookup_pillar "auth:users:so_elastic_user:user" "elasticsearch")
- docker run --rm \
- -v "$EVTX:/tmp/$RUNID.evtx" \
- --entrypoint evtx2es \
- {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-pcaptools:{{ VERSION }} \
- --host {{ MANAGERIP }} --scheme https \
- --index so-beats-$INDEX_DATE --pipeline import.wel \
- --login $ES_USER --pwd "$ES_PASS" \
- "/tmp/$RUNID.evtx" >> $LOG_FILE 2>&1
-
-
 docker run --rm \
- -v "$EVTX:/tmp/import.evtx" \
+ -v "$EVTX:/tmp/data.evtx" \
+ -v "/nsm/import/$HASH/evtx/:/tmp/evtx/" \
 -v "/nsm/import/evtx-end_newest:/tmp/newest" \
 -v "/nsm/import/evtx-start_oldest:/tmp/oldest" \
- --entrypoint '/evtx_calc_timestamps.sh' \
- {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-pcaptools:{{ VERSION }}
+ -v /root/entrypoint.sh:/entrypoint.sh:ro \
+ --entrypoint "/entrypoint.sh" \
+ {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-pcaptools:{{ VERSION }} >> $LOG_FILE 2>&1
 }
 # if no parameters supplied, display usage
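Review bot: The new `docker run` bind-mounts `/root/entrypoint.sh` from the manager host and executes it as the container entrypoint, but the commit neither adds that file nor checks that it exists, and the exit status of `docker run` is still unchecked, so a missing or wrong script only shows up as a line in `$LOG_FILE` (Docker will presumably create the missing host path as an empty directory, which then fails at exec). Because the container now runs whatever sits at that host path, it should be shipped in the image or as a Salt-managed file rather than a hand-placed script in /root, and the function should fail loudly: `[[ -f /root/entrypoint.sh ]] || { echo "missing /root/entrypoint.sh" >> "$LOG_FILE"; return 1; }` before the call and `|| return 1` after the redirection. The added lines also keep `>> $LOG_FILE` unquoted; `"$LOG_FILE"` avoids word-splitting if the log path ever contains spaces. The enclosing function `evtx2es` opens before the hunk (its header is only the `@@` context), and its name now describes the removed Elasticsearch streaming rather than the JSON conversion the subject announces — a short header comment saying the output is presumably written under `/nsm/import/$HASH/evtx/` by the mounted entrypoint would help the next reader.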