textproc/py-evtx2splunk: New port: Evtx to Splunk ingestor

Ingest EVTX files into a Splunk instance. This tool is based on the work of : Omer BenAmram Blardy Thanks to Ekto for its contribution. Key features: - Splunk HEC support with token auto-creation - Splunk index auto-creation - Multiprocessing support - Caching for evtx reuse without reconverting - Windows and Linux compatibility - Rely on the great and fast evtx_dump Rust tool of Omer - Evtx message resolutions from database Note: evtx2splunk converts the EVTX to JSON and stores them in a temporary place. Hence, up to the size of source EVTX can be created during the process. These files are removed at the end of the process, except if keep_cache is enabled.
freebsd · Apr 30, 2023 · 85d2fe1 · 85d2fe1
1 parent 043215b
commit 85d2fe1
Show file tree

Hide file tree

Showing 4 changed files with 60 additions and 0 deletions.
diff --git a/textproc/Makefile b/textproc/Makefile
@@ -1340,6 +1340,7 @@
     SUBDIR += py-enchant
     SUBDIR += py-enrich
     SUBDIR += py-et_xmlfile
+    SUBDIR += py-evtx2splunk
     SUBDIR += py-extract-msg
     SUBDIR += py-fastavro
     SUBDIR += py-feedparser

diff --git a/textproc/py-evtx2splunk/Makefile b/textproc/py-evtx2splunk/Makefile
@@ -0,0 +1,34 @@
+PORTNAME=	evtx2splunk
+PORTVERSION=	2.0.1
+CATEGORIES=	textproc python
+PKGNAMEPREFIX=	${PYTHON_PKGNAMEPREFIX}
+
+MAINTAINER=	acm@FreeBSD.org
+COMMENT=	Evtx to Splunk ingestor
+WWW=		https://github.com/whikernel/evtx2splunk
+
+LICENSE=	MIT
+
+RUN_DEPENDS=	${PYTHON_PKGNAMEPREFIX}certifi>0:security/py-certifi@${PY_FLAVOR} \
+		${PYTHON_PKGNAMEPREFIX}chardet>0:textproc/py-chardet@${PY_FLAVOR} \
+		${PYTHON_PKGNAMEPREFIX}idna>0:dns/py-idna@${PY_FLAVOR} \
+		${PYTHON_PKGNAMEPREFIX}python-dotenv>0:www/py-python-dotenv@${PY_FLAVOR} \
+		${PYTHON_PKGNAMEPREFIX}requests>0:www/py-requests@${PY_FLAVOR} \
+		${PYTHON_PKGNAMEPREFIX}semantic-version>0:devel/py-semantic-version@${PY_FLAVOR} \
+		${PYTHON_PKGNAMEPREFIX}urllib3>0:net/py-urllib3@${PY_FLAVOR} \
+		${PYTHON_PKGNAMEPREFIX}toml>0:textproc/py-toml@${PY_FLAVOR} \
+		${PYTHON_PKGNAMEPREFIX}tqdm>0:misc/py-tqdm@${PY_FLAVOR} \
+		${PYTHON_PKGNAMEPREFIX}splunk-hec>0:textproc/py-splunk-hec@${PY_FLAVOR} \
+		fd-find>0:sysutils/fd \
+		evtx>0:textproc/evtx
+
+USE_GITHUB=	yes
+GH_ACCOUNT=	whikernel
+GH_TAGNAME=	12bfda6cdd83ae392df9303d0140a2eaa936a62f
+
+USES=		python:3.8+
+USE_PYTHON=	autoplist distutils
+
+NO_ARCH=	yes
+
+.include <bsd.port.mk>
diff --git a/textproc/py-evtx2splunk/distinfo b/textproc/py-evtx2splunk/distinfo
@@ -0,0 +1,3 @@
+TIMESTAMP = 1682884324
+SHA256 (whikernel-evtx2splunk-2.0.1-12bfda6cdd83ae392df9303d0140a2eaa936a62f_GH0.tar.gz) = a203a63d063d004975ac5d928030188501e119bc63dc6f995644f9aa1577a36c
+SIZE (whikernel-evtx2splunk-2.0.1-12bfda6cdd83ae392df9303d0140a2eaa936a62f_GH0.tar.gz) = 7116809
diff --git a/textproc/py-evtx2splunk/pkg-descr b/textproc/py-evtx2splunk/pkg-descr
@@ -0,0 +1,22 @@
+Ingest EVTX files into a Splunk instance.
+
+This tool is based on the work of :
+
+Omer BenAmram
+Blardy
+Thanks to Ekto for its contribution.
+
+Key features:
+
+- Splunk HEC support with token auto-creation
+- Splunk index auto-creation
+- Multiprocessing support
+- Caching for evtx reuse without reconverting
+- Windows and Linux compatibility
+- Rely on the great and fast evtx_dump Rust tool of Omer
+- Evtx message resolutions from database
+
+Note: evtx2splunk converts the EVTX to JSON and stores them in a temporary
+place. Hence, up to the size of source EVTX can be created during the process.
+These files are removed at the end of the process, except if keep_cache is
+enabled.