Question 1

How do I use Zircolite with Sigma rules on Windows EVTX logs?

Accepted Answer

Use the --evtx flag with your file or folder and specify a ruleset, like 'python3 zircolite.py --evtx sysmon.evtx --ruleset rules/rules_windows_merged.json'. Auto-detection handles the format, so no extra flags are usually needed.

Question 2

Zircolite vs. Sigma CLI: which is better for log analysis?

Accepted Answer

Zircolite is more comprehensive for standalone log processing with features like field transforms and multiple format support. Sigma CLI focuses on rule conversion and might require additional tools, making Zircolite better for all-in-one portable analysis.

Question 3

Can Zircolite handle real-time log analysis?

Accepted Answer

No, Zircolite is designed for batch processing of log files. It doesn't support real-time ingestion; you must collect logs into files first, making it unsuitable for live monitoring scenarios.

Question 4

How to decode Base64 encoded commands in logs with Zircolite?

Accepted Answer

Configure field transforms in the YAML config file with Python code that matches Base64 patterns and decodes them. The README provides an example transform that creates a new field with the decoded content.

Question 5

What log formats does Zircolite support besides EVTX?

Accepted Answer

It supports Auditd, Sysmon for Linux, JSON Lines, JSON Arrays, CSV, XML, and compressed archives like gzip, bzip2, ZIP, and 7-Zip. Auto-detection works for most, but explicit flags can override it.

Question 6

How to export Zircolite results to Splunk?

Accepted Answer

Use the --template option with a Splunk Jinja template. Zircolite includes pre-built templates for various outputs; specify the format to export in a Splunk-compatible structure for easy ingestion.

Question 7

Is Zircolite good for large enterprise environments?

Accepted Answer

It has optimization features like parallel processing and automatic mode selection, but for massive, distributed log volumes, dedicated systems like Elasticsearch might scale better. Zircolite is ideal for ad-hoc or smaller-scale investigations.

Zircolite

What is Zircolite?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions