(crosspost from slack)
Hi,
We are trying to get the logs from our netapp cifs shares.
Netapp exports their logs to a smb share and writes .evtx files there.
And with the help of mounting and pointing winlogbeat to the .evtx file we can use "import it as an archived file".
Are there any good way to get winlogbeat to continuously monitor an .evtx file?
Or do you have any other ideas how to implement this?
--
Regards Falk
CUrrently I don't think Winlogbeat supports continuously reading from an evtx file. Its expected to be a static export and read once. Filebeat 7.16 has a new processor to decode windows event log xml, Decode XML Wineventlog | Filebeat Reference [7.16] | Elastic. So potentially you could convert ur evtx files to xml and then Filbeat could monitor those files?
That could be a way forward, then we can skip the Windows layer for just reading the evtx.
Sadly we are not up to 7.16 yet. But can perhaps do an upgrade from 7.10.2 to 7.16 in January.
It's always scary to do upgrades on elastic imho 
I think that netapp can export a xml file too. I will look into that.
U could try using a 7.16 filebeat instance without upgrading the entire stack?
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.