When running Winlogbeat 7.4 from a PowerShell script to process EVTX files I am running into a problem specific to the number of records imported into Kibana. If the EVTX file contains no deleted entries, the script imports correctly.
However, when an EVTX contains a deleted entry, the number of files processed can vary greatly, and the variance is not equal to the number of deleted entries in the EVTX file. As an example, an EVTX containing 300,000 entries including 500 deleted entries can have 50,000 omitted entries.
THEORY: It is my suspicion that winlogbeat stops processing an EVTX file upn the first occurrence of a deleted entry (this has not been confirmed).
QUESTION: Is there any way that Winlogbeat can be configured to process an EVTX file containing deleted entries without failing when it hits a deleted entry?