So, I've been trying to get filebeat to harvest DHCP logs in the system32 folder on windows. After making sure permissions and everything weren't the issue, I decided to run procmon to see what was holding it up.
Turns out that when filebeat tries to go to c:\windows\system32\dhcp it's actually getting sent to c:\windows\syswow64\dhcp which doesn't exist, and also kinda weird, but that's Microsoft for you.
Anywho, this is happening because filebeat is offered as an x86 binary (I checked the PE headers). Is there any way to get an x64 version of filebeat so that Windows doesn't direct requests to syswow64?
EDIT: For posterity, you can work around this by going to c:\windows\sysnative instead of c:\windows\system32