How to backfil a saved evtx file into elasticsearch using winlogbeat

niki · March 9, 2019, 4:05pm

can we backfil saved evtx files from different windows machines into elasticsearch and use them for correlation and forensics stuff?
I used to do something like this with filebeat and webservers logs.

zcat logname.gz | .\filebeat.exe -e -v -c backfil.yml

and backfil.yml looks like this

filebeat.inputs:

- type: stdin
  enabled: true
  fields_under_root: true
  
output.logstash:
  hosts: ["logstash:5044"]

  logging.level: info
  logging.to_files: true
  logging.metrics.enabled: false
  json.overwrite_keys: true

common event logs have channel names and we use those names in winlogbeat.yml file, so what if i have a saved file with a custom name like sysmon.evtx and wanna put entire content into elasticsearch?
is there any way to use the perfect event log template of winlogbeat and backfil saved evtx file straight into elasticsearch?
thanks for answers in advance

steffens · March 11, 2019, 2:51pm

evtx files are currently not supporter by winlogbeat.
There is a currently community PR in progress for adding support: https://github.com/elastic/beats/pull/10629

system · April 8, 2019, 4:51pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Import Saved Windows Event Logs Beats winlogbeat	5	9126	May 31, 2017
Old evtx-File with winlogbeat read in Beats winlogbeat	3	345	October 22, 2020
Winlogbeat - how to change path for where to look for files Beats winlogbeat	3	1672	November 22, 2016
Forward Archived .evtx files Beats winlogbeat	6	30	October 24, 2024
Upload and parse exported .evtx files to Elasticsearch Beats winlogbeat	9	4967	May 10, 2019

How to backfil a saved evtx file into elasticsearch using winlogbeat

Related topics