Can we backfill saved .evtx files from different Windows machines into Elasticsearch and use them for correlation and forensics?
I used to do something like this with Filebeat and web server logs:
    zcat logname.gz | .\filebeat.exe -e -v -c backfil.yml
and backfil.yml looks like this:
    filebeat.inputs:
    - type: stdin
      enabled: true
      fields_under_root: true
      # json.* options are per-input settings; at top level they are ignored
      json.overwrite_keys: true
    output.logstash:
      hosts: ["logstash:5044"]
    logging.level: info
    logging.to_files: true
    logging.metrics.enabled: false
Common event logs have channel names and we use those names in the winlogbeat.yml file, so what if I have a saved file with a custom name like sysmon.evtx and want to put its entire content into Elasticsearch?
Is there any way to use the perfect event log template of Winlogbeat and backfill a saved .evtx file straight into Elasticsearch?
Thanks for your answers in advance.
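As an added example (not part of the post above), this is a Winlogbeat configuration for reading one exported .evtx file into Elasticsearch instead of a live channel; it assumes Winlogbeat running on a Windows host where the file was copied, and the file path, data directory and Elasticsearch host are placeholders.

```yaml
# Added example: backfill one saved .evtx file with Winlogbeat.
# Winlogbeat accepts an absolute path to an .evtx file in place of a channel name
# and reads it through the Windows event log API, so this must run on Windows.
winlogbeat.event_logs:
  - name: C:\evtx-backfill\sysmon.evtx   # placeholder path to the exported file
    no_more_events: stop                 # exit once the file is fully read, instead of waiting for new events
    tags: [backfill]                     # lets the backfilled documents be told apart from live ones
    # Do not set ignore_older here: the whole point is to ingest old events.

# Winlogbeat keeps a per-log bookmark in its registry (under path.data).
# A second run against the same file would otherwise resume at the bookmark
# and silently skip events, so give each backfill run its own data directory.
path.data: C:\evtx-backfill\data-sysmon   # placeholder, one directory per run

# Load Winlogbeat's own index template so the backfilled documents get the
# same field mapping as events shipped from live channels.
setup.template.enabled: true

output.elasticsearch:
  hosts: ["elasticsearch:9200"]          # placeholder host

logging.level: info
logging.to_files: true
logging.metrics.enabled: false
```

Run it with `.\winlogbeat.exe -e -c backfill-sysmon.yml`; the process ends on its own after the last event is shipped, and the `backfill` tag lets the imported documents be filtered or excluded during later correlation.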