Hi,
I have PCAP files (hundreds of GB) with recorded syslog traffic (UDP/514) containing log events from Windows hosts. I would like to import and parse the data in an ELK stack. If possible, I would also like to preserve the PCAP timestamps and store those as an additional field for each log message.
Should I parse the PCAPs with Zeek/Bro and import with Filebeat? Could Packetbeat be used? Which option(s) would you suggest? Any help or useful pointers would be appreciated.
Thanks!
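One way to keep the capture timestamp next to each syslog message, as an added example that is not part of the original post and not code from Elastic or Zeek: walk the PCAP records directly and emit NDJSON that Filebeat can pick up, with the capture time stored in its own `pcap_ts` field. It assumes classic pcap files (not pcapng) containing Ethernet frames; the field names and the two-packet sample capture are my own constructions.

```python
import json
import re
import struct
from datetime import datetime, timedelta, timezone

ETH_IPV4, IP_UDP, SYSLOG_PORT = 0x0800, 17, 514
# classic pcap magic -> (struct byte order, timestamp fraction divisor); pcapng is out of scope here
MAGIC = {0xA1B2C3D4: ("<", 1_000_000), 0xD4C3B2A1: (">", 1_000_000), 0xA1B23C4D: ("<", 1_000_000_000)}

def parse_pcap(data):
    """Return one dict per UDP/514 payload, with the capture timestamp kept as its own field."""
    end, div = MAGIC.get(struct.unpack("<I", data[:4])[0], (None, None))
    if end is None or struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet (LINKTYPE 1) frames")
    off, events = 24, []
    while off + 16 <= len(data):
        sec, frac, incl_len, _ = struct.unpack(end + "IIII", data[off:off + 16])
        pkt, off = data[off + 16:off + 16 + incl_len], off + 16 + incl_len
        if len(pkt) < 34 or struct.unpack("!H", pkt[12:14])[0] != ETH_IPV4:
            continue                                   # not IPv4 over Ethernet
        ip, ihl = pkt[14:], (pkt[14] & 0x0F) * 4
        if ip[9] != IP_UDP or len(ip) < ihl + 8:
            continue                                   # not UDP, or cut short by the snaplen
        sport, dport, ulen = struct.unpack("!HHH", ip[ihl:ihl + 6])
        if dport != SYSLOG_PORT:
            continue
        msg = ip[ihl + 8:ihl + ulen].decode("utf-8", "replace")
        pri = int(m.group(1)) if (m := re.match(r"<(\d{1,3})>", msg)) else None  # PRI = facility*8 + severity
        ts = datetime.fromtimestamp(sec, timezone.utc) + timedelta(microseconds=frac * 1_000_000 // div)
        events.append({"pcap_ts": ts.isoformat(timespec="microseconds"), "message": msg,
                       "source_ip": ".".join(map(str, ip[12:16])), "source_port": sport,
                       "syslog_facility": pri >> 3 if pri is not None else None,
                       "syslog_severity": pri & 7 if pri is not None else None})
    return events

def to_ndjson(events):
    return "".join(json.dumps(e) + "\n" for e in events)   # one JSON object per line for Filebeat

def build_sample_pcap():
    """Constructed two-packet capture standing in for the real traces (sample data, not a real trace)."""
    records = [(1700000000, 123456, "192.0.2.10", b"<13>Nov 14 22:13:20 WINHOST1 MSWinEventLog 4624 logon ok"),
               (1700000001, 500, "192.0.2.11", b"<12>Nov 14 22:13:21 WINHOST2 MSWinEventLog 4625 logon failed")]
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # global header, LINKTYPE 1
    for sec, usec, src, msg in records:                   # Ethernet/IPv4/UDP frame, checksums left at zero
        udp = struct.pack("!HHHH", 40000, SYSLOG_PORT, 8 + len(msg), 0) + msg
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, IP_UDP, 0,
                         bytes(map(int, src.split("."))), bytes([192, 0, 2, 1])) + udp
        frame = bytes(12) + struct.pack("!H", ETH_IPV4) + ip
        pcap += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return pcap
```

Because `pcap_ts` travels as its own field, the syslog header time and the capture time can be compared later in Elasticsearch, which helps spot hosts whose clocks drifted during the recording.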