Import Windows events stored as syslog in PCAPs


I have PCAP files (hundreds of GB:s) with recorded syslog traffic (UDP/514) containing log events from Windows hosts. I would like to import and parse the data in an ELK stack. If possible, I would also like to preserve the PCAP timestamps and store those as an additional field for each log message.

Should I parse the PCAPs with Zeek/Bro and import with Filebeat? Could Packetbeat be used? Which option(s) would you suggest? Any help or useful pointers would be appreciated.


This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.