Hello all, there's a fair amount of information around for live shipping of Windows event logs, Winlogbeat which is great in "live" but to the best of my knowledge doesn't support "offline" processing. So I'm struggling to find the right solution for processing *.evtx files from disk (more accurately extracted from forensic images). I have looked at a few options, any pointers towards the most efficient solution would be most appreciated.
1, Running the evtx's through log2timeline (psteal) and and using Logstash to ingest into ES. this sounded great at first but the output is messy.
2, Processing the evtx's with python-evtx to create XML output, then wrangling with Logstash to ingest to ES, I'm finding this to be messy.
It would be nice if Winlogbeat could do this. Is there a recommended solution for this kind of requirement?
Any pointers are welcome.
Cheers
Steve
