Old evtx-File with winlogbeat read in

PatNae · September 23, 2020, 10:08am

how can i read an old logfile with winlogbeat. I have seen the following:
winlogbeat.event_logs:

name: ${EVTX_FILE}
no_more_events: stop
But what exactly do I have to write in name/path? Where must my file be located? I have a local evtx-file on my machine and want to send this file to elasticsearch with winlogbeat - logstash.

warkolm · September 23, 2020, 10:41pm

There's an example in the docs that might help here;

.\winlogbeat.exe -e -c .\winlogbeat-evtx.yml -E EVTX_FILE=c:\backup\Security-2019.01.evtx

PatNae · September 24, 2020, 9:44am

Great, tnx!!

system · October 22, 2020, 11:44am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Winlogbeat - how to change path for where to look for files Beats winlogbeat	3	1672	November 22, 2016
Import Saved Windows Event Logs Beats winlogbeat	5	9126	May 31, 2017
Winlogbeat: lire tous les fichiers evtx d'un dossier Discussions en français	5	897	June 17, 2020
How to backfil a saved evtx file into elasticsearch using winlogbeat Beats	2	824	April 8, 2019
Winlogbeat can't ingest archived .evtx files Beats winlogbeat	9	1626	June 6, 2019