I have Windows Event Logs archived on my Windows Event Collector that are forwarded events from my endpoints. How can I re-import those into an ELK 6 stack? My WEC server has Winlogbeat installed and is sending the current Forwarded Events to my Logstash server.
All of the state kept by Winlogbeat is recorded to C:\ProgramData\winlogbeat\.winlogbeat.yml. If you stop Winlogbeat, remove that file, and then restart Winlogbeat it will be just like the first time you ran it.
Ok, will that ingest all of the Archive-ForwardedEvents* .evtx files as well as the ForwardedEvents.evtx automatically?
It uses the Windows API to read the data rather than reading evtx files directly so it should get the same data that's visible in the Event Viewer. (Not sure whether that includes archived data, but my guess is not.)
Ok, so that goes back to my original question. How do I get the archived .evtx files into my Logstash then? It doesn't seem feasible to take tens of thousands of archived evtx files and manually add each one back into Event Viewer.
I missed the subtleties of "archived" in the first question. Unfortunately if the messages aren't available through the event log APIs then it won't be able to ingest them. There has been discussion of adding .evtx support to Winlogbeat but it hasn't happened yet: https://github.com/elastic/beats/issues/465#issuecomment-227347863
Ok. So if I can't use Winlogbeat, what can I use? Or, how can I make roughly 100,000 evtx files import into the event log API without adding each one manually?
If it's a one time load thing then I'd probably script something that converts the evtx to JSON and ingests that with Filebeat. Maybe something like:
- Use https://github.com/0xrawsec/golang-evtx to dump evtx to JSON
- Run filebeat with JSON parsing enabled
- Have filebeat send it to Logstash where you can rename the fields as needed
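A worked version of the conversion step, added here and not part of the thread or of any project mentioned in it: a PowerShell script that walks the archived Archive-ForwardedEvents*.evtx files on the collector, reads each one with Get-WinEvent -Path (the Windows event log API reading the saved file directly, used in place of the golang-evtx dump step suggested above) and writes one JSON object per line for Filebeat to tail. The directory paths, the filename pattern and the output field names are assumptions; adjust them to your WEC server.

```powershell
# Added example (not from the thread): convert archived ForwardedEvents .evtx
# files into newline-delimited JSON for Filebeat. Paths and field names below
# are assumptions, not values from the original posts.
param(
    [string]$ArchiveDir = 'C:\Windows\System32\winevt\Logs',   # assumption: where WEC archives land
    [string]$OutDir     = 'C:\evtx-export',                    # assumption: directory Filebeat will tail
    [string]$Pattern    = 'Archive-ForwardedEvents*.evtx'
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

Get-ChildItem -Path $ArchiveDir -Filter $Pattern -File | ForEach-Object {
    $evtx    = $_
    $outFile = Join-Path $OutDir ($evtx.BaseName + '.ndjson')
    if (Test-Path $outFile) { return }   # re-runnable: skip archives already converted

    $writer = [System.IO.StreamWriter]::new($outFile, $false, [System.Text.UTF8Encoding]::new($false))
    try {
        # Stream records through the pipeline instead of collecting them first;
        # a single archive can hold hundreds of thousands of events.
        Get-WinEvent -Path $evtx.FullName -ErrorAction Stop | ForEach-Object {
            $e  = $_
            $ts = $null
            if ($e.TimeCreated) { $ts = $e.TimeCreated.ToUniversalTime().ToString('o') }

            # Message is often $null for forwarded events because the source
            # hosts' provider manifests are not installed on the collector, so
            # the raw event XML is kept: EventData survives in it either way.
            $record = [ordered]@{
                '@timestamp'  = $ts
                event_id      = $e.Id
                provider      = $e.ProviderName
                computer_name = $e.MachineName
                log_name      = $e.LogName
                record_id     = $e.RecordId
                level         = $e.LevelDisplayName
                source_file   = $evtx.Name
                event_message = $e.Message
                event_xml     = $e.ToXml()
            }
            $writer.WriteLine(([pscustomobject]$record | ConvertTo-Json -Compress -Depth 2))
        }
    } catch {
        # An empty archive makes Get-WinEvent throw "No events were found";
        # a corrupt file is reported the same way and leaves an empty .ndjson.
        Write-Warning ("{0}: {1}" -f $evtx.Name, $_.Exception.Message)
    } finally {
        $writer.Dispose()
    }
}
```

On the Filebeat side, point a log input at `C:\evtx-export\*.ndjson` with `json.keys_under_root: true` and `json.add_error_key: true`; the message field is deliberately named `event_message` so it does not collide with Filebeat's own `message` field, and the remaining renames can be done in Logstash as the answer above suggests. Because each archive is skipped once its .ndjson exists, the script can be interrupted and restarted without producing duplicate events.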