Usage of Winlogbeat on Linux / Parse plaintext windows events files

We need to run winlogbeat on Linux.
I see that there are no precompiled binaries for Linux which is somewhat understandable.

In our use case winlog events are transported via syslog to a Linux VM.
There, parsing happens with filebeat for many types of plaintext logs.

Among those logs are the Windows event logs, and I was hoping to be able to parse them with winlogbeat.
Another issue is that the logs are plaintext instead of *.evtx files :confused:

I was thinking of modifying the winlogbeat-security.js, winlogbeat-powershell.js and winlogbeat-sysmon.js and using those scripts with filebeat.

In other words: reuse/modify your wonderful JS code from the winlogbeat modules and create filebeat modules.

Any technical difficulties that I might encounter?
Is this unfeasible maybe?

Any suggestions?

Hello @GeorgeGkinis :slight_smile:

Out of curiosity, how are the events from Windows transferred through syslog? Is it maybe a local agent like SolarWinds or NXLog?

I would say that while filebeat is your best bet indeed, there might be some better approaches, and it kinda depends on the format of these syslog messages, so before I can help you any further, would you be able to provide a line or two from the file itself? Feel free to obfuscate any sensitive fields, as long as it keeps the format 100% the same :slight_smile:

The reason is that some Windows syslog agents forward the whole XML, while others just pick parts of the message and send it through an unformatted syslog message. So for example if it was raw XML, we have a new XML processor in filebeat that would help you a lot :slight_smile:
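The distinction in the reply above (full Event XML vs. a text rendering with only some fields) decides what a filebeat pipeline has to do with each line. As an added example, not code from this thread or from Elastic, here is a small Python prototype that classifies each syslog line and, for the XML case, maps the Windows Event XML into winlog.*-style fields; the field names mirror winlogbeat's layout but are an assumption here, not a guarantee of 1:1 compatibility. Both sample lines are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample lines (not from the thread). XML_LINE mimics an agent that
# forwards the full Windows Event XML inside a BSD-syslog message; TEXT_LINE
# mimics an agent that only emits a one-line text rendering with key=value pairs.
XML_LINE = (
    "<134>Mar  1 10:00:00 winhost01 EventForwarder: "
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><Provider Name='Microsoft-Windows-Security-Auditing'/>"
    "<EventID>4624</EventID><Level>0</Level>"
    "<TimeCreated SystemTime='2021-03-01T10:00:00.000000000Z'/>"
    "<EventRecordID>1234</EventRecordID><Channel>Security</Channel>"
    "<Computer>winhost01.example.com</Computer></System>"
    "<EventData><Data Name='SubjectUserSid'>S-1-5-18</Data>"
    "<Data Name='TargetUserName'>alice</Data>"
    "<Data Name='LogonType'>3</Data></EventData></Event>"
)
TEXT_LINE = (
    "<134>Mar  1 10:00:00 winhost01 Security-Auditing[4]: 4624: "
    "An account was successfully logged on. "
    "SubjectUserSid=S-1-5-18 TargetUserName=alice LogonType=3"
)


def _local(tag):
    """Strip the XML namespace so tags can be compared by local name."""
    return tag.split("}", 1)[-1]


def _child(parent, name):
    """First direct child with the given local name, or None."""
    if parent is None:
        return None
    for el in parent:
        if _local(el.tag) == name:
            return el
    return None


def _text(parent, name):
    el = _child(parent, name)
    return el.text if el is not None else None


def parse_event_xml(xml_text):
    """Map Windows Event XML to winlog.*-style fields (names follow winlogbeat's
    layout; an assumption for this prototype, not a compatibility promise)."""
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "Event":
        raise ValueError("payload is XML but not a Windows <Event> document")
    system = _child(root, "System")
    provider = _child(system, "Provider")
    created = _child(system, "TimeCreated")
    event_id = _text(system, "EventID")
    record_id = _text(system, "EventRecordID")
    fields = {
        "@timestamp": created.get("SystemTime") if created is not None else None,
        "winlog.provider_name": provider.get("Name") if provider is not None else None,
        "winlog.event_id": int(event_id) if event_id else None,
        "winlog.record_id": int(record_id) if record_id else None,
        "winlog.channel": _text(system, "Channel"),
        "winlog.computer_name": _text(system, "Computer"),
        "winlog.event_data": {},
    }
    event_data = _child(root, "EventData")
    if event_data is not None:
        for data in event_data:
            if _local(data.tag) == "Data" and data.get("Name"):
                fields["winlog.event_data"][data.get("Name")] = data.text or ""
    return fields


KV_RE = re.compile(r"(\w+)=(\S+)")
TEXT_EVENT_ID_RE = re.compile(r"\]:\s+(\d+):")


def parse_event_text(line):
    """Heuristic for agents that do not forward XML: pull key=value pairs and the
    leading event id. The exact layout depends on the agent, so treat this as a
    starting point for a dissect/grok pattern, not as a general parser."""
    m = TEXT_EVENT_ID_RE.search(line)
    return {
        "winlog.event_id": int(m.group(1)) if m else None,
        "winlog.event_data": dict(KV_RE.findall(line)),
    }


def parse_syslog_windows_event(line):
    """Decide per line whether the syslog payload is full Event XML or a text
    rendering, then parse it with the matching branch."""
    start = line.find("<Event")
    if start >= 0:
        return {"format": "xml", "fields": parse_event_xml(line[start:])}
    return {"format": "text", "fields": parse_event_text(line)}


if __name__ == "__main__":
    for sample in (XML_LINE, TEXT_LINE):
        print(parse_syslog_windows_event(sample))
```

Running this over a sample of the real file shows which branch every line takes before any module work starts: lines on the XML branch carry the full System and EventData sections, so in filebeat they can go through the XML processor the reply mentions and keep the structure the winlogbeat module scripts expect; lines on the text branch only contain whatever the agent chose to render, so a dissect/grok pattern matched to that agent's exact layout is needed and some fields the winlogbeat scripts rely on may simply be absent.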
