Is it still possible to use winlogbeat to convert evtx files to json?
I was trying to use the powershell script from here -
# Expects exactly one .evtx file next to winlogbeat.exe; with several files
# Get-ChildItem returns an array and the GetFileNameWithoutExtension call fails.
If (Test-Path -Path $pwd\winlogbeat.exe) {
    echo "Starting conversion from EVTX to JSON ..."
    $EVTX_FILE_NAME = [io.path]::GetFileNameWithoutExtension((Get-ChildItem -Path $pwd\*.evtx | Select-Object -ExpandProperty Name))
    # -E overrides the ${EVTX_FILE} and ${JSON_FILE} placeholders used in winlogbeat-evtx.yml
    .\winlogbeat.exe -e -c .\winlogbeat-evtx.yml -E EVTX_FILE=$pwd\$EVTX_FILE_NAME.evtx -E JSON_FILE=$pwd\$EVTX_FILE_NAME.json
    # Drop the registry/state directory so a re-run starts from the beginning of the file
    Remove-Item -Path $pwd\data\ -Recurse
    echo "Conversion is complete! See the new file: $EVTX_FILE_NAME.json"
}
Else
{
    echo "The winlogbeat.exe is missing! Please download the ZIP version from https://www.elastic.co/downloads/beats/winlogbeat, extract it and add the winlogbeat.exe into this folder."
}
and the winlogbeat-evtx.yml file
winlogbeat.event_logs:
  - name: ${EVTX_FILE}
    no_more_events: stop

output.file:
  path: "."
  filename: ${JSON_FILE}
I kept getting errors until I went all the way back to winlogbeat.exe 8.0, and at this point it just seems to count up through these ndjson files.
Now I don't get errors BUT this goes on for days....
I also tried this one -
I'd appreciate any thoughts or help, thanks!!
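The "counting up through ndjson files" described above is what the file output's rotation looks like from the outside: instead of one JSON document you get a sequence of newline-delimited parts. The script below is an added example for this thread, not Elastic's or winlogbeat's own code. It assumes the parts are named `<stem>.ndjson`, `<stem>-1.ndjson`, `<stem>-2.ndjson` and so on (the default file-output rotation naming), that every line is one ECS event as winlogbeat writes it, and that the fields `winlog.channel`, `winlog.record_id` and `event.code` are present; the sample lines are constructed, not captured from a real conversion. It merges the parts in numeric rotation order (so `-10` sorts after `-2`), writes a single JSON array, and tallies events per channel and event code so the result can be sanity-checked against the record count Event Viewer shows for the .evtx file.

```python
"""Merge winlogbeat file-output parts for one EVTX conversion into a single
JSON array and tally events per (channel, event.code).

Added example, not Elastic's code. Assumed naming: <stem>.ndjson,
<stem>-1.ndjson, <stem>-2.ndjson, ... (winlogbeat's rotation default).
"""
import json
from collections import Counter
from pathlib import Path
from typing import Dict, List

PART_SUFFIX = ".ndjson"


def rotation_index(name: str, stem: str) -> int:
    """0 for '<stem>.ndjson', N for '<stem>-N.ndjson'; ValueError for anything else."""
    if not name.endswith(PART_SUFFIX):
        raise ValueError(f"{name!r} does not end in {PART_SUFFIX}")
    base = name[: -len(PART_SUFFIX)]
    if base == stem:
        return 0
    tail = base[len(stem) + 1:]
    if base.startswith(stem + "-") and tail.isdigit():
        return int(tail)
    raise ValueError(f"{name!r} is not a rotation part of {stem!r}")


def parse_ndjson(text: str) -> List[dict]:
    """One JSON object per non-empty line; a bad line is reported with its number."""
    records: List[dict] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: {exc.msg}") from None
        if not isinstance(obj, dict):
            raise ValueError(f"line {lineno}: expected a JSON object")
        records.append(obj)
    return records


def merge_parts(parts: Dict[str, str], stem: str) -> List[dict]:
    """Concatenate parts in rotation order 0, 1, 2, ... (numeric, not lexical)."""
    ordered = sorted(parts, key=lambda n: rotation_index(n, stem))
    merged: List[dict] = []
    for name in ordered:
        merged.extend(parse_ndjson(parts[name]))
    return merged


def summarize(records: List[dict]) -> Counter:
    """Count events by (winlog.channel, event.code) for a quick completeness check."""
    tally: Counter = Counter()
    for rec in records:
        channel = rec.get("winlog", {}).get("channel", "?")
        code = rec.get("event", {}).get("code", "?")
        tally[(channel, code)] += 1
    return tally


def merge_directory(directory: Path, stem: str) -> Path:
    """Read every rotation part of `stem` in `directory` and write <stem>.json."""
    parts: Dict[str, str] = {}
    for path in directory.glob(stem + "*" + PART_SUFFIX):
        try:
            rotation_index(path.name, stem)
        except ValueError:
            continue  # unrelated file that happens to share the prefix
        parts[path.name] = path.read_text(encoding="utf-8")
    out = directory / (stem + ".json")
    out.write_text(json.dumps(merge_parts(parts, stem), indent=1), encoding="utf-8")
    return out


def _ev(record_id: int, code: str, channel: str = "Security") -> str:
    """Constructed ECS-style line in the shape winlogbeat's file output emits."""
    return json.dumps({
        "@timestamp": f"2024-01-01T00:00:{record_id:02d}.000Z",
        "event": {"code": code, "provider": "Microsoft-Windows-Security-Auditing"},
        "winlog": {"channel": channel, "record_id": record_id},
    })


# Constructed parts, listed out of order and including a "-10" part, to show
# that merging must sort numerically (lexical order would put -10 before -2).
SAMPLE_PARTS = {
    "sample-1.ndjson": "\n".join([_ev(3, "4624"), _ev(4, "4688")]),
    "sample-10.ndjson": _ev(7, "1102") + "\n",
    "sample.ndjson": "\n".join([_ev(1, "4624"), _ev(2, "4624")]) + "\n",
    "sample-2.ndjson": "\n".join([_ev(5, "4688"), _ev(6, "4624")]),
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: merge_parts.py <directory> <stem>
        print(merge_directory(Path(sys.argv[1]), sys.argv[2]))
    else:
        recs = merge_parts(SAMPLE_PARTS, "sample")
        print(len(recs), "events;", dict(summarize(recs)))
```

Run it with a directory and the stem winlogbeat used for the parts to get one `<stem>.json`; run it without arguments to see the constructed sample merged in the right order. The per-code tally is the cheap check that nothing was lost between parts: the sum should match the number of records in the source .evtx.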