Windows Events with evtx

Hello.
I am trying to set up a PoC ingesting Windows Events into Elastic.
Because of company policies I can't install Winlogbeat on any host, but on the host where I have installed the Elastic Stack I have access to install anything I see fit.

On the hosts from which I want to gather logs, I have activated Windows Event Forwarding to the host where I have the Elastic Stack, and I have confirmed that this host is collecting forwarded logs from the other hosts; the evtx file resides at
c:\Windows\System32\winevt\Logs\ForwardedEvents.evtx

What I now want to do is ingest this evtx file into Elasticsearch. Any ideas on how to proceed, Filebeat or Winlogbeat?

Hi @Christer_Palmen! Winlogbeat includes support for Forwarded Events, so I'd recommend installing it on the host where the events are being forwarded to and shipping to Elastic from that host. Some guidance is available for Forwarded Events via Winlogbeat here.
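As an added illustration of the setup recommended above (this is not configuration from the thread or from the Winlogbeat project), a minimal winlogbeat.yml for the Windows Event Collector host that reads only the ForwardedEvents channel. The Elasticsearch hostname, the username and the keystore key name are placeholders I have assumed; replace them with your own.

```yaml
# Added example for the collector host, not from the original thread.
# Only the ForwardedEvents channel is read, so the collector's own local
# Security/System/Application logs are not shipped alongside the forwarded ones.
winlogbeat.event_logs:
  - name: ForwardedEvents
    # Marks the channel as containing events collected from remote hosts via
    # Windows Event Collector. This is already the default for ForwardedEvents;
    # it is set explicitly here so the intent is visible in the file.
    forwarded: true
    # Skip events older than 72h on first start so the initial backlog in the
    # .evtx file does not flood the cluster.
    ignore_older: 72h

output.elasticsearch:
  hosts: ["https://elastic.example.internal:9200"]   # assumed placeholder hostname
  username: "winlogbeat_writer"                      # assumed placeholder user
  # Read from the Winlogbeat keystore (winlogbeat keystore add WINLOGBEAT_PASSWORD)
  # rather than storing the secret in the config file.
  password: "${WINLOGBEAT_PASSWORD}"
```

Before installing the service, check the file with `.\winlogbeat.exe test config -c .\winlogbeat.yml` and the connection with `.\winlogbeat.exe test output -c .\winlogbeat.yml`; the service itself is installed with the `install-service-winlogbeat.ps1` script shipped in the Winlogbeat package.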

Hi James!
Thanks for your help, fixed it!

