Winlogbeat can't ingest archived .evtx files

franco.federico · May 6, 2019, 10:29pm

Hi
I tried to ingest an archived evtx files.

I set my configuration file like this guide
https://www.elastic.co/guide/en/beats/winlogbeat/master/faq.html#reading-from-evtx

I create the file winlogbeat-evtx.yml like this

winlogbeat.event_logs:
  - name: C:\Users\Administrator\Downloads\audit_svm-M-cifs_last.evtx
    no_more_events: stop 

winlogbeat.shutdown_timeout: 30s 
winlogbeat.registry_file: evtx-registry.yml 
output.logstash:
  #hosts: ["localhost:5044"]
  hosts: ["192.168.107.133:5044"]

I check if the configuration file is correct and it is correct

Then I launch from command line

.\winlogbeat.exe -e -c .\winlogbeat-evtx.yml

and I received this error

2019-05-07T00:02:33.966+0200 ERROR instance/beat.go:906 Exiting: Failed
to create new event log. 1 error: Invalid event log key 'no_more_events' found.
Valid keys are api, batch_read_size, event_id, fields, fields_under_root, forwar
ded, ignore_older, include_xml, level, name, processors, provider, tags
Exiting: Failed to create new event log. 1 error: Invalid event log key 'no_more
_events' found. Valid keys are api, batch_read_size, event_id, fields, fields_un
der_root, forwarded, ignore_older, include_xml, level, name, processors, provide
r, tags

I open the file with event viewer without the problem.

Could you help me? I have logstash 6.5.4 and I use winlogbeat 6.7.2

Thank you
Franco

franco.federico · May 7, 2019, 10:28am

I tried to use another file that I created locally on the server saving all security event in a file with event viewer, but I have the same problem.

I found a similar problem in this thread

Is it released this functionality?

Thank you in advance
Franco

Michal_Pristas · May 7, 2019, 11:51am

hey @franco.federico can you please use </> button to format configuration snippet with indentations in a same way as it is in your config file?
a lot of times indentation or config file is incorrectly written and I cannot say because formatting is wrong.
thank you

franco.federico · May 7, 2019, 1:40pm

Thank you for information. I have just used the button and save the post. I send here againg

I create the file winlogbeat-evtx.yml like this

winlogbeat.event_logs:
  - name: C:\Users\Administrator\Downloads\audit_svm-M-cifs_last.evtx
    no_more_events: stop 

winlogbeat.shutdown_timeout: 30s 
winlogbeat.registry_file: evtx-registry.yml 
output.logstash:
  #hosts: ["localhost:5044"]
  hosts: ["192.168.107.133:5044"]

andrewkroh · May 7, 2019, 1:53pm

This feature hasn't been released.

franco.federico · May 7, 2019, 2:35pm

Ok thank you Andrew and Michal for the response. Yesterday night I don't see other thread.

Franco

franco.federico · May 7, 2019, 6:15pm

Now I set my winlogbeat to send to logstash instead of elasticsearch. From log di winlogbeat I see that all data are published but in the logstash log I have the following error

[2019-05-07T19:24:26,101][INFO ][org.logstash.beats.BeatsHandler] [local: 0.0.0.0:5044, remote: 192.168.107.129:49695] Handling exception: Connection reset by peer
[2019-05-07T19:24:26,102][WARN ][io.netty.channel.DefaultChannelPipeline] An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception.
java.io.IOException: Connection reset by peer
        at sun.nio.ch.FileDispatcherImpl.read0(Native Method) ~[?:1.8.0_191]
        at sun.nio.ch.SocketDispatcher.read(SocketDispatcher.java:39) ~[?:1.8.0_191]
        at sun.nio.ch.IOUtil.readIntoNativeBuffer(IOUtil.java:223) ~[?:1.8.0_191]
        at sun.nio.ch.IOUtil.read(IOUtil.java:192) ~[?:1.8.0_191]
        at sun.nio.ch.SocketChannelImpl.read(SocketChannelImpl.java:380) ~[?:1.8.0_191]
        at io.netty.buffer.PooledUnsafeDirectByteBuf.setBytes(PooledUnsafeDirectByteBuf.java:288) ~[netty-all-4.1.18.Final.jar:4.1.18.Final]
        at io.netty.buffer.AbstractByteBuf.writeBytes(AbstractByteBuf.java:1108) ~[netty-all-4.1.18.Final.jar:4.1.18.Final]
        at io.netty.channel.socket.nio.NioSocketChannel.doReadBytes(NioSocketChannel.java:345) ~[netty-all-4.1.18.Final.jar:4.1.18.Final]
        at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:126) ~[netty-all-4.1.18.Final.jar:4.1.18.Final]
        at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:645) ~[netty-all-4.1.18.Final.jar:4.1.18.Final]
        at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:580) ~[netty-all-4.1.18.Final.jar:4.1.18.Final]
        at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:497) ~[netty-all-4.1.18.Final.jar:4.1.18.Final]
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:459) [netty-all-4.1.18.Final.jar:4.1.18.Final]
        at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-all-4.1.18.Final.jar:4.1.18.Final]
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) [netty-all-4.1.18.Final.jar:4.1.18.Final]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_191]

This message sounds like a problem in logstash. I write a new post on the logstash community or you have information about this?

Thank you
Franco

Michal_Pristas · May 9, 2019, 6:24am

hey @franco.federico thanks for coming back. please create a separate issue for this problem. it will help users while searching for similar issues.
Thank you

franco.federico · May 9, 2019, 11:08am

Ok thank you Michal for reply
Bye
Franco

system · June 6, 2019, 11:08am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.