Winlogbeat - how to change path for where to look for files

(Jeriel20) #1

Does any one know what configuration if any I can put in the YAML file to specify a location for where my windows event logs reside. I have a folder with archived data that i need winlogbeat to index into elasticsearch...

anyone know?

Import Saved Windows Event Logs
(Andrew Kroh) #2

Winlogbeat cannot directly read the .etvx files. The format isn't something that Microsoft has published, though it has been reverse engineered by a few people. The format is some kind of binary XML.

Winlogbeat uses the Windows API to read events from the logs that are live in the event logging system.

(Jeriel20) #3

Thanks for shedding light on this. I greatly appreciate it. I think what I'll do then is convert the evtx files to CSV or XML and then run logstash or filebeat on them. Thanks!

(system) #4

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.