Does anyone know what configuration, if any, I can put in the YAML file to specify a location for where my Windows event logs reside? I have a folder with archived data that I need winlogbeat to index into elasticsearch...
anyone know?
Winlogbeat cannot directly read the .evtx files. The format isn't something that Microsoft has published, though it has been reverse engineered by a few people. The format is some kind of binary XML.
Winlogbeat uses the Windows API to read events from the logs that are live in the event logging system.
Thanks for shedding light on this. I greatly appreciate it. I think what I'll do then is convert the evtx files to CSV or XML and then run logstash or filebeat on them. Thanks!
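The conversion step described above, as an added example that is not part of the thread: a PowerShell function (name and folder paths are my own placeholders) that walks a folder of archived .evtx files and writes each event's native XML as one line per event, a layout filebeat or logstash can read as plain text.

```powershell
# Added example (not from the thread): export archived .evtx files to one-event-per-line XML
# so Filebeat or Logstash can read them as plain text. The folder names used below are
# placeholders; point them at the real archive and a writable output location.
function Convert-EvtxArchive {
    param(
        [Parameter(Mandatory)] [string]$SourceFolder,
        [Parameter(Mandatory)] [string]$DestinationFolder
    )

    New-Item -ItemType Directory -Path $DestinationFolder -Force | Out-Null

    foreach ($file in Get-ChildItem -Path $SourceFolder -Filter '*.evtx' -File) {
        $outPath = Join-Path $DestinationFolder ($file.BaseName + '.xml')
        $count = 0
        try {
            # -Oldest returns events in chronological order, so the export file keeps
            # the same ordering the original log was written in.
            Get-WinEvent -Path $file.FullName -Oldest -ErrorAction Stop |
                ForEach-Object {
                    # ToXml() returns the event's native XML; collapse any embedded line
                    # breaks so each event occupies exactly one line in the output file.
                    ($_.ToXml() -replace '\r?\n', ' ')
                    $count++
                } |
                Set-Content -Path $outPath -Encoding UTF8
            Write-Host ("{0}: {1} events exported to {2}" -f $file.Name, $count, $outPath)
        }
        catch {
            # Get-WinEvent throws for a corrupt or truncated archive, and also for a file
            # that contains no events; report it and continue with the remaining files.
            Write-Warning ("{0}: could not be read ({1})" -f $file.Name, $_.Exception.Message)
        }
    }
}

Convert-EvtxArchive -SourceFolder 'C:\EvtxArchive' -DestinationFolder 'C:\EvtxExport'
```

Pointing a filebeat log input at `C:\EvtxExport\*.xml` then ships one event per line, since each line is a complete XML document.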