Winlogbeat: Logstash as forensic investigator

I am trying to parse log files collected as part of forensic investigation from windows machine and wondering how can i make winlogbeat to parse logs from files and ship it to logstash server?

Do we have a winlogbeat for linux as well so that i can run winlogbeat on my linux machine to ship logs to logstash or if there is any other way to read these files?


Winlogbeat cannot directly read .evt or .evtx files. It uses the Windows APIs to read from the events logs since the file format is proprietary. There are some libraries people have written by reverse engineering the format. It would be cool to integrate those into Winlogbeat (then it could run on linux too), but no one has contributed this feature. There is a mention of the feature in but we have no firm plans for implementing it.

Thank you for your reply. I have just started using ELK stack and absolutely in love with it. Thanks for liberating me from splunk but I am anxious to see what else i can do with ELK as a forensic investigator.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.