- Program: Winlogbeat
- Version: 7.16.3
- Operating System: Windows 11 Pro Version 21H2 Build 22000.438
I am trying to convert some archived evtx files to JSON using winlogbeat; however, winlogbeat isn't exiting after processing the evtx file, and the size of the output JSON file is also different for each run. For each new run I am deleting the data sub-directory, where evtx-registry.yml and the other files used for tracking are located, along with the output file. There is nothing suspicious in the command line logs for winlogbeat.
I am using PowerShell to execute the following command for each file in the directory:
```powershell
./winlogbeat-7.16.3-windows-x86_64\winlogbeat-7.16.3-windows-x86_64\winlogbeat.exe -e -c ./winlogbeat-evtx.yml -E EVTX_FILE="$filePath" -E OUTPUT_PATH="$output_path" -E FILENAME="$output_file_name"
```
winlogbeat-evtx.yml

```yaml
# Read a single archived .evtx file (path supplied via -E EVTX_FILE=...)
# and stop once the file has been fully read.
winlogbeat.event_logs:
  - name: ${EVTX_FILE}
    forwarded: true
    no_more_events: stop

winlogbeat.shutdown_timeout: 5s
winlogbeat.registry_file: evtx-registry.yml

processors:
  - add_fields:
      target: ''
      fields:
        log_file: ${EVTX_FILE}
  - drop_fields:
      fields: ["event.kind", "event.code", "agent.ephemeral_id", "ecs.version"]

output.elasticsearch:
  enabled: false
output.logstash:
  enabled: false
output.kafka:
  enabled: false

# Write pretty-printed JSON to OUTPUT_PATH/FILENAME (both supplied via -E).
output.file:
  enabled: true
  codec.json:
    pretty: true
    escape_html: false
  rotate_every_kb: 5000000
  path: ${OUTPUT_PATH}
  filename: ${FILENAME}
```
I assume that `shutdown_timeout` and `no_more_events` are not working as expected. Or is it because of the JSON file output? Maybe they are not tested or applied while using file outputs.
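The batch procedure described in this issue (reset the registry, run winlogbeat once per .evtx file, collect the JSON), written out as a PowerShell wrapper that also records whether each run exits on its own and how many events it wrote. This is an added example, not code from the issue or from the Winlogbeat project; it assumes the winlogbeat-evtx.yml above, that Winlogbeat is installed under `$WinlogbeatDir` with its `data` directory alongside the executable, and a per-file timeout of `$TimeoutSec` seconds (all of these are the example's own assumptions). Only the `-e`, `-c` and `-E` flags used in the issue are relied on.

```powershell
# Added example (not from the original issue): batch-convert .evtx files with Winlogbeat,
# resetting the registry between runs and recording whether each run exits by itself.
# Assumptions (not in the issue): install path, input/output directories and timeout below.
param(
    [string]$WinlogbeatDir = ".\winlogbeat-7.16.3-windows-x86_64\winlogbeat-7.16.3-windows-x86_64",
    [string]$EvtxDir       = ".\evtx",     # assumed: folder holding the archived .evtx files
    [string]$OutDir        = ".\json",     # assumed: where the JSON output should land
    [int]$TimeoutSec       = 600           # assumed: kill a run that has not exited by then
)

$exe     = Join-Path $WinlogbeatDir "winlogbeat.exe"
$config  = ".\winlogbeat-evtx.yml"          # the config shown in the issue
$dataDir = Join-Path $WinlogbeatDir "data"  # holds evtx-registry.yml and other state
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

$results = foreach ($evtx in Get-ChildItem -Path $EvtxDir -Filter *.evtx) {
    # Winlogbeat keeps its read position in the registry file under the data dir;
    # remove it so each file is read from the start instead of resumed from an earlier run.
    if (Test-Path $dataDir) { Remove-Item -Recurse -Force $dataDir }

    $outName = [IO.Path]::GetFileNameWithoutExtension($evtx.Name) + ".json"
    $outFile = Join-Path $OutDir $outName
    if (Test-Path $outFile) { Remove-Item -Force $outFile }

    # -e sends Winlogbeat's own log to stderr; keep it per input file for later review.
    $stderrLog = Join-Path $OutDir ($outName + ".winlogbeat.log")
    $p = Start-Process -FilePath $exe -PassThru -NoNewWindow -RedirectStandardError $stderrLog -ArgumentList @(
        "-e", "-c", $config,
        "-E", "EVTX_FILE=$($evtx.FullName)",
        "-E", "OUTPUT_PATH=$((Resolve-Path $OutDir).Path)",
        "-E", "FILENAME=$outName"
    )

    # With no_more_events: stop the process is expected to exit on its own. If it does not,
    # stop it after the timeout and record that, so a hang is visible instead of blocking the loop.
    $exitedOnOwn = $p.WaitForExit($TimeoutSec * 1000)
    if (-not $exitedOnOwn) { $p.Kill() }

    # codec.json with pretty: true spreads each event over several lines; top-level objects
    # start with "{" in column 0, so counting those lines approximates the event count.
    $events = 0
    $bytes  = 0
    if (Test-Path $outFile) {
        $events = (Select-String -Path $outFile -Pattern '^\{' | Measure-Object).Count
        $bytes  = (Get-Item $outFile).Length
    }

    [pscustomobject]@{
        File        = $evtx.Name
        ExitedOnOwn = $exitedOnOwn
        ExitCode    = if ($exitedOnOwn) { $p.ExitCode } else { $null }
        Events      = $events
        OutputBytes = $bytes
    }
}

$results | Format-Table -AutoSize
```

Running the script twice over the same input directory and comparing the `Events` column separates the two symptoms in the issue: an event count that stays the same while `OutputBytes` differs points at how the file is written, whereas a changing event count means events were dropped or duplicated between runs. A row with `ExitedOnOwn` set to `False` identifies the file on which winlogbeat failed to stop, and its `.winlogbeat.log` holds the corresponding `-e` output.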