[Winlogbeat] Add option to read .evt and .evtx files #4450

ghost · 2017-06-02T17:54:18Z

Would it be possible to have a functionality which would allow to read .evt files directly ?
Something like :

winlogbeat:
prospectors:
- input_type: winlog
paths:
- C:\System32\Winevt\Logs\ *.evt

andrewkroh · 2019-03-15T18:27:45Z

What are the use cases for reading from .evt/.evtx files?

Is this for loading older historical data? Like for back-filling old log data in a one-off task manner?
Or is there a use case where you need to continuously monitor a directory for new files?

andrewkroh · 2019-03-21T04:52:14Z

I've opened a PR for this at #11361.

This gives Winlogbeat the ability to read from archived .evtx files. The `name` parameter recognizes that the value is absolute path and then uses the appropriate APIs to open the file and ingest its contents. In order to support the use case of reading from a file and then exiting when there are no more events (`ERROR_NO_MORE_ITEMS`) I added a config option to change the behavior of the reader from waiting for more events to stopping. I also had to add `shutdown_timeout` option to make Winlogbeat wait for events to finish publishing before exiting. To keep it simple, globs are not supported. This would have required the introduction of a "prospector" to continuously monitor the glob for new / moved / deleted files. winlogbeat.event_logs: - name: ${EVTX_FILE} no_more_events: stop winlogbeat.shutdown_timeout: 30s winlogbeat.registry_file: evtx-registry.yml output.elasticsearch.hosts: ['http://localhost:9200'] Closes elastic#4450

This gives Winlogbeat the ability to read from archived .evtx files. The `name` parameter recognizes that the value is absolute path and then uses the appropriate APIs to open the file and ingest its contents. In order to support the use case of reading from a file and then exiting when there are no more events (`ERROR_NO_MORE_ITEMS`) I added a config option to change the behavior of the reader from waiting for more events to stopping. I also had to add `shutdown_timeout` option to make Winlogbeat wait for events to finish publishing before exiting. To keep it simple, globs are not supported. This would have required the introduction of a "prospector" to continuously monitor the glob for new / moved / deleted files. winlogbeat.event_logs: - name: ${EVTX_FILE} no_more_events: stop winlogbeat.shutdown_timeout: 30s winlogbeat.registry_file: evtx-registry.yml output.elasticsearch.hosts: ['http://localhost:9200'] Closes #4450

tsg added enhancement Winlogbeat labels Jun 6, 2017

andrewkroh changed the title ~~Option to point at .evt files inside winlogbeat~~ [Winlogbeat] Add option to read .evt or .evtx files Sep 18, 2018

andrewkroh changed the title ~~[Winlogbeat] Add option to read .evt or .evtx files~~ [Winlogbeat] Add option to read .evt and .evtx files Sep 18, 2018

andrewkroh mentioned this issue Mar 15, 2019

[Winlogbeat] Features / Status / Roadmap #465

Closed

sanjay900 mentioned this issue Mar 15, 2019

[Winlogbeat] Support reading .evtx files #10629

Closed

ruflin added the :Windows label Mar 18, 2019

andrewkroh mentioned this issue Mar 21, 2019

Read archived .evtx files with Winlogbeat #11361

Merged

2 tasks

andrewkroh closed this as completed in #11361 Apr 9, 2019

andrewkroh added the v7.2.0 label Apr 9, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Winlogbeat] Add option to read .evt and .evtx files #4450

[Winlogbeat] Add option to read .evt and .evtx files #4450

ghost commented Jun 2, 2017

andrewkroh commented Mar 15, 2019

andrewkroh commented Mar 21, 2019

[Winlogbeat] Add option to read .evt and .evtx files #4450

[Winlogbeat] Add option to read .evt and .evtx files #4450

Comments

ghost commented Jun 2, 2017

andrewkroh commented Mar 15, 2019

andrewkroh commented Mar 21, 2019