Read archived .evtx files with Winlogbeat #11361
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
With this enhancement in place it will make it easier to test the development of event processing pipelines since you can playback stored event logs. Aside from that, this has been a much requested feature. |
|
Pinging @elastic/secops |
This was referenced Mar 21, 2019
andrewkroh
force-pushed
the
feature/wlb/evtx-file-support
branch
from
853dae6
to
28ec9a7
Compare
This gives Winlogbeat the ability to read from archived .evtx files. The `name` parameter recognizes that the value is absolute path and then uses the appropriate APIs to open the file and ingest its contents. In order to support the use case of reading from a file and then exiting when there are no more events (`ERROR_NO_MORE_ITEMS`) I added a config option to change the behavior of the reader from waiting for more events to stopping.
I also had to add `shutdown_timeout` option to make Winlogbeat wait for events to finish publishing before exiting.
To keep it simple, globs are not supported. This would have required the introduction of a "prospector" to continuously monitor the glob for new / moved / deleted files.
winlogbeat.event_logs:
- name: ${EVTX_FILE}
no_more_events: stop
winlogbeat.shutdown_timeout: 30s
winlogbeat.registry_file: evtx-registry.yml
output.elasticsearch.hosts: ['http://localhost:9200']
Closes elastic#4450
andrewkroh
force-pushed
the
feature/wlb/evtx-file-support
branch
from
28ec9a7
to
e2fb70d
Compare
|
can no_more_events only be stop? |
|
Great .... this will solve my problem. Now only 7.1. has to be released soon. Thanks for this feature! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This gives Winlogbeat the ability to read from archived .evtx files. The
nameparameter recognizes that the value is absolute path and then uses the appropriate APIs to open the file and ingest its contents. In order to support the use case of reading from a file and then exiting when there are no more events (ERROR_NO_MORE_ITEMS) I added a config option to change the behavior of the reader from waiting for more events to stopping.I also had to add
shutdown_timeoutoption to make Winlogbeat wait for events to finish publishing before exiting.To keep it simple, globs are not supported. This would have required the introduction of a "prospector" to continuously monitor the glob for new / moved / deleted files.
In the FAQ I added an example of how to use this feature.
Closes #4450
TODOlog.file.pathwhen reading from an .evtx file?