Read archived .evtx files with Winlogbeat #11361
Merged
Commits on Apr 8, 2019
-
Read archived .evtx files with Winlogbeat
This gives Winlogbeat the ability to read from archived .evtx files. The `name` parameter recognizes that the value is absolute path and then uses the appropriate APIs to open the file and ingest its contents. In order to support the use case of reading from a file and then exiting when there are no more events (`ERROR_NO_MORE_ITEMS`) I added a config option to change the behavior of the reader from waiting for more events to stopping. I also had to add `shutdown_timeout` option to make Winlogbeat wait for events to finish publishing before exiting. To keep it simple, globs are not supported. This would have required the introduction of a "prospector" to continuously monitor the glob for new / moved / deleted files. winlogbeat.event_logs: - name: ${EVTX_FILE} no_more_events: stop winlogbeat.shutdown_timeout: 30s winlogbeat.registry_file: evtx-registry.yml output.elasticsearch.hosts: ['http://localhost:9200'] Closes elastic#4450 -
-
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.