This documentation contains work-in-progress information for future Elastic Stack and Cloud releases. Use the version selector to view supported release docs. It also contains some Elastic Cloud serverless information. Check out our serverless docs for more details.
Not sure how to read from .evtx files
editNot sure how to read from .evtx files
editYes, Winlogbeat can ingest archived .evtx files. When you set the name
parameter as the absolute path to an event log file it will read from that file.
Here’s an example. First create a new config file for Winlogbeat.
winlogbeat-evtx.yml
winlogbeat.event_logs:
- name: ${EVTX_FILE}
no_more_events: stop
winlogbeat.shutdown_timeout: 30s
winlogbeat.registry_file: evtx-registry.yml
output.elasticsearch.hosts: ['http://localhost:9200']
-
namewill be set to the value of theEVTX_FILEenvironment variable. -
no_more_eventssets the behavior of Winlogbeat when Windows reports that there are no more events to read. We want Winlogbeat to stop rather than wait since this is an archived file that will not receive any more events. -
shutdown_timeoutcontrols the maximum amount of time Winlogbeat will wait to finish publishing the events to Elasticsearch after stopping because it reached the end of the log. - A separate registry file is used to avoid overwriting the default registry file. You can delete this file after you’re done ingesting the .evtx data.
Now execute Winlogbeat and wait for it to complete. It will exit when it’s done.
.\winlogbeat.exe -e -c .\winlogbeat-evtx.yml -E EVTX_FILE=c:\backup\Security-2019.01.evtx