Read archived .evtx files with Winlogbeat#11361
Merged
andrewkroh merged 3 commits intoelastic:masterfrom Apr 9, 2019
Merged
Conversation
Member
Author
|
With this enhancement in place it will make it easier to test the development of event processing pipelines since you can playback stored event logs. Aside from that, this has been a much requested feature. |
Contributor
|
Pinging @elastic/secops |
This was referenced Mar 21, 2019
853dae6 to
28ec9a7
Compare
This gives Winlogbeat the ability to read from archived .evtx files. The `name` parameter recognizes that the value is absolute path and then uses the appropriate APIs to open the file and ingest its contents. In order to support the use case of reading from a file and then exiting when there are no more events (`ERROR_NO_MORE_ITEMS`) I added a config option to change the behavior of the reader from waiting for more events to stopping.
I also had to add `shutdown_timeout` option to make Winlogbeat wait for events to finish publishing before exiting.
To keep it simple, globs are not supported. This would have required the introduction of a "prospector" to continuously monitor the glob for new / moved / deleted files.
winlogbeat.event_logs:
- name: ${EVTX_FILE}
no_more_events: stop
winlogbeat.shutdown_timeout: 30s
winlogbeat.registry_file: evtx-registry.yml
output.elasticsearch.hosts: ['http://localhost:9200']
Closes elastic#4450
28ec9a7 to
e2fb70d
Compare
|
can no_more_events only be stop? |
|
Great .... this will solve my problem. Now only 7.1. has to be released soon. Thanks for this feature! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This gives Winlogbeat the ability to read from archived .evtx files. The
nameparameter recognizes that the value is absolute path and then uses the appropriate APIs to open the file and ingest its contents. In order to support the use case of reading from a file and then exiting when there are no more events (ERROR_NO_MORE_ITEMS) I added a config option to change the behavior of the reader from waiting for more events to stopping.I also had to add
shutdown_timeoutoption to make Winlogbeat wait for events to finish publishing before exiting.To keep it simple, globs are not supported. This would have required the introduction of a "prospector" to continuously monitor the glob for new / moved / deleted files.
In the FAQ I added an example of how to use this feature.
Closes #4450
TODOlog.file.pathwhen reading from an .evtx file?