elastic / beats

:tropical_fish: Beats - Lightweight shippers for Elasticsearch & Logstash
https://www.elastic.co/products/beats

winlogbeat can't read evtx file continuously #33048

Open yueguiji opened 2 years ago

yueguiji commented 2 years ago

In my case, I used winlogbeat to read an evtx file. In the beginning it worked well for the task; the evtx file was read quickly. But suddenly I found a problem: if the evtx file is being written all the time (for example C:\Windows\System32\winevt\Logs\Security.evtx), winlogbeat only reads up to winlogbeat's start time, so I need to restart winlogbeat to read all the data.

How can I solve this problem?

elasticmachine commented 2 years ago

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

andrewkroh commented 2 years ago

The .evtx reading feature is meant for use with archived logs. If you want to read from the active Security channel then configure Winlogbeat to read from the channel rather than a file.

winlogbeat.event_logs:
  - name: Security

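As an added illustration (not from this thread and not the Beats project's own files), the two modes the reply above distinguishes, written out as Winlogbeat configuration: a live-channel read that follows the Security log as it grows, and a one-shot read of an archived .evtx file. The file path, the event-ID selection and the `ignore_older` value are illustrative choices; `no_more_events: stop` is the documented way to make a file read terminate instead of waiting forever, and because it stops the whole shipper it is kept in a separate config rather than mixed with the live channel.

```yaml
# winlogbeat.yml for the long-running collector (added example, assumed settings)
winlogbeat.event_logs:
  # Live channel: Winlogbeat subscribes to the Security log and keeps
  # receiving new events as they are written. The read position is
  # bookmarked in the registry file, so a restart resumes where it left off
  # instead of re-reading or skipping events.
  - name: Security
    # Illustrative filter: logon/logoff, explicit-credential use,
    # privileged logon and account creation. Not from the issue.
    event_id: 4624, 4625, 4648, 4672, 4720
    ignore_older: 72h   # skip backlog older than three days on first start

output.elasticsearch:
  hosts: ["https://elasticsearch.example.internal:9200"]   # assumed host

---
# winlogbeat-archive.yml for one-shot ingestion of an exported log
# (run as a separate process: `winlogbeat.exe -c winlogbeat-archive.yml`)
winlogbeat.event_logs:
  # Archived file: when `name` is a path to an .evtx file, Winlogbeat reads
  # that file once. This is the mode meant for exported/archived logs;
  # events appended to the file after the read starts are not followed.
  - name: 'C:\logs\archive\Security-2022-09.evtx'   # illustrative path
    # Stop the reader at end of file instead of waiting for more events.
    # This also stops the Winlogbeat process, which is why this entry is
    # not combined with the live Security channel above.
    no_more_events: stop

output.elasticsearch:
  hosts: ["https://elasticsearch.example.internal:9200"]   # assumed host
```

The practical check after a restart is to look at the bookmark for `Security` in the registry file (`data\.winlogbeat.yml` under the install directory by default): with the channel configuration it advances as new events arrive, while a file-path entry is drained once and then sits idle (default) or stops (with `no_more_events: stop`).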
yueguiji commented 2 years ago

The evtx file is shared on my network, like \\it-data\log\xxx_last.evtx; this isn't a local disk, so I can't read it as a channel.

yueguiji commented 2 years ago

I tried to fix this problem in my code, but I see a new problem: if the evtx file grows over 2 GB, it is replaced by a new file with the same name. In that case the exe shuts down.

It's too hard to get working.

botelastic[bot] commented 1 year ago

Hi! We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1:. Thank you for your contribution!

elasticmachine commented 9 months ago

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)