I've pulled down the latest public VM and using it to analyze some Windows Event Logs. I used KAPE to collect and do initial parsing with the KAPE SOF-ELK module to get the json files and copied them into the appropriate Logstash directory. I see events showing up in Kibana but none of the Sysmon events are showing up. It appears all other event log events are parsed and ingested just not Sysmon. I pulled up my FOR509 SOF-ELK VM from a class earlier this year and it did parse and ingest all of the event logs and I see Sysmon events.
I've pulled down the latest public VM and using it to analyze some Windows Event Logs. I used KAPE to collect and do initial parsing with the KAPE SOF-ELK module to get the json files and copied them into the appropriate Logstash directory. I see events showing up in Kibana but none of the Sysmon events are showing up. It appears all other event log events are parsed and ingested just not Sysmon. I pulled up my FOR509 SOF-ELK VM from a class earlier this year and it did parse and ingest all of the event logs and I see Sysmon events.