Provide a way of shipping eventlog from file #42

Open
kunisen opened this issue Jan 23, 2018 · 5 comments

Comments


kunisen commented Jan 23, 2018

For all general issues, please provide the following details for fast resolution:

  • Version: Logstash 5.6
  • Operating System: Linux
  • Config: e.g. path => "/data/event_log/xxx.evtx"
  • Sample Data: Any .evtx file.
  • Description: We have logstash-input-eventlog to pull the event log from Windows by using @eventlog = Win32::EventLog.open(@logfile).

https://github.com/logstash-plugins/logstash-input-eventlog/blob/master/lib/logstash/inputs/eventlog.rb#L49

Is there a way to ship event log file from a directory specified path?
Or could we implement this feature in the future?
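As an added illustration of what a reader for a file path such as "/data/event_log/xxx.evtx" would have to deal with (this is example code, not part of the issue and not code from logstash-input-eventlog or winlogbeat), the Ruby below classifies a file as .evtx, legacy .evt or unknown by its leading bytes, decodes the EVTX file header and verifies its CRC32 before any shipping step. It assumes the EVTX on-disk layout: an "ElfFile\0" signature, a 128-byte header whose CRC32 at offset 0x7C covers the first 120 bytes, a 4 KiB header block, and 64 KiB chunks each starting with "ElfChnk\0". The sample image it builds is constructed data, not a real Windows log; the function and constant names are the example's own.

```ruby
# Minimal EVTX file inspector (added example; not plugin code).
require "zlib"

EVTX_FILE_SIGNATURE    = "ElfFile\x00".b  # 8-byte magic at offset 0 of an .evtx file
EVTX_CHUNK_SIGNATURE   = "ElfChnk\x00".b  # 8-byte magic at the start of each 64 KiB chunk
EVT_LEGACY_SIGNATURE   = "LfLe".b         # legacy .evt files carry this at offset 4
EVTX_HEADER_BLOCK_SIZE = 4096             # the file header occupies the first 4 KiB block
EVTX_CHUNK_SIZE        = 64 * 1024

# Classify a file by its leading bytes: "evtx", "evt" or "unknown".
def classify_log_file(data)
  return "evtx" if data.byteslice(0, 8) == EVTX_FILE_SIGNATURE
  return "evt" if data.bytesize >= 8 && data.byteslice(4, 4) == EVT_LEGACY_SIGNATURE
  "unknown"
end

# Decode the 128-byte EVTX file header. The CRC32 stored at offset 0x7C covers
# the first 120 bytes, so a truncated or hand-edited header is caught here.
def parse_evtx_file_header(data)
  raise ArgumentError, "file too short for an EVTX header" if data.bytesize < 128
  raise ArgumentError, "missing ElfFile signature" unless data.byteslice(0, 8) == EVTX_FILE_SIGNATURE

  first_chunk, last_chunk, next_record_id, header_size,
    minor_version, major_version, block_size, chunk_count =
    data.byteslice(8, 36).unpack("Q<Q<Q<L<S<S<S<S<")
  flags, stored_crc = data.byteslice(0x78, 8).unpack("L<L<")
  computed_crc = Zlib.crc32(data.byteslice(0, 120))

  {
    first_chunk: first_chunk,
    last_chunk: last_chunk,
    next_record_id: next_record_id,
    header_size: header_size,
    version: [major_version, minor_version],
    header_block_size: block_size,
    chunk_count: chunk_count,
    flags: flags,
    checksum_ok: stored_crc == computed_crc
  }
end

# Offsets of chunks whose ElfChnk signature is present; chunks follow the header block.
def evtx_chunk_offsets(data, header)
  (0...header[:chunk_count]).map { |i| header[:header_block_size] + i * EVTX_CHUNK_SIZE }
                            .select { |off| data.byteslice(off, 8) == EVTX_CHUNK_SIGNATURE }
end

# Construct a synthetic EVTX image (header plus empty chunks) so the inspector
# can run offline. Constructed data, not a real Windows log.
def build_sample_evtx(chunk_count: 2, corrupt_checksum: false)
  header = EVTX_FILE_SIGNATURE.dup
  header << [0, chunk_count - 1, 42, 128, 1, 3, EVTX_HEADER_BLOCK_SIZE, chunk_count].pack("Q<Q<Q<L<S<S<S<S<")
  header << ("\x00".b * (0x78 - header.bytesize))   # reserved bytes up to the flags field
  header << [0].pack("L<")                           # flags
  crc = Zlib.crc32(header.byteslice(0, 120))
  crc ^= 0xDEADBEEF if corrupt_checksum
  header << [crc].pack("L<")
  header << ("\x00".b * (EVTX_HEADER_BLOCK_SIZE - header.bytesize))
  chunks = (EVTX_CHUNK_SIGNATURE + ("\x00".b * (EVTX_CHUNK_SIZE - 8))) * chunk_count
  header + chunks
end

# Inspect a file on disk, e.g. the "/data/event_log/xxx.evtx" path from the issue.
def inspect_log_file(path)
  data = File.binread(path)
  kind = classify_log_file(data)
  return { kind: kind } unless kind == "evtx"
  header = parse_evtx_file_header(data)
  header.merge(kind: kind, chunks_found: evtx_chunk_offsets(data, header).size)
end
```

A file-path input would run something like inspect_log_file on each path before handing the file to a record parser; rejecting files whose signature or header checksum does not match keeps a corrupt or mislabelled file from being shipped as if it were a valid event log.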


jsvd commented Jan 23, 2018

Can you clarify a bit more what is the architecture you're looking for?
You want to grab event log data into evtx files on windows, ship them to linux and process them on linux?
Have you tried using winlogbeat on windows?


kunisen commented Jan 24, 2018

Thanks, Joao! @jsvd

Yes, the goal is to collect the .evtx log (generated by a customized application, but it can be opened by the Windows Event Viewer).
The path is like "C:\data\event_log\xxx.evtx".
We want to collect it (no matter whether on Windows or Linux) from the specified path, and ship it to Elasticsearch.

Logstash is not essential. Winlogbeat is also good to be a resolution if it is possible.

One more thing: sorry, I didn't test the behavior of winlogbeat.
But from the description below, it looks like even if we use winlogbeat, we could still only specify the logs that can be retrieved from the "Get-EventLog *" PowerShell cmdlet.

So it might be difficult for the user to specify the path directly.
(The user might need to import the .evtx file to his Windows OS at first, and use the powershell cmdlet to get event log name.)

https://www.elastic.co/guide/en/beats/winlogbeat/master/configuration-winlogbeat-options.html#configuration-winlogbeat-options-event_logs-name


RealLinkers commented Jul 6, 2018

Having the same issue. None of the Beats agents can process evt/evtx files.


kunisen commented Jul 20, 2018

Sorry for the direct ping.
Do we have any updates here 😄 @jsvd


jsvd commented Jul 30, 2018

Any updates will be visible here; there's no one who is very familiar with this environment/technology to implement reading from files without a considerable amount of effort/time.
On the winlogbeat side, the desire for the feature is mentioned in elastic/beats#465 (comment), but there hasn't been much demand, hence the low priority.

I'm more than happy to review someone's attempt at adding this feature here.
