Yes, Winlogbeat can ingest archived .evtx files. When you set the
parameter as the absolute path to an event log file it will read from that file.
Here’s an example. First create a new config file for Winlogbeat.
namewill be set to the value of the
no_more_eventssets the behavior of Winlogbeat when Windows reports that there are no more events to read. We want Winlogbeat to stop rather than wait since this is an archived file that will not receive any more events.
shutdown_timeoutcontrols the maximum amount of time Winlogbeat will wait to finish publishing the events to Elasticsearch after stopping because it reached the end of the log.
- A separate registry file is used to avoid overwriting the default registry file. You can delete this file after you’re done ingesting the .evtx data.
Now execute Winlogbeat and wait for it to complete. It will exit when it’s done.
.\winlogbeat.exe -e -c .\winlogbeat-evtx.yml -E EVTX_FILE=c:\backup\Security-2019.01.evtx