
winlogbeat can't read evtx file continuing #33048

Open
yueguiji opened this issue Sep 11, 2022 · 6 comments
Labels
question Team:Security-Windows Platform Windows Platform Team in Security Solution Winlogbeat

Comments

@yueguiji
Copy link

In my case, I used Winlogbeat to read an evtx file.
In the beginning it worked well for the task; the evtx file was read quickly.
But suddenly I found a problem: if the evtx file is being written to all the time (for example C:\Windows\System32\winevt\Logs\Security.evtx), Winlogbeat only reads up to Winlogbeat's start time, so I need to restart Winlogbeat to read all the data.

How can I solve this problem?

@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Sep 11, 2022
@elasticmachine
Copy link
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Sep 19, 2022
@andrewkroh
Copy link
Member

The .evtx reading feature is meant for use with archived logs. If you want to read from the active Security channel then configure Winlogbeat to read from the channel rather than a file.

winlogbeat.event_logs:
  - name: Security
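For comparison, here is a winlogbeat.yml fragment showing the two modes side by side: the file reader for an archived, no-longer-written .evtx export, and the channel reader for a live log such as Security. This is an added example, not configuration from the issue or from the Winlogbeat project; the path under `C:\archive\` is a constructed placeholder, and the `no_more_events: stop` setting is assumed to be the option that makes the file reader exit once it reaches the end of the file instead of waiting for more events.

```yaml
winlogbeat.event_logs:
  # Archived export: the file is complete and will not grow, so the file
  # reader is appropriate. Winlogbeat treats a name ending in .evtx as a
  # file path (constructed placeholder path).
  - name: 'C:\archive\Security-2022-09-01.evtx'
    # Assumed option: stop once the end of the file is reached rather than
    # waiting for events that an archived file will never receive.
    no_more_events: stop

  # Live log: read the channel itself so events written after Winlogbeat
  # starts are picked up continuously, with the read position checkpointed.
  - name: Security
    ignore_older: 72h

output.elasticsearch:
  hosts: ["localhost:9200"]   # constructed placeholder output
```

The practical distinction is what each reader tracks: the channel reader keeps a bookmark in the Winlogbeat registry and resumes from it across restarts, whereas the file reader is a one-shot pass over a static file and is not designed to follow a file that Windows is still appending to, which is exactly the behaviour the reporter observed.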

@yueguiji
Copy link
Author

yueguiji commented Oct 15, 2022

The .evtx reading feature is meant for use with archived logs. If you want to read from the active Security channel then configure Winlogbeat to read from the channel rather than a file.

winlogbeat.event_logs:
  - name: Security

The evtx file is shared on my computer, like \\it-data\log\xxx_last.evtx.
It isn't on a local disk, so I can't read it as a channel.

@yueguiji
Copy link
Author

The .evtx reading feature is meant for use with archived logs. If you want to read from the active Security channel then configure Winlogbeat to read from the channel rather than a file.

winlogbeat.event_logs:
  - name: Security

I tried to fix this problem in my code,
but I see a new problem: if the evtx file exceeds 2 GB, it is replaced by a new file with the same name.
In that case the exe shuts down.

It's too hard to make it work.

@botelastic
Copy link

botelastic bot commented Oct 15, 2023

Hi!
We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1:.
Thank you for your contribution!

@botelastic botelastic bot added the Stalled label Oct 15, 2023
@norrietaylor norrietaylor added Team:Security-Windows Platform Windows Platform Team in Security Solution and removed Team:Security-External Integrations labels Jan 31, 2024
@elasticmachine
Copy link
Collaborator

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)

@botelastic botelastic bot removed the Stalled label Jan 31, 2024