Log collection for evtx files
I have a log collection requirement for Windows servers in a private cloud or DMZ; the only thing provided is log files in evtx format (Windows event log files). I am wondering whether there is any way to integrate those event log files into RSA SA as "file" event sources?
1. Event log files are extracted from those servers, with the extension evtx, monthly
2. Event log files are saved to a shared folder as a zip file, and the shared folder can be accessed through the LAN network.
Con O'Donnell
You can use a syslog forwarder like EventReporter. It can monitor dynamic evtx log files and forward them via syslog.
Some time ago, I used the Windows Legacy collection protocol, but I think that it works only on evt and not evtx.
Maybe there is another way; check with support.
I tried removing the "x" from evtx; Windows Legacy was able to process it, but it was discovered as unknown. We need to make a parser and also a method to convert the extension. Not sure how to convert the extension of large files.
The client doesn't want to pursue a Windows forwarding mechanism to an aggregate server where then Netwitness can pull logs from the single (aggregate) server? What is the reason for pulling the .evtx files monthly? Is this a strict customer requirement?
The client has a strict requirement to collect the logs from some applications (MS Azure). The collection is not a continuous one; the logs are stored for some time and are expected to be processed by RSA SA. I believe that if the file extension is .evtx, we will not be able to use the "file collection method".
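One practical way to bridge the gap discussed in this thread (monthly zipped .evtx archives on a share, and a collector that only understands text "file" sources) is to render the offline .evtx files to plain-text lines on a Windows host before the collector picks them up. The script below is an added example written for this thread; it is not RSA/NetWitness code and not from any poster. The share path, output folder, and the one-line-per-event format are assumptions; adjust them to the collector's parser. It uses only built-in cmdlets (Expand-Archive, Get-WinEvent -Path), so no agent or forwarder is required, and it streams events so large files are not loaded into memory at once.

```powershell
# Added example (not from the thread or from RSA/NetWitness): convert monthly .evtx archives
# dropped on a share into one text log per .evtx file that a file-based collector can read.
# Assumed (hypothetical) paths: $ShareRoot (where the zips land) and $OutRoot (collector watch folder).
param(
    [string]$ShareRoot = '\\fileserver\evtx-drop',   # assumed UNC path to the shared folder
    [string]$OutRoot   = 'D:\logs\converted',        # assumed folder the file collector watches
    [string]$WorkRoot  = "$env:TEMP\evtx-work"       # scratch area for unzipped .evtx files
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Force -Path $OutRoot, $WorkRoot | Out-Null

function Convert-EvtxToText {
    param([string]$EvtxPath, [string]$OutFile)
    # -Path reads an offline .evtx file; -Oldest returns events in chronological order.
    # ForEach-Object streams, so a multi-GB file is never held in memory at once.
    Get-WinEvent -Path $EvtxPath -Oldest | ForEach-Object {
        # Message is $null when the provider's message DLL is not installed on this host
        # (common when parsing another server's logs); fall back to the raw event XML so
        # nothing is silently dropped. Newlines are flattened to keep one event per line.
        $msg = if ($_.Message) { $_.Message -replace '\r?\n', ' ' } else { $_.ToXml() }
        '{0} {1} EventID={2} Level={3} Provider={4} Channel={5} {6}' -f $_.TimeCreated.ToString('o'), $_.MachineName, $_.Id, $_.LevelDisplayName, $_.ProviderName, $_.LogName, $msg
    } | Out-File -FilePath $OutFile -Encoding utf8 -Append
}

foreach ($zip in Get-ChildItem -Path $ShareRoot -Filter '*.zip' -File) {
    $work = Join-Path $WorkRoot $zip.BaseName
    Expand-Archive -Path $zip.FullName -DestinationPath $work -Force
    foreach ($evtx in Get-ChildItem -Path $work -Filter '*.evtx' -Recurse -File) {
        # Output name keeps the archive (month) and channel so the collector sees unique files.
        $out = Join-Path $OutRoot ("{0}_{1}.log" -f $zip.BaseName, $evtx.BaseName)
        Convert-EvtxToText -EvtxPath $evtx.FullName -OutFile $out
        Write-Host "Converted $($evtx.Name) -> $out"
    }
    Remove-Item -Path $work -Recurse -Force
}
```

Run it from a scheduled task on a host that can reach the share and that the collector can read from; the one-event-per-line output is what a file-collection parser can be written against, and the ISO-8601 timestamp in each line preserves the original event time even though the batch is processed weeks later. Check the fallback path on a sample file first: if many lines come out as raw XML, the parsing host is missing the message DLLs for those providers, and the parser should be built for the XML form rather than the rendered message.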