Offline Logs Monitoring
Good Day, I have a requirement to monitor logs for a server that's offline; the only way for me to retrieve the logs is by exporting them to a USB. I wanted to ask if anyone has come across this, whereby they would export logs, then import them to Netwitness.
Is it possible to import the event logs into another system of the same OS (I think some events are tied to DLLs specific to an OS type) that is online?
If you can import the evtx files to this online host and it's configured to have its events read by NW via WMI, then you can mark that host using an apprule or feed as your 'offline' loader host (and which offline host it's reading) and get the events into NW from there.
Haven't tried it, and haven't heard of this as a requirement, but some quick googling appears to show there is a method to kill services.exe (I think) to force that service to shut down, then import the events so they can be read from the normal event channels.
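As an added example (not code from the thread above or from Netwitness), here is the USB-export step done in a way that keeps the exported files verifiable on the online side: export each channel with `wevtutil epl`, archive the locale message metadata alongside it so records can still be rendered on a host that lacks the original provider DLLs (the concern raised in the question), write a SHA-256 manifest, and on the online host verify the manifest before reading the files with `Get-WinEvent -Path`. The channel list, drive letters and folder names are assumptions; wiring the online host into NW collection (WMI, app rule or feed) is outside this snippet.

```powershell
# Added example, not from the original thread. Channel names, the USB drive
# letter and the import path are assumptions for illustration.

# --- On the offline host: export channels and write a hash manifest ---
$Channels   = @('Security', 'System', 'Application')   # assumed channels to collect
$ExportRoot = 'E:\evtx-export'                          # assumed USB drive letter
$Stamp      = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')
$OutDir     = Join-Path $ExportRoot "$env:COMPUTERNAME-$Stamp"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

foreach ($ch in $Channels) {
    # Channel names such as Microsoft-Windows-PowerShell/Operational contain '/', so sanitise
    $file = Join-Path $OutDir ("{0}.evtx" -f ($ch -replace '[\\/]', '-'))
    # epl = export-log: writes the channel to a standalone .evtx file
    wevtutil epl $ch $file
    # al = archive-log: stores locale message metadata next to the file so the events
    # render on a host that does not have this provider's manifest/DLLs installed
    wevtutil al $file /l:en-US
}

# The manifest lets the online side detect altered or truncated files after the USB hop
Get-ChildItem $OutDir -Filter *.evtx -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object @{ n = 'Name'; e = { Split-Path $_.Path -Leaf } }, Hash |
    Export-Csv -Path (Join-Path $OutDir 'manifest.csv') -NoTypeInformation

# --- On the online host: verify the manifest before trusting the files ---
$Import   = 'E:\evtx-export\OFFLINEHOST-20240101T000000Z'   # assumed path on the online host
$Manifest = Import-Csv (Join-Path $Import 'manifest.csv')
$bad = foreach ($m in $Manifest) {
    $actual = (Get-FileHash -Algorithm SHA256 -Path (Join-Path $Import $m.Name)).Hash
    if ($actual -ne $m.Hash) { $m.Name }
}
if ($bad) { throw "Manifest mismatch for: $($bad -join ', ')" }

# Read the exported file directly rather than injecting it into the local channels.
# MachineName on each record still identifies the offline host that produced it.
Get-WinEvent -Path (Join-Path $Import 'Security.evtx') -MaxEvents 20 |
    Select-Object TimeCreated, MachineName, Id, ProviderName
```

Reading the .evtx with `Get-WinEvent -Path` avoids having to stop any service on the online host, and the `MachineName` field in each record carries the offline host's name, which is the value you would key an app rule or feed on to tag those events as coming from the offline system. If the message text comes back empty for some providers, the metadata archived by `wevtutil al` (a LocaleMetaData folder beside the file) must be copied to the online host together with the .evtx.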