Multiple Microsoft EVT files | Log collection solutions

#1 Fravocado 4 years ago

Hello,

I've read a few posts about ingesting multiple .evt files using the im_msvista module. Is there a way to do this?

I can point to one, but I need to look at several.

thank you! Franz

Permalink

#2 Zhengshi Nxlog ✓ 4 years ago

#1 Fravocado

Hello, I've read a few posts about ingesting multiple .evt files using the im_msvista module. Is there a way to do this? I can point to one, but I need to look at several. thank you! Franz

Hello,

Unfortunately you can only use one File directive. You could use include_stdout directive to pull in your files as a script though.
Basically your script would need to build an Input instance for each file and output in a for loop, for instance.
https://nxlog.co/documentation/nxlog-user-guide/ref-config.html#config_general_include_stdout

Write-Output from PowerShell can do the task.
Something like the following maybe. Has not been tested.

$files = Get-ChildItem 'C:\test\' -Filter *.evt
foreach ($f in $files){
    $fname = $f.FullName
    $name = $f.BaseName
    Write-Output "<Input in_$name>`n    Module    im_msvistalog`n    File    $fname`n</Input>"
}

Please see the .cmd file in the DHCP Audit log section for how to embed a powershell script in CMD. https://nxlog.co/documentation/nxlog-user-guide/windows-dhcp-server.html#collecting-dhcp-server-audit-logs

You will need to update your Route as well (or let the auto-built route handle it) .

That should work for you