Did you know that you can ship Windows event logs with osquery? Just use the windows_events evented table, which by default gets logs from the following channels: System, Security, and Application. The channel list is configurable, so you can ship those awesome Sysmon logs as well.
What about parsing them? As you can see from this issue, all fields parse correctly except for event_data, which has a \x0A at the end of some nested JSON. Once this is removed, you can parse as normal JSON.
Here is how I got event_data parsed correctly with Logstash:
https://gist.github.com/defensivedepth/39d97a43f001e5331c620d799bd89d33
-Josh
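As an added example (not the post's own method and not the contents of the linked Logstash gist), here is a small Python helper that strips the stray \x0A and then parses the nested JSON. It assumes the post's column name event_data and a results-log line shaped like osquery's scheduled-query output; the sample line is constructed, and because the post does not say whether the \x0A is the four literal characters or a raw line feed, the helper removes both.

```python
"""Hypothetical helper: clean and parse the event_data field of osquery
windows_events records. Not code from the post or the linked gist."""
import json
import re

# Trailing junk to remove from the nested JSON string: one or more literal
# "\x0A" sequences (backslash, x, 0, A) and/or real newlines or whitespace.
_TRAILING_JUNK = re.compile(r'(?:\\x0A|\s)+$')


def clean_event_data(raw: str) -> str:
    """Remove the stray \\x0A (literal or real) from the end of the nested JSON."""
    return _TRAILING_JUNK.sub('', raw)


def parse_event_data(raw: str) -> dict:
    """Return the nested JSON as a dict after cleaning the trailing \\x0A.

    Any other defect still raises json.JSONDecodeError, so a pipeline can route
    the record to a dead-letter path instead of silently dropping it."""
    return json.loads(clean_event_data(raw))


def parse_result_line(line: str) -> dict:
    """Parse one osquery results-log line and replace columns.event_data
    (a JSON string) with the parsed object."""
    record = json.loads(line)
    columns = record["columns"]
    columns["event_data"] = parse_event_data(columns["event_data"])
    return record


# Constructed sample: the nested event_data string ends in a literal \x0A,
# exactly the defect the post describes. Built with json.dumps so that the
# outer-JSON escaping of the nested quotes and backslash is correct.
NESTED = '{"EventData":{"Image":"svchost.exe","ProcessId":"1234"}}'
SAMPLE_LINE = json.dumps({
    "name": "windows_events", "action": "added", "hostIdentifier": "win-host",
    "columns": {"source": "Microsoft-Windows-Sysmon/Operational", "eventid": "1",
                "event_data": NESTED + "\\x0A"},
})

if __name__ == "__main__":
    print(json.dumps(parse_result_line(SAMPLE_LINE), indent=2))
```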