Did you know that you can ship Windows event logs with osquery? Just use the windows_events evented table, which by default collects from the System, Security, and Application channels. The channel list is configurable (osquery's --windows_event_channels flag takes a comma-separated list of channel names), so you can ship those awesome Sysmon logs as well by adding the Microsoft-Windows-Sysmon/Operational channel.
What about parsing them? As you can see from this issue, all fields parse correctly except for event_data, which has a stray \x0A (a trailing newline) at the end of some of its nested JSON. Once that trailing \x0A is removed, event_data parses as normal JSON.

Here is how I got event_data parsed correctly with Logstash:
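The strip-then-parse step described above, as an added Python example that is not part of the original post and is not the author's Logstash configuration. It builds a constructed osquery result line (the field names follow the windows_events table, but the host name and the Sysmon event payload are invented), removes the stray trailing \x0A from the data column, whether it arrives as a real newline or as the escaped literal text, and only then hands the string to the JSON parser. It also shows that the naive parse really does fail on the unstripped string.

```python
import json
import re
from typing import Any, Dict, Union

# Constructed sample (assumption about the shape, not a real capture): the
# event's nested JSON, terminated by the literal four characters \x0A rather
# than a real newline. "\x" is not a valid JSON escape, so json.loads on this
# exact string fails with "Extra data".
EVENT_DATA_RAW = (
    '{"EventData":{"Image":"C:\\\\Windows\\\\System32\\\\cmd.exe",'
    '"CommandLine":"cmd.exe /c whoami","User":"WIN-TEST\\\\alice"}}\\x0A'
)

# One osquery result line as a JSON logger would emit it (field names from the
# windows_events table; the host identifier and timestamp are invented).
SAMPLE_RESULT_LINE = json.dumps({
    "name": "windows_events",
    "hostIdentifier": "WIN-TEST",
    "action": "added",
    "columns": {
        "datetime": "2019-01-01T00:00:00Z",
        "source": "Microsoft-Windows-Sysmon/Operational",
        "eventid": "1",
        "data": EVENT_DATA_RAW,
    },
})

# Trailing junk to remove before parsing: the escaped literal \x0A, an escaped
# literal \n, or any real trailing whitespace (a real newline included).
_TRAILING_JUNK = re.compile(r"(?:\\x0A|\\n|\s)+$")


def clean_event_data(raw: str) -> str:
    """Strip the stray trailing newline in whichever form it arrived."""
    return _TRAILING_JUNK.sub("", raw)


def naive_parse_fails(raw: str) -> bool:
    """True when json.loads rejects the string as-is (the reported symptom)."""
    try:
        json.loads(raw)
    except json.JSONDecodeError:
        return True
    return False


def parse_event_data(raw: Union[str, Dict[str, Any]]) -> Dict[str, Any]:
    """Decode the nested event JSON after cleaning it.

    If the logger already emitted an object instead of a string, pass it
    through unchanged so the function is safe on both shapes.
    """
    if isinstance(raw, dict):
        return raw
    return json.loads(clean_event_data(raw))


def parse_result_line(line: str) -> Dict[str, Any]:
    """Parse one osquery result line and replace the string-valued data column
    with the decoded object under the key event_data, which is what a cleaned
    field followed by a JSON filter produces in a log pipeline."""
    event = json.loads(line)
    cols = event["columns"]
    cols["event_data"] = parse_event_data(cols.pop("data"))
    return event


if __name__ == "__main__":
    print("naive parse fails:", naive_parse_fails(EVENT_DATA_RAW))
    parsed = parse_result_line(SAMPLE_RESULT_LINE)
    print(json.dumps(parsed["columns"]["event_data"], indent=2))
```

The same two steps in Logstash are a mutate filter whose gsub option removes the trailing \x0A from the field, followed by the json filter with source pointing at that field and target naming where the decoded object should land; the regex in the mutate filter needs the backslash doubled, just as it does in the Python pattern above.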