Derek Armstrong
No worries. I think it is likely more of a module-only tool as well.
Just wondering if anything in the Elastic Common Schema might be of use here? https://github.com/elastic/ecs
It appears there is not a memory profile for 18895. I am having the same issue with a Windows 2012 R2 server that has a build number of 19968.
@Pierre450 Understood. Doesn't help much with my current engagement but will be trying the storage account method in the future.
I gave Invictus-Suite a try. It uses the command I listed in the original issue. I tried importing the resulting file, and the same outcome. It would only parse it...
I saw that the files I was trying to play with were in UTF-8 when the signin logs from Invictus were in UTF-16. But since the parser is forcing UTF-8,...