
Best practice for local Evtx ingestion

Open aarislarsen opened this issue 6 months ago • 8 comments

What is the optimal way to ingest offline copies of extracted Windows Event Logs (evtx files) into SOF-ELK?

I love working in SOF-ELK, but I find myself in the situation over and over again where I'm handed exported event logs from a high enough number of hosts that manual analysis becomes a pain. Whenever this happens, I reach for EvtxECmd and convert them to JSON with evtxecmd.exe -d d:\logs --json -D d:\json, of course having run evtxecmd.exe --sync first. As long as the naming convention is maintained for the output file, they get picked up easily enough by SOF-ELK when placed in the /logstash/kape/ folder; however, I find over and over again that events are missing when searching through the evtxlogs-* index.

In spite of having been around for so long, I find that there is very little on this topic anywhere, so I really wanted to ask what the most effective and reliable way of getting Windows Event Logs into SOF-ELK is, or whether SOF-ELK simply isn't the right tool for doing this type of work at scale.

In my current use case I have event logs collected from a Windows Server 2016 via wevtutil epl, in an environment where I control all the audit settings. As such I've confirmed that the expected logging is enabled, and I can see events like 4624 and 4625 on the respective hosts. Running those logs through EvtxECmd and looking at the resulting JSON, I can also see those events here, but when ingested in SOF-ELK, none of them seem to be present. Plenty of other events are there, just not the ones I'm really looking for.

I've tried ingesting the raw Evtx files using https://github.com/blardy/evtx2elk and https://github.com/dgunter/evtxtoelk, resulting in the same issue, so I'm really at a loss as to what is going wrong here.

So how do YOU ingest Evtx when testing the SOF-ELK build?

aarislarsen · Aug 02 '24 11:08
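A pre-ingestion sanity check for the workflow described in the post, added here as an example and not code from SOF-ELK, EvtxECmd or the poster: before dropping EvtxECmd output into /logstash/kape/, tally events per channel and event ID straight from the JSON lines, note any lines a JSON codec would reject, and reconcile those tallies against a count taken from the evtxlogs-* index so that "4624 is in the file but not in the index" becomes a concrete per-ID delta rather than a hunch. The sample records are constructed; the field names EventId, Channel and Computer are assumed to follow the EvtxECmd JSON layout, and the index-side counts are a hand-built stand-in for whatever an aggregation over evtxlogs-* would return.

```python
import json
from collections import Counter

# Constructed sample in the one-event-per-line JSON shape EvtxECmd --json
# writes (field names EventId/Channel/Computer assumed). Line 5 is
# deliberately not JSON to show how a damaged line is surfaced.
SAMPLE_JSONL = """\
{"EventId": 4624, "Channel": "Security", "Computer": "srv01.example.local", "TimeCreated": "2024-07-30T08:01:12.0000000Z"}
{"EventId": 4625, "Channel": "Security", "Computer": "srv01.example.local", "TimeCreated": "2024-07-30T08:02:40.0000000Z"}
{"EventId": 4688, "Channel": "Security", "Computer": "srv01.example.local", "TimeCreated": "2024-07-30T08:03:05.0000000Z"}
{"EventId": 7045, "Channel": "System", "Computer": "srv01.example.local", "TimeCreated": "2024-07-30T08:04:00.0000000Z"}
this line is not JSON and would be dropped by a JSON codec
{"EventId": 4624, "Channel": "Security", "Computer": "srv01.example.local", "TimeCreated": "2024-07-30T08:05:55.0000000Z"}
"""

# Constructed stand-in for per-(Channel, EventId) document counts pulled
# from the evtxlogs-* index after ingestion (e.g. a terms aggregation).
# Here the two 4624s and the 4625 never made it in, mirroring the post.
INDEX_COUNTS = Counter({
    ("Security", 4688): 1,
    ("System", 7045): 1,
})


def summarize_events(jsonl_text):
    """Count events per (Channel, EventId) and list line numbers that fail to parse."""
    counts = Counter()
    bad_lines = []
    for lineno, line in enumerate(jsonl_text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            bad_lines.append(lineno)
            continue
        counts[(rec.get("Channel"), rec.get("EventId"))] += 1
    return counts, bad_lines


def missing_event_ids(counts, expected):
    """Return expected event IDs that occur in no channel of the parsed output."""
    present = {event_id for (_channel, event_id) in counts}
    return sorted(set(expected) - present)


def reconcile(file_counts, index_counts):
    """Map each (Channel, EventId) whose file and index counts differ to (file, index)."""
    deltas = {}
    for key in set(file_counts) | set(index_counts):
        f, i = file_counts.get(key, 0), index_counts.get(key, 0)
        if f != i:
            deltas[key] = (f, i)
    return deltas


def main():
    counts, bad = summarize_events(SAMPLE_JSONL)
    print("events per (channel, id) in file:", dict(counts))
    print("unparseable lines:", bad)
    print("expected IDs absent from file:", missing_event_ids(counts, [4624, 4625, 4648]))
    for key, (f, i) in sorted(reconcile(counts, INDEX_COUNTS).items()):
        print(f"mismatch {key}: file={f} index={i}")


if __name__ == "__main__":
    main()
```

Run against a real EvtxECmd output directory by feeding each file's text to summarize_events and replacing INDEX_COUNTS with counts pulled from the index; a non-empty reconcile result tells you exactly which channel/ID pairs were lost between the JSON and the evtxlogs-* index, and a non-empty bad_lines list points at output the codec would silently skip.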