I’ll look for it. Trying to judge which method is best: osquery writes to the Windows event log and Winlogbeat picks it up with the rest of my event logs, osquery reads the event logs and writes them to osqueryd.results.log and Filebeat picks it up, or send to Kafka directly from osquery.
04/26/2018, 5:53 PM
Honestly you should consider WEC if you're looking for something resilient and scalable.
04/27/2018, 4:25 PM
I agree WEC/WEF is a good idea, but it doesn’t fit our existing log forwarding infrastructure, and the time and cost to get that going seem prohibitive when I have 3 tools (and probably more if I did an audit) on the boxes that already ship logs, and two do it extremely efficiently. I just don’t see a win in setting up the size of infrastructure I’d need. But good suggestion, it just doesn’t fit my environment.