we have UF on Linux machine and we monitor a directory we upload all evtx file to that directory and index them to the windows machine indexer with no luck.
is it possible to do this or we need to use windows machine as UF.
Thank you.
Evtx files are binary. They can only be opened by the windows event viewer.
You should use wef to forward events to a wef collector, and ingest them on that server with a UF
not sure but i have seen it working. the only limitation is that I am using a Linux box as universal forwarder and the indexer is windows and it can use whatever dll or api is needed to open the evtx file.