Hi,
I am shipping auditing logs from Windows boxes to Elasticsearch server. I want to ship only auditing logs from the computer, how can I do it using Winlogbeat?
You can use something like this (in version 5):

```yaml
winlogbeat:
  event_logs:
    - name: Security
      include_xml: true
      level: info
      event_id: 4624, 4625, 4648, 4735, 4728, 4732, 4756, 4740
      provider:
        - Microsoft-Windows-Security-Auditing
```

You can also check this post: Winlogbeat - Select events by level, event_id, and provider #1218

See the event_logs.event_id documentation for version 5.
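The `event_id` setting in the answer above is a comma-separated whitelist; the Winlogbeat 5 documentation also allows ranges such as `4700-4800` and exclusions with a leading minus such as `-4735`, and the `provider` list further restricts which source's events are shipped. The following Python script, which is an added example and not code from the original thread or from Winlogbeat itself, models that filter logic locally so you can check what a given `event_id` / `provider` setting would select before deploying it. The exact precedence (exclusions win over inclusions; an empty include list means "all IDs") is assumed from the Winlogbeat 5 docs, and the sample events are constructed for illustration.

```python
import re
from typing import Iterable, List, Optional, Set, Tuple

Range = Tuple[int, int]

# Constructed sample events, not taken from the original post.
SAMPLE_EVENTS = [
    {"event_id": 4624, "provider": "Microsoft-Windows-Security-Auditing"},  # logon
    {"event_id": 4625, "provider": "Microsoft-Windows-Security-Auditing"},  # failed logon
    {"event_id": 4735, "provider": "Microsoft-Windows-Security-Auditing"},  # group changed
    {"event_id": 4768, "provider": "Microsoft-Windows-Security-Auditing"},  # Kerberos TGT
    {"event_id": 5156, "provider": "Microsoft-Windows-Security-Auditing"},  # filtering platform
    {"event_id": 4624, "provider": "Constructed-Test-Provider"},            # wrong source
]


def parse_event_id_filter(spec: str) -> Tuple[List[Range], List[Range]]:
    """Parse a Winlogbeat-style event_id string into (includes, excludes).

    Accepts single IDs ("4624"), ranges ("4700-4800") and negated items
    ("-4735" or "-4700-4800"), separated by commas.
    """
    includes: List[Range] = []
    excludes: List[Range] = []
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        negate = token.startswith("-")
        if negate:
            token = token[1:].strip()
        m = re.fullmatch(r"(\d+)(?:\s*-\s*(\d+))?", token)
        if not m:
            raise ValueError(f"invalid event_id item: {token!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if lo > hi:
            raise ValueError(f"range start exceeds end: {token!r}")
        (excludes if negate else includes).append((lo, hi))
    return includes, excludes


def event_id_matches(event_id: int, includes: List[Range], excludes: List[Range]) -> bool:
    """Exclusions take precedence; with no includes every non-excluded ID matches."""
    if any(lo <= event_id <= hi for lo, hi in excludes):
        return False
    if not includes:
        return True
    return any(lo <= event_id <= hi for lo, hi in includes)


def select_events(events: Iterable[dict], event_id_spec: str,
                  providers: Optional[Set[str]] = None) -> List[dict]:
    """Return the events a Winlogbeat event_log entry with these settings would ship."""
    includes, excludes = parse_event_id_filter(event_id_spec)
    selected = []
    for ev in events:
        if providers is not None and ev["provider"] not in providers:
            continue
        if event_id_matches(ev["event_id"], includes, excludes):
            selected.append(ev)
    return selected


if __name__ == "__main__":
    # The filter from the answer above, restricted to the auditing provider.
    spec = "4624, 4625, 4648, 4735, 4728, 4732, 4756, 4740"
    for ev in select_events(SAMPLE_EVENTS, spec, {"Microsoft-Windows-Security-Auditing"}):
        print(ev["event_id"], ev["provider"])
```

Running the script with the answer's own `event_id` list prints only 4624, 4625 and 4735 from the auditing provider; the 4624 event from the other provider is dropped by the `provider` restriction, which is the behaviour you want when the goal is to ship auditing logs and nothing else.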