Can I filter the logs using event IDs?

(Thy Fere) #1

I am shipping auditing logs from Windows boxes to an Elasticsearch server. I want to ship only the auditing logs from the computer. How can I do it using Winlogbeat?

(Harry) #2

You can use something like this (in version 5):

```yaml
winlogbeat:
  event_logs:
    - name: Security
      include_xml: true
      level: info
      event_id: 4624, 4625, 4648, 4735, 4728, 4732, 4756, 4740
      provider:
        - Microsoft-Windows-Security-Auditing
```

You can also check this post: Winlogbeat - Select events by level, event_id, and provider #1218.
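To see which events such a configuration lets through before shipping anything, here is an added example (not code from the original post or from Winlogbeat) that simulates the `event_id` and `provider` filtering over a few constructed Security events. It assumes the syntax documented for `event_logs.event_id`: single IDs to include, ranges such as `4720-4740`, and leading-minus IDs to exclude.

```python
"""Simulate Winlogbeat's event_logs.event_id / provider filter (added example)."""
import re

def parse_event_id_filter(spec):
    """Return (include_ranges, excluded_ids) from an event_id string.

    Assumed syntax: comma-separated list of single IDs (4624),
    inclusive ranges (4720-4740) and exclusions (-4730).
    """
    include, exclude = [], set()
    for token in (t.strip() for t in str(spec).split(",")):
        if not token:
            continue
        if token.startswith("-"):
            exclude.add(int(token[1:]))
        elif (m := re.fullmatch(r"(\d+)-(\d+)", token)):
            include.append((int(m.group(1)), int(m.group(2))))
        else:
            n = int(token)
            include.append((n, n))
    return include, exclude

def event_id_allowed(event_id, include, exclude):
    """Exclusions win; an empty include list means 'everything'."""
    if event_id in exclude:
        return False
    if not include:
        return True
    return any(lo <= event_id <= hi for lo, hi in include)

def filter_events(events, event_id_spec, providers):
    """Keep events whose provider is listed and whose ID passes the filter."""
    include, exclude = parse_event_id_filter(event_id_spec)
    return [e for e in events
            if e["provider"] in providers
            and event_id_allowed(e["event_id"], include, exclude)]

# Constructed sample: a filter spec and five events as Winlogbeat might read them.
FILTER_SPEC = "4624, 4625, 4648, 4720-4740, -4730"
PROVIDERS = ["Microsoft-Windows-Security-Auditing"]
SAMPLE_EVENTS = [
    {"event_id": 4624, "provider": "Microsoft-Windows-Security-Auditing"},  # listed
    {"event_id": 4672, "provider": "Microsoft-Windows-Security-Auditing"},  # not listed
    {"event_id": 4732, "provider": "Microsoft-Windows-Security-Auditing"},  # in range
    {"event_id": 4730, "provider": "Microsoft-Windows-Security-Auditing"},  # excluded
    {"event_id": 4624, "provider": "Other-Provider"},                       # wrong provider
]

if __name__ == "__main__":
    for e in filter_events(SAMPLE_EVENTS, FILTER_SPEC, PROVIDERS):
        print(e["event_id"], e["provider"])
```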

(Andrew Kroh) #3

See the event_logs.event_id documentation for version 5.

(Andrew Kroh) #4