Can I ingest specific log files using winlogbeat?

Hello,

I would just like to ask whether I can ingest a specific log file using Winlogbeat.

If yes, can you provide a structure or a link on how to do it? I tried researching it and had no luck finding an answer.

Right now, here are my Winlogbeat-specific options settings:

# ======================== Winlogbeat specific options =========================

# event_logs specifies a list of event logs to monitor as well as any
# accompanying options. The YAML data type of event_logs is a list of
# dictionaries.
#
# The supported keys are name (required), tags, fields, fields_under_root,
# forwarded, ignore_older, level, event_id, provider, and include_xml. Please
# visit the documentation for the complete details of each option.
# https://go.es.io/WinlogbeatConfig

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h

  - name: System

  - name: Security
    processors:
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js

  - name: Microsoft-Windows-Sysmon/Operational
    processors:
      - script:
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

  - name: Windows PowerShell
    event_id: 400, 403, 600, 800
    processors:
      - script:
          lang: javascript
          id: powershell
          file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106
    processors:
      - script:
          lang: javascript
          id: powershell
          file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

  - name: ForwardedEvents
    tags: [forwarded]
    processors:
      - script:
          when.equals.winlog.channel: Security
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js
      - script:
          when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
      - script:
          when.equals.winlog.channel: Windows PowerShell
          lang: javascript
          id: powershell
          file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
      - script:
          when.equals.winlog.channel: Microsoft-Windows-PowerShell/Operational
          lang: javascript
          id: powershell
          file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

Sorry, I'm just a newbie in ELK.
Thank you.

Hi @rrrrrrrrrrr

Welcome to the community. Winlogbeat is a specific agent for capturing Windows logs. If you want logs from a specific application, you can use Filebeat by setting the path of the log you want to collect.

Configure project paths | Filebeat Reference [8.1] | Elastic

Best regards

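To make the answer concrete, here is a Filebeat configuration that collects one application's text log file on a Windows host, running side by side with the Winlogbeat instance shown above. This is an added example, not the thread's own configuration or Elastic's reference config; the application name, the log directory and the timestamp pattern used to stitch multi-line entries are assumptions for illustration and must be replaced with the real ones.

```yaml
# filebeat.yml (added example; the MyApp name and paths are assumptions)
# Filebeat reads plain text files line by line, which is what a
# per-application log file is. Winlogbeat's event_logs.name refers to an
# event-log channel (or an exported .evtx file), not a text file, so the
# channel-based config posted above cannot pick this file up.

filebeat.inputs:
  - type: filestream
    # Each filestream input needs a unique id so its read offsets are tracked separately.
    id: myapp-logs
    enabled: true
    paths:
      # A single explicit file, or a glob for rotated files in the same directory.
      - 'C:\ProgramData\MyApp\logs\app.log'
      - 'C:\ProgramData\MyApp\logs\app-*.log'
    # Skip files not modified in the last 72h, mirroring the Application channel above.
    ignore_older: 72h
    # Tag and label events so they can be filtered separately from Winlogbeat data.
    tags: ["myapp"]
    fields:
      app: myapp
    fields_under_root: true
    parsers:
      # Stack-trace style continuation lines (those NOT starting with a
      # YYYY-MM-DD timestamp) are appended to the preceding line, so one
      # event is indexed per log entry instead of per physical line.
      - multiline:
          type: pattern
          pattern: '^\d{4}-\d{2}-\d{2}'
          negate: true
          match: after

output.elasticsearch:
  hosts: ["https://localhost:9200"]
  # Prefer a dedicated API key or a least-privilege publishing user over elastic/superuser.
  api_key: "id:api_key"
```

Before starting the service, validate the file with `filebeat.exe test config -c filebeat.yml` and the connection with `filebeat.exe test output -c filebeat.yml`; both commands exist in Filebeat 8.x. Using a separate `id` per input and `fields_under_root` keeps the `app` field at the top level of each document, which makes it easy to distinguish these events from the `winlog.*` documents produced by Winlogbeat in the same index or data view.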

Welcome to our community! :smiley: Also, please don't use all caps in topic titles.

Definitely use Filebeat for this, not Winlogbeat.


Apologies for the title. Thank you for your answer :innocent:


Thank you for explaining this to me. I just thought that it's possible, but yeah, your answer makes sense since I'm also using Filebeat for another application. :clap:
