What types of logs can be taken from Winlogbeat?


(Dv Thiyanesh) #1

I have a doubt. I have to take logs from one Windows machine, and the main criterion is that I want a log that has information on URL access, use drive access and print access.
For that, which type of beat should I use: is Winlogbeat enough, or do I need Filebeat?

  1. I have used Winlogbeat, but it gives only information about booting and OS information,
     and I need the logs of those.
     What can I do?

  2. In one scenario we have 100 clients, and each has a beat; from those clients we take the logs and send them to only one Logstash on a server machine. Doing this, the network gets slow because it sends huge logs. For that, can we take only specific logs from the machine using a beat?
     Is there any idea about it?


(Andrew Kroh) #2

There are many different Windows event logs providing all kinds of details about what the operating system and users are doing. Some of those logs may require additional GPO settings to enable more detailed audit logging. If you want anything more than the events from the Application, System, and Security event logs then you must add those logs to your Winlogbeat configuration file.

Beyond what Windows natively writes to the event logs, there are tools such as Sysmon that collect a great deal of information about the system and write it to an event log. You can then use Winlogbeat to collect these events.

You'll need to research the event logs to see if there are events reported for the specific actions that you are interested in. If you can provide more details about what you want to monitor I can see if I can find anything.

I don't fully understand this question. You can apply filters on the Winlogbeat side to limit the events that are sent to LS. You can also run more than one LS instance and configure Winlogbeat to load balance between them. Or you can front the LS instances with a TCP load balancer.
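An added example (not from this thread, and not the poster's own configuration) of a winlogbeat.yml that does what the reply above describes: it adds the Sysmon channel next to the three default logs, narrows each log with an event_id filter and a drop_event processor so fewer events cross the network, and load balances across two Logstash instances. The hostnames, the chosen event IDs and the winlog.* field naming (Winlogbeat 7+) are assumptions.

```yaml
# Assumed example winlogbeat.yml; hostnames and event IDs are placeholders.
winlogbeat.event_logs:
  # Default channels, but only the events you actually need.
  - name: Application
    ignore_older: 72h
  - name: System
    ignore_older: 72h
  - name: Security
    # 4663 = object access (needs "Audit Object Access" enabled by GPO),
    # 4688 = process creation (needs "Audit Process Creation").
    event_id: 4663, 4688
    ignore_older: 72h
  # Sysmon must be installed; it writes to its own channel.
  - name: Microsoft-Windows-Sysmon/Operational
    # 1 = process create, 3 = network connection, 11 = file create
    event_id: 1, 3, 11
    ignore_older: 72h

# Drop events at the client before they reach Logstash.
processors:
  - drop_event:
      when:
        equals:
          # Sysmon "Image" field: skip events caused by Winlogbeat itself.
          winlog.event_data.Image: 'C:\Program Files\Winlogbeat\winlogbeat.exe'

# Two Logstash instances; Winlogbeat spreads batches across both.
output.logstash:
  hosts: ["logstash-1.example.local:5044", "logstash-2.example.local:5044"]
  loadbalance: true
```

Check the effect with `winlogbeat test config` and `winlogbeat test output` before rolling it out to all 100 clients.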


(Dv Thiyanesh) #3

What is meant by Logstash instance?


(Andrew Kroh) #4

One server running Logstash.


(system) closed #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.