Collecting powershell logs with the old beat version

Anna_Foxx · March 29, 2021, 9:08am

Hi!

In order to collect powershell logs by winlogbeat 6.8, I tried to change config file just adding 2 rows under

winlogbeat.event_logs:
-name: Windows Powershell
-name: Microsoft-Windows-Powershell/Operational

Unfortunately, as a result, I see powershell logs only from system. Has anybody faced with this issue?

andrewkroh · March 30, 2021, 2:15pm

Does the winlogbeat log contain any warnings or errors?

I notice a case issue with the names. Powershell should be PowerShell. Maybe that's the issue.

  - name: Windows PowerShell
  - name: Microsoft-Windows-PowerShell/Operational

system · April 27, 2021, 4:16pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Winlogbeat and Scheduled Task Logs (or others) Beats winlogbeat	5	2294	July 17, 2018
WinlogBeat DNS analytical log capture Beats winlogbeat	2	3911	March 9, 2019
Using Channel Names in Winlogbeat Config Beats winlogbeat	5	2049	April 12, 2016
Winlogbeat service stopped automaticly Beats windows , winlogbeat	3	1083	November 1, 2020
Can winlogbeat works with powershell version 2? Beats winlogbeat	3	1034	August 5, 2016