Hi!
In order to collect powershell logs by winlogbeat 6.8, I tried to change config file just adding 2 rows under
winlogbeat.event_logs:
-name: Windows Powershell
-name: Microsoft-Windows-Powershell/Operational
Unfortunately, as a result, I see powershell logs only from system. Has anybody faced with this issue?
Does the winlogbeat log contain any warnings or errors?
I notice a case issue with the names. Powershell should be PowerShell. Maybe that's the issue.
- name: Windows PowerShell
- name: Microsoft-Windows-PowerShell/Operational
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.