Hi all,
Total noob here with Elastic, so hopefully you can help.
I'm running a Graylog server which uses an Elasticsearch backend, and I have winlogbeat installed on all PCs via the Graylog Collector Sidecar.
My current config is:
winlogbeat.event_logs:
  - name: System
    level: critical, error, warning
  - name: Security
    level: critical, error, warning
  - name: Application
    level: critical, error, warning
This works fine.
I'm looking to be able to also capture SOME informational event IDs, such as account logons/logoffs.
In order to do this, I want to effectively say:
winlogbeat.event_logs:
  - name: System
    level: critical, error, warning
  - name: Security
    level: critical, error, warning
    # AND event IDs 4264 and 4634
  - name: Application
    level: critical, error, warning
Is this possible?
Thanks,
Matt Dobson