Good Afternoon. I have now been using and testing Elastic Stack for over a month and have been able to get pretty far in it. I am working with WinLogBeats, FileBeats and MetricBeats (all at version 7.12.1) now, and one of the SRTMs that I need to answer is the ability to monitor account creation/deletion.
To that end I have created a new user account on my test machine. I know the time and date that I created the account, I have the Event Viewer log with the information regarding the process name, the Log group (Security) and the event id.
In terms of ELK configuration I have the xpack.monitoring.collection.enabled;
xpack.security.enabled; (in ElasticSearch.yml)
xpack.security.authc.api_key.enabled (in ElasticSearch.yml)
WinLogBeats is running and generating data every day. I am trying to run code similar to the following, but I know I am missing something that will bring up the information I am looking for.
I have tried multiple combinations and cannot get any data.
If anyone can point me in the direction I should be going it would be greatly appreciated.
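As an added example that is not part of the original post, the following Python script shows the filter a defender would run against Winlogbeat data to surface local account creation and deletion: the standard Windows Security audit event IDs 4720 (user account created) and 4726 (user account deleted), restricted to the Security channel. It builds the Elasticsearch query DSL that would be sent to the `winlogbeat-*` index and applies the same logic offline to a handful of constructed ECS-style documents. The sample documents, host name and user names are constructed for the example; the field names (`event.code`, `winlog.channel`, `winlog.event_data.TargetUserName`) follow the Winlogbeat 7.x ECS layout, and the index pattern is an assumption about the poster's setup.

```python
"""Filter Winlogbeat Security events for Windows account creation/deletion.

Added example (not from the original post). Event IDs 4720/4726 are the
standard Windows Security audit IDs; the documents below are constructed to
mirror the ECS fields Winlogbeat 7.x writes, and winlogbeat-* is assumed as
the target index.
"""
import json

# Windows Security audit IDs for the local user-account lifecycle.
# Winlogbeat 7.x stores event.code as a keyword (string), so keys are strings.
ACCOUNT_EVENT_IDS = {
    "4720": "user account created",
    "4726": "user account deleted",
}

# Constructed sample documents (not real log data), shaped like Winlogbeat output.
SAMPLE_EVENTS = [
    {"@timestamp": "2021-05-10T14:02:11.000Z",
     "event": {"code": "4720", "provider": "Microsoft-Windows-Security-Auditing"},
     "winlog": {"channel": "Security",
                "event_data": {"TargetUserName": "testuser",
                               "SubjectUserName": "Administrator"}},
     "host": {"name": "TESTPC"}},
    # Noise: an interactive logon, same channel, different event ID.
    {"@timestamp": "2021-05-10T14:03:40.000Z",
     "event": {"code": "4624", "provider": "Microsoft-Windows-Security-Auditing"},
     "winlog": {"channel": "Security",
                "event_data": {"TargetUserName": "testuser", "LogonType": "2"}},
     "host": {"name": "TESTPC"}},
    # Noise: a System-channel event that must not match even if its code collided.
    {"@timestamp": "2021-05-10T14:05:02.000Z",
     "event": {"code": "7036", "provider": "Service Control Manager"},
     "winlog": {"channel": "System", "event_data": {"param1": "Winlogbeat"}},
     "host": {"name": "TESTPC"}},
    {"@timestamp": "2021-05-11T09:15:27.000Z",
     "event": {"code": "4726", "provider": "Microsoft-Windows-Security-Auditing"},
     "winlog": {"channel": "Security",
                "event_data": {"TargetUserName": "testuser",
                               "SubjectUserName": "Administrator"}},
     "host": {"name": "TESTPC"}},
]


def account_lifecycle_query(event_ids=ACCOUNT_EVENT_IDS, since="now-7d"):
    """Elasticsearch query DSL to POST to winlogbeat-*/_search (assumed index).

    A bool 'filter' is used rather than 'must' because these are exact-match
    keyword clauses: no scoring is needed and the result can be cached.
    """
    return {
        "query": {"bool": {"filter": [
            {"term": {"winlog.channel": "Security"}},
            {"terms": {"event.code": sorted(event_ids)}},
            {"range": {"@timestamp": {"gte": since}}},
        ]}},
        "sort": [{"@timestamp": "asc"}],
    }


def account_lifecycle_kql(event_ids=ACCOUNT_EVENT_IDS):
    """Equivalent KQL for the Kibana Discover search bar."""
    codes = " or ".join(sorted(event_ids))
    return f'winlog.channel : "Security" and event.code : ({codes})'


def filter_account_events(events, event_ids=ACCOUNT_EVENT_IDS):
    """Apply the same channel + event-code filter locally to ECS documents.

    Returns one flat record per match: when, on which host, what happened,
    which account was affected, and which account performed the change.
    """
    hits = []
    for doc in events:
        code = str(doc.get("event", {}).get("code", ""))
        winlog = doc.get("winlog", {})
        if winlog.get("channel") != "Security" or code not in event_ids:
            continue
        data = winlog.get("event_data", {})
        hits.append({
            "timestamp": doc.get("@timestamp"),
            "host": doc.get("host", {}).get("name"),
            "action": event_ids[code],
            "target_user": data.get("TargetUserName"),
            "actor": data.get("SubjectUserName"),
        })
    return hits


if __name__ == "__main__":
    print(json.dumps(account_lifecycle_query(), indent=2))
    print(account_lifecycle_kql())
    for hit in filter_account_events(SAMPLE_EVENTS):
        print(f"{hit['timestamp']} {hit['host']}: {hit['action']} "
              f"'{hit['target_user']}' by '{hit['actor']}'")
```

Two checks worth making if the query returns nothing: 4720/4726 are only written when "Audit User Account Management" is enabled in the local (or domain) audit policy, and for domain accounts they land in the Security log of the domain controller that processed the change rather than on the workstation where the account was used. The Winlogbeat `security` module also normalises these events into ECS `event.action` values, but filtering on `event.code` as above works whether or not the module is enabled.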