Event log rate and indicators

Hello, I'm about to install Winlogbeat on some of our production servers as part of testing Elastic Stack and I was wondering if Winlogbeat provides any indicator of not being able to keep up with the Windows event log message generation rate i.e. the event logs are generated so fast that Winlogbeat can't collect them quick enough.

I ask because in my previous job we used a proprietary SIEM solution and the agent would have trouble keeping up with the Domain Controller security log which was constantly thrashed - if it couldn't keep up there would be an alert on the console.

Is there any way Winlogbeat will let me know if it can't keep up with the event log message rate?

Thanks.

There are no built in alerts. You could create a metric using Logstash that measures message lag. You could measure the difference in the time of receipt to the event creation time in Windows. Another thing you could look for is gaps in the record ID sequence for a given event log.
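The two checks suggested above (receipt-time minus creation-time lag, and gaps in the record ID sequence per channel) as an added, stand-alone example, not code from the thread or from Elastic. It assumes Winlogbeat's ECS field names `@timestamp` (time the event was created in Windows), `event.created` (time the beat read it), `winlog.channel` and `winlog.record_id`; confirm these against your Winlogbeat version. The input documents are constructed, not captured from a real host.

```python
"""Lag and record-ID gap check over Winlogbeat-style NDJSON documents."""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample documents (not real data): one record with a 5.5 minute
# lag and a missing pair of record IDs (1002, 1003) in the Security channel.
SAMPLE_NDJSON = """
{"@timestamp":"2024-01-10T10:00:00.000Z","event":{"created":"2024-01-10T10:00:01.000Z"},"winlog":{"channel":"Security","record_id":1000}}
{"@timestamp":"2024-01-10T10:00:00.500Z","event":{"created":"2024-01-10T10:00:01.100Z"},"winlog":{"channel":"Security","record_id":1001}}
{"@timestamp":"2024-01-10T10:00:01.000Z","event":{"created":"2024-01-10T10:05:31.000Z"},"winlog":{"channel":"Security","record_id":1004}}
{"@timestamp":"2024-01-10T10:00:02.000Z","event":{"created":"2024-01-10T10:00:03.000Z"},"winlog":{"channel":"System","record_id":50}}
{"@timestamp":"2024-01-10T10:00:03.000Z","event":{"created":"2024-01-10T10:00:04.000Z"},"winlog":{"channel":"System","record_id":51}}
"""

def parse_ts(value):
    # datetime.fromisoformat only accepts a trailing "Z" from Python 3.11 on.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def lag_seconds(doc):
    """Seconds between the Windows creation time and when the beat read it."""
    return (parse_ts(doc["event"]["created"]) - parse_ts(doc["@timestamp"])).total_seconds()

def record_id_gaps(docs):
    """Missing record_id ranges per channel as (channel, first_missing, last_missing)."""
    by_channel = defaultdict(list)
    for d in docs:
        by_channel[d["winlog"]["channel"]].append(d["winlog"]["record_id"])
    gaps = []
    for channel, ids in by_channel.items():
        ids.sort()
        for prev, cur in zip(ids, ids[1:]):
            if cur - prev > 1:
                gaps.append((channel, prev + 1, cur - 1))
    return gaps

def check_lag(ndjson, max_lag_seconds=60.0):
    """Summarise worst lag, records over the lag threshold, and record ID gaps."""
    docs = [json.loads(line) for line in ndjson.strip().splitlines()]
    slow = [(d["winlog"]["channel"], d["winlog"]["record_id"], lag_seconds(d))
            for d in docs if lag_seconds(d) > max_lag_seconds]
    return {"max_lag": max(lag_seconds(d) for d in docs),
            "slow": slow, "gaps": record_id_gaps(docs)}

if __name__ == "__main__":
    print(check_lag(SAMPLE_NDJSON))
```

A record ID gap can also follow a Winlogbeat restart or a channel being cleared, so treat a gap as a signal to investigate alongside the lag metric rather than as proof of dropped events on its own.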

Thank you very much, Logstash metrics seem to be the way to do it.
