Event log rate and indicators

kernelpanic · April 7, 2017, 12:51pm

Hello, I'm about to install Winlogbeat on some of our production servers as part of testing Elastic Stack and I was wondering if Winlogbeat provides any indicator of not being able to keep up with the Windows event log message generation rate i.e. the event logs are generated so fast that Winlogbeat can't collect them quick enough.

I ask because in my previous job we used a proprietary SIEM solution and the agent would have trouble keeping up with the Domain Controller security log which was constantly thrashed - if it couldn't keep up there would be an alert on the console.

Is there anyway Winlogbeat will let me know if it can't keep up with the event log message rate?

Thanks.

andrewkroh · April 7, 2017, 1:21pm

There are no built in alerts. You could create a metric using Logstash that measures message lag. You could measure the difference in the time of receipt to the event creation time in Windows. Another thing you could look for is gaps in the record ID sequence for a given event log.

kernelpanic · April 7, 2017, 1:48pm

Thankyou very much, Logstash metrics seems to be the way to do it.

system · May 5, 2017, 1:58pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Winlogbeat unable to keep up with AD security logs Beats winlogbeat	1	387	January 21, 2021
Winlogbeat performance Beats winlogbeat	1	407	February 17, 2023
Winlogbeat loses some events from Microsoft-IIS-Logging/Logs Beats windows , winlogbeat	2	1939	May 15, 2020
Trying to get some more throughput from Winlogbeat Beats winlogbeat	2	544	February 5, 2018
Monitoring winlogbeat service Beats winlogbeat	1	346	August 27, 2019

Event log rate and indicators

Related Topics