Hello, I would like to send only active directory logs with specific Id from logstash to Elasticsearch. Please! What config do I need to do at logstash configuration file to achieve this? example of event_Id:"4625"===> "An account failed to log on", thanks!!!!

Filter Active Directory logs

wwalker (Walker) March 15, 2018, 7:43pm 3

Use the Winlogbeat Beats agent. You can specify which logs and event IDs you'd like to have sent over.

winlogbeat.event_logs:
  - name: Security
    event_id: 4624, 4625, 4700-4800, -4735

1 Like

Topic		Replies	Views
Drop entire log if condition is met Logstash	3	764	July 6, 2017
Logstash input with filtered output Logstash	9	577	April 9, 2021
Can I filter the logs using event IDs? Beats winlogbeat	3	4650	April 12, 2016
Outputting logs to specific index depending on log_name Logstash	1	505	January 5, 2019
Filtering Winlogbeat on Event ID Beats winlogbeat	8	10130	July 5, 2017