Hello, I wanted to know if it's possible to add a filter in Winlogbeat to only have the activity of a specific folder and all the files inside it, and of the folder itself if it is renamed, deleted or something else.
For example, I filtered all Winlogbeat data with:
- One host (host.ip): the IP of the server where I created a shared folder with file auditing on, to get the logs in the Event Viewer.
- One kind of event.code: 4663 (An attempt was made to access an object)
- Where this happened (winlog.event_data.ObjectName), which is the path to the file or folder (the object) where something happened
- Maybe the action in the "message" field, like DELETE for example
I can do this for each file, but not for all files, like * after the folder path C:\Program Files\Test ELK\*
And it doesn't work with "*" after the "\"
I also tried this but the query isn't accepted