Hello guys,
I'm trying the following configuration:
winlogbeat.event_logs:
  - name: Application
    level: critical, error, warning
    ignore_older: 48h
  - name: Security
    event_id: 500-820
    level: critical, error, warning, information
    ignore_older: 48h
  - name: System
    level: critical, error, warning
    ignore_older: 48h

output.logstash:
  hosts:
    - 10.1.10.30:5044

logging.to_files: true
logging.files:
  path: C:/ProgramData/winlogbeat/Logs
logging.level: info
The level filtering seems to be working, but as soon as I add the event_id range I stop getting any logs.
best,
Lyubo
Are you sure that there is new data coming in that matches your filter? When you add filters like this Winlogbeat creates a query that it passes to Windows such that Windows only sends the matching events. For example, your Security log will use a query like:
<QueryList>
  <Query Id="0">
    <Select Path="Security">*[System[TimeCreated[timediff(@SystemTime) &lt;= 172800000] and (EventID >= 500 and EventID <= 820) and (Level = 1 or Level = 2 or Level = 3 or Level = 0 or Level = 4)]]</Select>
  </Query>
</QueryList>
If you enable debug logging for Winlogbeat it will write these XML queries to the log file. If you want to play with the query more, you can paste it into the Windows Event Viewer and see what it matches. https://blogs.technet.microsoft.com/askds/2011/09/26/advanced-xml-filtering-in-the-windows-event-viewer/
Hello Andrew,
I think that the actual range was the problem. It seems that I was using outdated information. It seems to work fine with other ranges, for example 4800-4803.
Thanks for your clarification.
best,
Lyubo
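The following is an added example, not code from the thread or from Winlogbeat itself. It rebuilds an XML query of the shape Andrew shows above from the same three settings (ignore_older, event_id range, level names) and runs it through Get-WinEvent, so a filter can be checked for matches before it goes into winlogbeat.yml; the two calls at the bottom compare the original 500-820 range with the 4800-4803 range from the follow-up. The function names are hypothetical, the level-name mapping is taken from the numeric values in Andrew's query (information = 0 or 4), and only a single `low-high` range or a single ID is handled; Winlogbeat's real query builder may emit additional clauses. The Security log needs an elevated prompt.

```powershell
# Added example: approximate the XPath query Winlogbeat builds for one
# event_logs entry and test it against the local event log with Get-WinEvent.
# Level numbers mirror the query quoted in the thread; the rest is an assumption.

function New-WinlogbeatQuery {
    param(
        [Parameter(Mandatory)] [string]   $LogName,
        [string[]] $Level = @(),          # e.g. critical,error,warning,information
        [string]   $EventId = '',         # e.g. '500-820' or '4624' (single range/ID only)
        [int]      $IgnoreOlderHours = 48 # ignore_older, in hours
    )
    # Same numeric levels as the query Andrew posted (information = LogAlways or Informational)
    $levelMap = @{ critical = @(1); error = @(2); warning = @(3); information = @(0, 4); verbose = @(5) }

    $clauses = @()
    # ignore_older becomes timediff() in milliseconds; '<' must be escaped inside XML content
    $clauses += "TimeCreated[timediff(@SystemTime) &lt;= $($IgnoreOlderHours * 3600000)]"

    if ($EventId -match '^(\d+)-(\d+)$') {
        $clauses += "(EventID >= $($Matches[1]) and EventID <= $($Matches[2]))"
    } elseif ($EventId) {
        $clauses += "EventID = $EventId"
    }

    if ($Level.Count -gt 0) {
        # ForEach-Object flattens the @(0, 4) entry, giving 1,2,3,0,4 for the four names used in the thread
        $nums = $Level | ForEach-Object { $levelMap[$_.ToLower().Trim()] }
        $clauses += '(' + (($nums | ForEach-Object { "Level = $_" }) -join ' or ') + ')'
    }

@"
<QueryList>
  <Query Id="0">
    <Select Path="$LogName">*[System[$($clauses -join ' and ')]]</Select>
  </Query>
</QueryList>
"@
}

function Test-WinlogbeatQuery {
    param([Parameter(Mandatory)] [string] $Xml, [int] $Max = 10)
    # Get-WinEvent raises a non-terminating error when nothing matches; treat that as zero hits
    $events = @(Get-WinEvent -FilterXml $Xml -MaxEvents $Max -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Matched = $events.Count
        Sample  = $events | Select-Object -First 3 Id, TimeCreated, LevelDisplayName
    }
}

# The range from the original config versus the one that worked in the follow-up
$levels = 'critical', 'error', 'warning', 'information'
$oldQuery = New-WinlogbeatQuery -LogName Security -EventId '500-820'   -Level $levels
$newQuery = New-WinlogbeatQuery -LogName Security -EventId '4800-4803' -Level $levels

$oldQuery; Test-WinlogbeatQuery -Xml $oldQuery
$newQuery; Test-WinlogbeatQuery -Xml $newQuery
```

If `Matched` is 0 for a query, the filter is the problem rather than the Logstash output, which is the check Andrew's reply suggests making before looking elsewhere. The same XML string can be pasted into Event Viewer's "Filter Current Log > XML" tab for a visual check.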