Filtering by event id


#1

Hello guys,

I'm trying the following configuration:

winlogbeat.event_logs:
  - name: Application
    level: critical, error, warning
    ignore_older: 48h
  - name: Security
    event_id: 500-820
    level: critical, error, warning, information
    ignore_older: 48h
  - name: System
    level: critical, error, warning
    ignore_older: 48h

output.logstash:
  hosts:
    - 10.1.10.30:5044

logging.to_files: true
logging.files:
  path: C:/ProgramData/winlogbeat/Logs
logging.level: info

The level filtering seems to be working, but as soon as I add the event_id range I stop getting any logs.

best,

Lyubo


(Andrew Kroh) #2

Are you sure that there is new data coming in that matches your filter? When you add filters like this Winlogbeat creates a query that it passes to Windows such that Windows only sends the matching events. For example, your Security log will use a query like:

<QueryList>
  <Query Id="0">
    <Select Path="Security">*[System[TimeCreated[timediff(@SystemTime) &lt;= 172800000] and (EventID &gt;= 500 and EventID &lt;= 820) and (Level = 1 or Level = 2 or Level = 3 or Level = 0 or Level = 4)]]</Select>
  </Query>
</QueryList>

If you enable debug logging for Winlogbeat it will write these XML queries to the log file. If you want to play with the query more, you can paste it into the Windows Event Viewer and see what it matches. https://blogs.technet.microsoft.com/askds/2011/09/26/advanced-xml-filtering-in-the-windows-event-viewer/
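The same check from the shell, as an added example that is not part of the original thread or of Winlogbeat itself: it rebuilds the XML query quoted above for the Security section of the config and runs it with Get-WinEvent -FilterXml, which applies the same query engine Event Viewer uses, so a count of 0 here means Windows itself is returning nothing for that filter, not that Winlogbeat is dropping events. It also covers the range change in the follow-up reply below by running both 500-820 and 4800-4803 and then listing which IDs actually exist in the 48h window. The function names New-WinlogbeatQuery and Test-EventQuery are my own; reading the Security log needs an elevated session. Note that the Security log on Windows Vista and later uses a different ID set from the 5xx/6xx IDs of Windows 2000/2003 (most legacy IDs were renumbered by adding 4096, for example 528/529 became 4624/4625), which is why a range copied from old documentation matches nothing.

```powershell
# Added example (not from the original thread): rebuild the Security-log query
# Winlogbeat generates for the config above and run it locally with Get-WinEvent
# to see whether any event matches before blaming the shipper.
# Run from an elevated PowerShell session (the Security log needs admin rights).

# Level filter from the config: critical, error, warning, information.
# Level 0 (LogAlways) is included because Security events are written with Level 0.
$levels = '(Level = 1 or Level = 2 or Level = 3 or Level = 0 or Level = 4)'

function New-WinlogbeatQuery {
    # Hypothetical helper: mirrors the <QueryList> XML quoted in the reply above.
    param(
        [Parameter(Mandatory)][string]$LogName,
        [Parameter(Mandatory)][int]$MinId,
        [Parameter(Mandatory)][int]$MaxId,
        [int]$IgnoreOlderHours = 48
    )
    # timediff() works in milliseconds: 48h = 172800000 ms, as in the query above.
    $ms = $IgnoreOlderHours * 3600 * 1000
    # '<' must be escaped inside XML element content; [xml] decodes it back to '<='.
    $xpath = "*[System[TimeCreated[timediff(@SystemTime) &lt;= $ms] and " +
             "(EventID &gt;= $MinId and EventID &lt;= $MaxId) and $levels]]"
    return @"
<QueryList>
  <Query Id="0">
    <Select Path="$LogName">$xpath</Select>
  </Query>
</QueryList>
"@
}

function Test-EventQuery {
    # Hypothetical helper: returns how many events the query matches right now.
    param([Parameter(Mandatory)][string]$QueryXml)
    # Get-WinEvent writes a non-terminating "No events were found" error when the
    # query matches nothing; treat that as a count of 0 rather than a failure.
    $events = Get-WinEvent -FilterXml ([xml]$QueryXml) -ErrorAction SilentlyContinue
    return @($events).Count
}

# The range from the original config (500-820): pre-Vista Security event IDs.
$oldQuery = New-WinlogbeatQuery -LogName Security -MinId 500 -MaxId 820
"Events matching 500-820 in the last 48h: $(Test-EventQuery $oldQuery)"

# The range that worked for the poster: 4800-4803 (workstation lock/unlock).
$newQuery = New-WinlogbeatQuery -LogName Security -MinId 4800 -MaxId 4803
"Events matching 4800-4803 in the last 48h: $(Test-EventQuery $newQuery)"

# Which IDs are actually present in the window? Use this to choose a range that
# exists on this host instead of one copied from outdated documentation.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = (Get-Date).AddHours(-48) } -ErrorAction SilentlyContinue |
    Group-Object Id |
    Sort-Object Count -Descending |
    Select-Object -First 15 Name, Count
```

If the first count is 0 and the third command lists only 4xxx/5xxx IDs, the filter is correct and the data simply does not exist; if Get-WinEvent returns matches but Winlogbeat still ships nothing, turn on debug logging as described above and compare the query it writes to the log with the one built here.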


#3

Hello Andrew,

I think that the actual range was the problem. It seems that I was using outdated information. It seems to work fine with other ranges, for example 4800-4803.

Thanks for your clarification.

best,

Lyubo


(system) #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.