Hi
How can i filter by EventSource, the events are sent from one of our custom applications and i wanted to log only those messages but not all messages for "Application"
for example i want to send the messages only from "Outlook" which is one the "Source" from the below screenshot
Thank you Andrew
Does it need any prior configuration settings, the service is starting successfully but i am not seeing any logs pushed
i am using it as shown below, as i mentioned earlier i am using provider name defined from one of our custom applicaiton
winlogbeat.event_logs:
- name: Application
ignore_older: 72h
provider:
- CustomProviderWhat you are showing is correct. Could it be that Winlogbeat has already sent all those records? If you remove the C:\ProgramData\winlogbeat\.winlogbeat.yml file it will resend all those from the last 72h.
Another debugging option is to run Winlogbeat with debug on.
logging.level: debug
logging.selectors: [eventlog]
Then take the XML query from the line that says "using subscription query=" and try it in the Windows Event Viewer as a custom view (Advanced XML filtering in the Windows Event Viewer | Microsoft Learn).
Thank you it worked
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.