Hi
How can i filter by EventSource, the events are sent from one of our custom applications and i wanted to log only those messages but not all messages for "Application"
for example i want to send the messages only from "Outlook" which is one the "Source" from the below screenshot
With the provider config option.
winlogbeat.event_logs:
- name: Application
provider:
- Outlook
Thank you Andrew
Does it need any prior configuration settings, the service is starting successfully but i am not seeing any logs pushed
i am using it as shown below, as i mentioned earlier i am using provider name defined from one of our custom applicaiton
winlogbeat.event_logs:
- name: Application
ignore_older: 72h
provider:
- CustomProviderWhat you are showing is correct. Could it be that Winlogbeat has already sent all those records? If you remove the C:\ProgramData\winlogbeat\.winlogbeat.yml file it will resend all those from the last 72h.
Another debugging option is to run Winlogbeat with debug on.
logging.level: debug
logging.selectors: [eventlog]
Then take the XML query from the line that says "using subscription query=" and try it in the Windows Event Viewer as a custom view (Advanced XML filtering in the Windows Event Viewer | Microsoft Learn).
Thank you it worked
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.