Is it possible to filter the Windows Event Logs on severity? I couldn't find anything about it in the Winlogbeat documentation. I know I can filter it in logstash, but I'd like to filter before sending it over the wire.
Hi @renevdm, sorry I missed your original message. It is not currently possible to filter on severity. Beats will be adding a generic filtering mechanism that can be used for this, see the discussion here https://github.com/elastic/beats/issues/451.
I am also open to implementing (or accepting a PR for) a severity filter directly in Winlogbeat. This would modify the query used to retrieve events from the Windows API. It would save a few CPU cycles because the events would be dropped earlier. Issue 465 mentions a severity filter among other features.
There is also a feature request to enable the use of the Windows XML XPath queries. https://github.com/elastic/beats/issues/1054
It would also be helpful to be able to filter on event log keywords, e.g. "Audit Failure".
Does anyone know how to change the path location where Winlogbeat looks for event logs? I have event logs from a remote host copied to my local machine and want to leverage Winlogbeat to index my archived logs. I don't see it anywhere in the docs.
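As an added example (not code from this thread or from Winlogbeat), this is the kind of Windows Event Log XPath query discussed above, severity via `Level` and the "Audit Failure" keyword via `band(Keywords, …)`, run through PowerShell's `Get-WinEvent` against either a live channel or a copied `.evtx` file as in the last question. The function name and parameters are my own; the keyword constant is the one Event Viewer emits for Audit Failure.

```powershell
# Builds an Event Log XPath filter and applies it before any event leaves the host,
# which is the "drop it at the query" behaviour the thread asks for.
function Get-FilteredWinEvents {
    param(
        # Live channel name (e.g. 'Security') or a path to an archived .evtx file
        # copied from another host (assumption: the file is readable locally).
        [Parameter(Mandatory)] [string] $Source,
        # Highest numeric Level to keep: 1=Critical, 2=Error, 3=Warning, 4=Information
        [ValidateRange(1, 5)] [int] $MaxLevel = 3,
        # Additionally require the 'Audit Failure' keyword (0x10000000000000 = 4503599627370496)
        [switch] $AuditFailureOnly,
        [int] $MaxEvents = 50
    )

    $clauses = @("Level<=$MaxLevel")
    # Security audit records are written with Level 0, so a Level test alone keeps them;
    # the Keywords band() test is what separates failure audits from success audits.
    if ($AuditFailureOnly) { $clauses += 'band(Keywords,4503599627370496)' }
    $xpath = '*[System[' + ($clauses -join ' and ') + ']]'

    $query = @{ FilterXPath = $xpath; MaxEvents = $MaxEvents; ErrorAction = 'Stop' }
    if ($Source -like '*.evtx') { $query['Path'] = $Source }   # archived log file
    else                        { $query['LogName'] = $Source } # live channel

    Get-WinEvent @query |
        Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, Message
}

# Live Security channel, failure audits only:
Get-FilteredWinEvents -Source 'Security' -AuditFailureOnly
# Archived copy of a remote host's log, critical and error events only (path is a placeholder):
Get-FilteredWinEvents -Source 'C:\archive\REMOTEHOST-Security.evtx' -MaxLevel 2
```

The same XPath string can be pasted into Event Viewer's "Filter Current Log > XML" tab to confirm it selects the events you expect before relying on it in a pipeline.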