Filtering Winlogbeat Events

Is it possible to filter the Windows Event Logs on severity? I couldn't find anything about it in the Winlogbeat documentation. I know I can filter it in logstash, but I'd like to filter before sending it over the wire.

Anyone?

Hi @renevdm, sorry I missed your original message. It is not currently possible to filter on severity. Beats will be adding a generic filtering mechanism that can be used for this, see the discussion here https://github.com/elastic/beats/issues/451.

I am also open to implementing (or accepting a PR) to add a severity filter directly in Winlogbeat. This would modify the query used to retrieve events from the Windows API. It would save a few CPU cycles because the events would be dropped earlier. Issue 465 mentions a severity filter among other features.

Thanks @andrewkroh! I'll dive into those topics, looks good and promising! :slight_smile:

There is also a feature request to enable the use of the Windows XML XPath queries. https://github.com/elastic/beats/issues/1054

Also would be helpful to be able to filter on event log keywords e.g. "Audit Failure".

1 Like

DOES anyone know how to change the path location for where Winlogbeat looks for event Logs? I have event logs from a remote host copied to my local machine and want to leverage WINLLOGBEAT to index my archived logs. I don't see it anywhere in the DOCS.