Is it possible to filter the Windows Event Logs on severity? I couldn't find anything about it in the Winlogbeat documentation. I know I can filter it in logstash, but I'd like to filter before sending it over the wire.
Anyone?
Hi @renevdm, sorry I missed your original message. It is not currently possible to filter on severity. Beats will be adding a generic filtering mechanism that can be used for this, see the discussion here https://github.com/elastic/beats/issues/451.
I am also open to implementing (or accepting a PR) to add a severity filter directly in Winlogbeat. This would modify the query used to retrieve events from the Windows API. It would save a few CPU cycles because the events would be dropped earlier. Issue 465 mentions a severity filter among other features.
Thanks @andrewkroh! I'll dive into those topics, looks good and promising! 
There is also a feature request to enable the use of the Windows XML XPath queries. https://github.com/elastic/beats/issues/1054
Also would be helpful to be able to filter on event log keywords e.g. "Audit Failure".
1 Like
DOES anyone know how to change the path location for where Winlogbeat looks for event Logs? I have event logs from a remote host copied to my local machine and want to leverage WINLLOGBEAT to index my archived logs. I don't see it anywhere in the DOCS.