Filtering Winlogbeat Events


(Rene) #1

Is it possible to filter the Windows Event Logs on severity? I couldn't find anything about it in the Winlogbeat documentation. I know I can filter it in logstash, but I'd like to filter before sending it over the wire.


(Rene) #2

Anyone?


(Andrew Kroh) #3

Hi @renevdm, sorry I missed your original message. It is not currently possible to filter on severity. Beats will be adding a generic filtering mechanism that can be used for this, see the discussion here https://github.com/elastic/beats/issues/451.

I am also open to implementing (or accepting a PR) to add a severity filter directly in Winlogbeat. This would modify the query used to retrieve events from the Windows API. It would save a few CPU cycles because the events would be dropped earlier. Issue 465 mentions a severity filter among other features.


(Rene) #4

Thanks @andrewkroh! I'll dive into those topics, looks good and promising! :slight_smile:


(Andrew Kroh) #5

There is also a feature request to enable the use of the Windows XML XPath queries. https://github.com/elastic/beats/issues/1054


(Jim Jepson) #6

Also would be helpful to be able to filter on event log keywords e.g. "Audit Failure".
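To make the filtering semantics discussed in posts #3 and #6 concrete, here is an added example (not Winlogbeat code, and not from anyone in this thread) that applies severity, event-ID and keyword filters to hand-constructed Windows event records before they would be shipped. The record shape (event_id, level, keywords) and the sample events are assumptions modelled on the System section of a Windows event; the level numbers and the Audit Success/Audit Failure keyword values are the standard ones Windows defines.

```python
"""Client-side filtering of Windows event records before shipping.

Added example, not Winlogbeat code: it models the severity, event-ID and
keyword filters discussed in the thread on hand-constructed records shaped
like the <System> section of a Windows event (event_id, level, keywords).
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Windows event levels: a lower number means a more severe event.
LEVEL_CRITICAL, LEVEL_ERROR, LEVEL_WARNING, LEVEL_INFO, LEVEL_VERBOSE = 1, 2, 3, 4, 5
LEVEL_LOG_ALWAYS = 0  # the Security log uses this, so audit events carry no severity

# Standard keyword values that mark the audit outcome of Security log events.
# Both share a reserved high bit, so a keyword filter must require ALL bits
# of the mask, not just any of them.
KEYWORD_AUDIT_SUCCESS = 0x8020000000000000
KEYWORD_AUDIT_FAILURE = 0x8010000000000000


def parse_event_id_spec(spec: str) -> Tuple[Set[int], Set[int]]:
    """Parse '4624, 4625, -4634' into (include, exclude) sets.

    A leading '-' excludes an ID; an empty include set means 'any ID'.
    """
    include: Set[int] = set()
    exclude: Set[int] = set()
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        if token.startswith("-"):
            exclude.add(int(token[1:]))
        else:
            include.add(int(token))
    return include, exclude


@dataclass
class EventFilter:
    max_level: Optional[int] = None          # keep level <= max_level (None = no severity filter)
    include_ids: Set[int] = field(default_factory=set)
    exclude_ids: Set[int] = field(default_factory=set)
    keyword_mask: int = 0                    # keep events carrying every bit of the mask (0 = no filter)

    def matches(self, event: Dict) -> bool:
        if self.max_level is not None and event["level"] > self.max_level:
            return False
        if event["event_id"] in self.exclude_ids:
            return False
        if self.include_ids and event["event_id"] not in self.include_ids:
            return False
        if self.keyword_mask and (event["keywords"] & self.keyword_mask) != self.keyword_mask:
            return False
        return True


def filter_events(flt: EventFilter, events: Iterable[Dict]) -> List[Dict]:
    """Drop non-matching events on the client, before they go over the wire."""
    return [e for e in events if flt.matches(e)]


# Constructed sample records (not captured from a real host).
SAMPLE_EVENTS = [
    {"event_id": 4624, "level": LEVEL_LOG_ALWAYS, "keywords": KEYWORD_AUDIT_SUCCESS},  # logon success
    {"event_id": 4625, "level": LEVEL_LOG_ALWAYS, "keywords": KEYWORD_AUDIT_FAILURE},  # logon failure
    {"event_id": 7036, "level": LEVEL_INFO, "keywords": 0},       # service state change
    {"event_id": 1000, "level": LEVEL_ERROR, "keywords": 0},      # application crash
    {"event_id": 41, "level": LEVEL_CRITICAL, "keywords": 0},     # unexpected reboot
]


def errors_and_worse(events=SAMPLE_EVENTS) -> List[int]:
    """Severity filter alone. Note it also keeps LogAlways (0) audit events,
    which is why the Security log needs a keyword filter as well."""
    return [e["event_id"] for e in filter_events(EventFilter(max_level=LEVEL_ERROR), events)]


def audit_failures_only(events=SAMPLE_EVENTS) -> List[int]:
    """Keyword filter, as post #6 asks for: only 'Audit Failure' records."""
    return [e["event_id"] for e in filter_events(EventFilter(keyword_mask=KEYWORD_AUDIT_FAILURE), events)]


def by_id_spec(spec: str, events=SAMPLE_EVENTS) -> List[int]:
    """Event-ID include/exclude filter driven by a '4624, -4634' style spec."""
    include, exclude = parse_event_id_spec(spec)
    return [e["event_id"] for e in filter_events(EventFilter(include_ids=include, exclude_ids=exclude), events)]


if __name__ == "__main__":
    print("level <= Error:", errors_and_worse())                     # [4624, 4625, 1000, 41]
    print("Audit Failure:", audit_failures_only())                   # [4625]
    print("ids 4624,4625,-4624:", by_id_spec("4624, 4625, -4624"))  # [4625]
```

The severity-only run shows the point behind post #6: Security log events are written at level 0 (LogAlways), so a severity threshold never drops them, and separating logon failures from successes needs the keyword bits.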


(Jeriel20) #7

Does anyone know how to change the path location for where Winlogbeat looks for event logs? I have event logs from a remote host copied to my local machine and want to leverage Winlogbeat to index my archived logs. I don't see it anywhere in the docs.

