[HELP winlogbeat.yml] How to send Removable storage logs to Elasticsearch

Hello from Japan.
I have a question for you respected engineers.
I am an inexperienced Japanese engineer with Elasticsearch.
I have installed Winlogbeat on my Windows PC and have built an environment that sends Windows logs to Elasticsearch for analysis in Kibana.

I want to send Removable Storage logs to Elasticsearch.
I confirmed that Event ID 4663 in the Security log of the Windows Event Viewer is a Removable Storage log.
So I created and applied a yml file like the one below.

winlogbeat.event_logs:
  - name: Security
    event_id: 4663

However, Event ID 4663 also produces logs other than USB ones.
In addition, I know that this yml file also sends logs other than Removable Storage ones to Elasticsearch.

How should I write the yml so that only logs with Event ID 4663 and the task category Removable Storage in the Windows Event Viewer are sent to Elasticsearch?

I would like help from all of you respected ELASTIC engineers.

I await your replies and information.
Thank you

If you are only interested in that one event with a particular attribute, then I recommend going the advanced route with an XML query. See Configure Winlogbeat | Winlogbeat Reference [8.10] | Elastic.

Use the Windows Event Viewer to create a custom view that only includes the specific logs that you want. Then put that view's XML query into the config file.

Advanced XML filtering in the Windows Event Viewer - Microsoft Community Hub has good examples too.

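The following winlogbeat.yml is an added example of the XML-query approach the reply describes; it is not from the original post or from the Elastic documentation. It keeps the poster's original entry as a comment next to the narrowed one. The query matches Event ID 4663 only when the event's Task field is 12812, the value the Security audit subcategory "Removable Storage" carries; treat that number as an assumption to confirm by creating the custom view in Event Viewer and reading its XML tab, which is exactly what the reply suggests. The `id` value and the Elasticsearch host are placeholders.

```yaml
# winlogbeat.yml (added example, not from the original post)
winlogbeat.event_logs:
  # The original entry, kept for comparison. It forwards every 4663 in the
  # Security log, whatever object type was accessed (file system, registry,
  # kernel object, removable storage ...), so it is too broad.
  # - name: Security
  #   event_id: 4663

  # Narrowed entry. When xml_query is used, `id` is required and `name` is
  # not used; the log to read is named inside the query itself.
  - id: security-removable-storage   # assumed name; any unique string works
    xml_query: >
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4663 and Task=12812]]</Select>
        </Query>
      </QueryList>
    # Task=12812 is assumed to be the "Removable Storage" subcategory. Verify it
    # against the XML that Event Viewer generates for a custom view filtered on
    # Task Category = Removable Storage before relying on this value.

output.elasticsearch:
  hosts: ["https://localhost:9200"]   # assumed; replace with your own cluster
```

Two checks are worth doing before restarting Winlogbeat. First, run the same `<QueryList>` through PowerShell with `Get-WinEvent -FilterXml` and confirm that the events returned all show the Removable Storage task category and none of the other 4663 variants. Second, 4663 events for removable media are only written at all when the "Removable Storage" audit subcategory is enabled, for example with `auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable` or the equivalent Group Policy setting; if the query returns nothing, check the audit policy before suspecting the query.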
