Help with collecting Custom Windows Event Logs with Elastic Agent

Hello everyone!

A very rudimentary question I think, but haven't been able to find clarification myself. I am still very much getting to grips with the platform, and logging itself, so apologies if it is a really obvious question.

We currently have a small number of pilot machines with Elastic Agent installed and managed via Fleet. These are currently collecting Windows Event logs via the System integration; this is working fine.

I have been asked to now configure this policy so the following are picked up:
Applications and Services > Microsoft > Windows > AppLocker > EXE and DLL
Applications and Services > Microsoft > Windows > AppLocker > MSI and Script

I assume this would be done via the Custom Windows Event Logs integration. We aren't currently logging anything AppLocker related, so I've installed the integration and done some testing/tinkering with:
Microsoft-Windows-PowerShell/Operational

The first thing I've noticed is that it doesn't work unless I choose the specific channel, i.e. Microsoft-Windows-PowerShell doesn't work but Microsoft-Windows-PowerShell/Operational does.

Is there a way to include multiple channels within the one integration? Or would the practice be to have one integration for Microsoft-Windows-AppLocker/EXE and DLL and one for Microsoft-Windows-AppLocker/MSI and Script?

Secondly, Event IDs have to be specified. We want to collect everything logged, so I did test doing a "*", but this didn't work. Including the specific Event IDs did work, but this is not an ideal solution. I did use what felt like a fairly inelegant solution of 1-100000, which looks to work in capturing all the events logged. What is the best practice here?
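
An added example, not code from the original post or from Elastic's integration: a PowerShell script that checks the two AppLocker channels the question names, using the full `Provider/Channel` form the Event Log service expects (which is why `Microsoft-Windows-PowerShell` alone finds nothing while `Microsoft-Windows-PowerShell/Operational` works), confirms each channel exists and is enabled, and summarises the event IDs actually present in it so the integration's Event ID field can be set from observed data rather than a blanket range. It assumes it is run in an elevated session on a host where AppLocker logging is on; the channel list and the `$MaxEvents` cap are assumed defaults for this illustration.

```powershell
# Added example (not from the original post or from Elastic): verify AppLocker
# channel names, enablement, and the event IDs they actually contain.
# Assumptions: elevated session; AppLocker logging is enabled on this host;
# the two default channel names are the ones the question asks about.
#Requires -Version 5.1

function Get-ChannelEventIdSummary {
    [CmdletBinding()]
    param(
        [string[]]$Channel = @(
            'Microsoft-Windows-AppLocker/EXE and DLL',
            'Microsoft-Windows-AppLocker/MSI and Script'
        ),
        # Upper bound on events read per channel; raise it on busy hosts.
        [int]$MaxEvents = 5000
    )

    foreach ($name in $Channel) {
        # -ListLog takes the full 'Provider/Channel' name. A bare provider name
        # such as 'Microsoft-Windows-AppLocker' is not a channel and returns nothing.
        $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
        if (-not $log) {
            Write-Warning "No channel named '$name'. Run: Get-WinEvent -ListLog 'Microsoft-Windows-AppLocker/*' to see the exact names."
            continue
        }
        if (-not $log.IsEnabled) {
            Write-Warning "Channel '$name' exists but is disabled; nothing will be collected from it until it is enabled."
        }

        # Get-WinEvent emits a non-terminating error when a channel is empty;
        # SilentlyContinue turns that into an empty result instead of noise.
        $events = @(Get-WinEvent -FilterHashtable @{ LogName = $name } `
                                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)

        $events | Group-Object -Property Id | Sort-Object { [int]$_.Name } | ForEach-Object {
            [pscustomobject]@{
                Channel = $name
                Enabled = $log.IsEnabled
                Records = $log.RecordCount
                EventId = [int]$_.Name
                Count   = $_.Count
                # First line of the newest message, enough to recognise the event type.
                Sample  = ($_.Group[0].Message -split "`r?`n")[0]
            }
        }
    }
}

# Usage: tabulate what each channel holds, then derive the tightest ID range
# seen so the integration's Event ID field can be filled in from evidence.
$summary = @(Get-ChannelEventIdSummary)
$summary | Format-Table Channel, EventId, Count, Sample -AutoSize
if ($summary.Count -gt 0) {
    $ids = @($summary.EventId | Sort-Object -Unique)
    "Observed event IDs: $($ids -join ', ')"
    "Tightest range covering them: $($ids[0])-$($ids[-1])"
}
```

Run it once on a pilot machine that has exercised AppLocker for a while; the "tightest range" line gives a far narrower filter than 1-100000 (AppLocker's documented allow/audit/block events for these two channels sit in the 8000 range, e.g. 8002/8003/8004 for EXE and DLL and 8005/8006/8007 for MSI and Script), and the per-ID table shows whether audit or enforce events are what is actually being written.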
