How to activate sysmon event ID 3

Hey everyone,
I am sending my logs from a Windows node using Winlogbeat and Sysmon64 to my ELK stack.
While in the Discover panel in Kibana I can see my logs with the different Sysmon event IDs, but I have noticed that event ID 3 for new connections is not working (I made a test using RDP).
When I checked the doc, they say that it's disabled by default.
How can I enable it?

That is really a Sysmon question, not a Winlogbeat question.

Hi @yassinebad

If you do a search, there are plenty of articles on how to configure Sysmon.

Example, and that's one I believe has ID 3 enabled.

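An added example of what such a config looks like (not from this thread or from the articles it points to): Sysmon only records an event type when the config contains a rule group for it, so event ID 3 (NetworkConnect) stays off until one is added. The schemaversion below is an assumption and has to match your installed binary (sysmon64 -s prints the schema it expects); the loopback exclusion is just a constructed noise filter.

```xml
<!-- sysmon.xml: minimal config that turns on event ID 3 (NetworkConnect).
     schemaversion 4.82 is assumed here; use the value reported by "sysmon64 -s". -->
<Sysmon schemaversion="4.82">
  <HashAlgorithms>sha256</HashAlgorithms>

  <EventFiltering>
    <!-- With no NetworkConnect rule group at all, Sysmon never emits event ID 3.
         onmatch="exclude" means: log every network connection EXCEPT the
         ones matching the rules inside. An empty <NetworkConnect onmatch="exclude"/>
         would log all of them. -->
    <RuleGroup name="network-connect" groupRelation="or">
      <NetworkConnect onmatch="exclude">
        <!-- constructed example exclusion: drop loopback chatter to keep the index small -->
        <DestinationIp condition="is">127.0.0.1</DestinationIp>
        <DestinationIp condition="is">::1</DestinationIp>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Load it with sysmon64 -c sysmon.xml on an existing install (or sysmon64 -accepteula -i sysmon.xml on a fresh one); afterwards the connections, including an RDP test to TCP 3389, appear in the Microsoft-Windows-Sysmon/Operational channel that Winlogbeat ships.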

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.