How to collect more than 22 event ids with winlogbeat?

I've got a task to collect over 500 events from a DC with winlogbeat. But Windows has a limit of 22 events per query. I'm using version 6.1.2. I've tried with processors like this:

winlogbeat.event_logs:
  - name: Security
processors:
  - drop_event.when.not.or:
    - equals.event_id: 4618
...

but with these settings the client doesn't work, nothing in the logs. If I run it from the exe file it just starts and stops with no error.
If I try to do it like it was written in the official manual:

winlogbeat.event_logs:
  - name: Security
    event_id: ...
    processors:
      - drop_event.when.not.or:
        - equals.event_id: 4618
...

the client just crashes with "invalid event log key processors found". Also I've tried to create a new custom view and take the events from there, but apparently it also has a query limit of 22 events.

This will be fixed in Winlogbeat 6.3.0. You can try the snapshot build if you like: https://s3-us-west-2.amazonaws.com/beats-package-snapshots/index.html?prefix=winlogbeat/

As a workaround for the processors error you can try using processors at the top level, and it will apply to all events.

winlogbeat.event_logs:
  - name: Security
processors:
- drop_event.when.not.or:
  - equals.event_id: 4618

And don't forget that event_ids supports ranges, which might help you slim down the list. Like event_ids: 1-99, 4000-5000, !4889.
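As an added example (not code from the thread or from the Winlogbeat project), the following script puts both suggestions together: it collapses a wanted list of event IDs into ranges for the per-log `event_id` setting, and when the list still cannot be expressed in few enough terms it emits the top-level `drop_event` workaround instead. It assumes that each range counts as one term against the 22-term query limit mentioned in the thread; `WINDOWS_QUERY_LIMIT` and all function names are mine.

```python
# Build a Winlogbeat 6.x config fragment that keeps only a chosen set of
# event IDs from one log, using the two techniques discussed in the thread.

WINDOWS_QUERY_LIMIT = 22  # per-query term limit as stated in the thread


def compress_ids(ids):
    """Collapse event IDs into inclusive (lo, hi) ranges.

    Example: {1, 2, 3, 7} -> [(1, 3), (7, 7)]
    """
    ranges = []
    for eid in sorted(set(ids)):
        if ranges and eid == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], eid)   # extend the current run
        else:
            ranges.append((eid, eid))           # start a new run
    return ranges


def format_event_id(ranges):
    """Render ranges in winlogbeat's event_id syntax, e.g. '1-99, 4000-5000'."""
    return ", ".join(f"{lo}-{hi}" if lo != hi else str(lo) for lo, hi in ranges)


def build_config(ids, log_name="Security"):
    """Return YAML text: source-side event_id filter when it fits the query
    limit, otherwise collect everything and drop unwanted events with a
    top-level processor (the workaround given in the answer)."""
    ranges = compress_ids(ids)
    if len(ranges) <= WINDOWS_QUERY_LIMIT:  # assumption: one range == one term
        return (
            "winlogbeat.event_logs:\n"
            f"  - name: {log_name}\n"
            f"    event_id: {format_event_id(ranges)}\n"
        )
    lines = [
        "winlogbeat.event_logs:",
        f"  - name: {log_name}",
        "",
        "processors:",
        "  - drop_event.when.not.or:",
    ]
    lines += [f"      - equals.event_id: {eid}" for eid in sorted(set(ids))]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: a contiguous block plus a few logon-related IDs.
    print(build_config(list(range(4000, 4100)) + [4618, 4624, 4625]))
```

Note that the processor route ships every Security event over the wire before filtering, so expect the higher collection volume on the DC and the Beat until the source-side filter is available to you.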
