I found that winlogbeat can be configured to ignore events older than a given age relative to now.
```yaml
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: Security
  - name: System
```
Wondering if it's possible to configure it to ignore events before a specific time, like
```yaml
winlogbeat.event_logs:
  - name: Application
    ignore_before: 2020-10-01 12:00:00UTC+8
  - name: Security
  - name: System
```
We have lots of machines in the cloud, and we frequently restore them. With the above configuration we could specify the time we restored the machine to avoid collecting duplicate events.