I found that winlogbeat can be configured to ignore events older than a given age relative to now.
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: Security
  - name: System
Wondering if it's possible to configure it to ignore events before a specific time, like
winlogbeat.event_logs:
  - name: Application
    ignore_before: 2020-10-01 12:00:00UTC+8
  - name: Security
  - name: System
We have lots of machines in the cloud, and we frequently restore them. With the above configuration we can specify the time we restored the machine to avoid collecting duplicate events.