Hello,
I am trying to get events from two separate logs on our domain controllers, and just realized today that the entire Security log was not being sent to Kibana by winlogbeat after I tried to send events from a second log. (The second log was sending to Kibana, but nothing from Security).
Here is an example of what I was using for the config:
```yaml
winlogbeat.event_logs:
  - name: Security
    processors:
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js
      - drop_event.when.not.or:
          # EventID: 4625 An account failed to logon
          - equals.winlog.event_id: 4625
          # EventID: 4723 An attempt was made to change an account's password
          - equals.winlog.event_id: 4723
          # <I have about 30 additional event ids I am pulling but only including the first couple events above>
```
Below that, I have this:
```yaml
  - name: Microsoft-AzureADPasswordProtection-DCAgent/Admin
    processors:
      - drop_event.when.not.or:
          - equals.winlog.event_id: 10012
          # Event ID: 10013 PasswordSetErrors
          - equals.winlog.event_id: 10013
          # Event ID: 10014 PasswordChangesValidated
          - equals.winlog.event_id: 10014
          # Event ID: 10015 PasswordSetsValidated
          - equals.winlog.event_id: 10015
```
It was only pulling in the events from the Microsoft-AzureADPasswordProtection-DCAgent/Admin log, and all Security events weren't being pulled in.
I tried just pulling in all Microsoft-AzureADPasswordProtection-DCAgent/Admin logs by using only:
```yaml
  - name: Microsoft-AzureADPasswordProtection-DCAgent/Admin
```
But I just get errors saying an expected key was missing.
If I move it up above Security, then I get all of the security events, but nothing from the Azure logs. I'm not sure what's going on:
```yaml
winlogbeat.event_logs:
  - name: Microsoft-AzureADPasswordProtection-DCAgent/Admin
  - name: Security
    processors:
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js
      - drop_event.when.not.or:
          # EventID: 4625 An account failed to logon
          - equals.winlog.event_id: 4625
          # EventID: 4723 An attempt was made to change an account's password
          - equals.winlog.event_id: 4723
```
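One configuration mistake that produces symptoms like these is a second `- name:` entry indented under the previous entry's `processors:` list, where YAML reads it as one more processor of the first log instead of as a second event log. The following is an added example, not code from the original post or from Winlogbeat itself: a small Python check that reads the raw config text and reports which entries sit directly under `winlogbeat.event_logs` (with their processor keys) and which have been swallowed by another block. The two config strings are constructed samples modelled on the post, and the nesting diagnosis is an assumption about a likely cause, not a confirmed one.

```python
import re
# Constructed sample modelled on the post: the second "- name:" entry is indented
# under the first entry's "processors:" list, so YAML parses it as a processor.
BAD_CONFIG = """\
winlogbeat.event_logs:
  - name: Security
    processors:
      - script:
          file: ${path.home}/module/security/config/winlogbeat-security.js
      - drop_event.when.not.or:
          - equals.winlog.event_id: 4625
      - name: Microsoft-AzureADPasswordProtection-DCAgent/Admin
        processors:
          - drop_event.when.not.or:
              - equals.winlog.event_id: 10012
"""
# Same entries with the second log dedented to the level of "- name: Security".
GOOD_CONFIG = BAD_CONFIG.replace("\n      - name:", "\n  - name:").replace(
    "\n        processors:", "\n    processors:").replace(
    "\n          - drop", "\n      - drop").replace("\n              - equals", "\n          - equals")

_LINE = re.compile(r"^(-\s+)?([^:#]+):(.*)$")  # optional "- ", then key, then value


def lint_event_logs(config_text):
    """Map each log found directly under winlogbeat.event_logs to its processor keys."""
    logs, misplaced, stack = {}, [], []  # stack holds (indent, label) of open blocks
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blanks and comments carry no structure
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()  # every block at this indent or deeper has ended
        m = _LINE.match(raw.strip())
        if not m:
            continue
        is_item, key, value = bool(m.group(1)), m.group(2).strip(), m.group(3).strip()
        enclosing = stack[-1][1] if stack else ""
        label = key
        if is_item and key == "name":
            if enclosing == "winlogbeat.event_logs":
                logs[value], label = [], "log:" + value
            else:
                misplaced.append(value)  # swallowed by another block, not a log entry
        elif key == "processors" and enclosing.startswith("log:"):
            label = "processors:" + enclosing[4:]  # this log's own processor list
        elif is_item and enclosing.startswith("processors:"):
            logs[enclosing[11:]].append(key)
        stack.append((indent, label))
    return {"event_logs": logs, "misplaced": misplaced}
```

Running it on a real `winlogbeat.yml` (read the file into a string first) shows at a glance whether every log you expect to ship is actually a top-level `event_logs` entry.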