Issues with additional event logs enabled

Hello,

I am trying to get events from two separate logs on our domain controllers, and just realized today that the entire Security log was not being sent to Kibana by winlogbeat after I tried to send events from a second log. (The second log was sending to Kibana, but nothing from Security).

Here is an example of what I was using for the config:

winlogbeat.event_logs:
  - name: Security
    processors:
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js
      - drop_event:
          when:
            not:
              or:
                # EventID: 4625 An account failed to logon
                - equals.winlog.event_id: 4625
                # EventID: 4723 An attempt was made to change an account's password
                - equals.winlog.event_id: 4723

<I have about 30 additional event ids I am pulling but only including the first couple events above>

Below that, I have this:

  - name: Microsoft-AzureADPasswordProtection-DCAgent/Admin
    processors:
      - drop_event:
          when:
            not:
              or:
                - equals.winlog.event_id: 10012
                # Event ID: 10013 PasswordSetErrors
                - equals.winlog.event_id: 10013
                # Event ID: 10014 PasswordChangesValidated
                - equals.winlog.event_id: 10014
                # Event ID: 10015 PasswordSetsValidated
                - equals.winlog.event_id: 10015

It was only pulling in the events from the Microsoft-AzureADPasswordProtection-DCAgent/Admin log, and all Security events weren't being pulled in.

I tried just pulling in all Microsoft-AzureADPasswordProtection-DCAgent/Admin logs by using only:
  - name: Microsoft-AzureADPasswordProtection-DCAgent/Admin

But I just get errors saying an expected key was missing.

If I move it up above Security, then I get all of the security events, but nothing from the Azure logs. I'm not sure what's going on:

  - name: Microsoft-AzureADPasswordProtection-DCAgent/Admin
  - name: Security
    processors:
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js
      - drop_event:
          when:
            not:
              or:
                # EventID: 4625 An account failed to logon
                - equals.winlog.event_id: 4625
                # EventID: 4723 An attempt was made to change an account's password
                - equals.winlog.event_id: 4723
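To make the intended behaviour of the config above concrete, here is an added example (not winlogbeat's own code, and not from the original post) that evaluates the `drop_event.when.not.or` allow-list shape per event log against constructed sample events; `EVENT_LOGS`, `keep_only` and `filter_events` are names assumed for this illustration.

```python
# Constructed example: a small evaluator for the Beats-style condition shape
# used in the post (equals / or / not), applied per event log so that each
# `- name:` entry's own `processors` list decides what is dropped.
from typing import Any


def get_field(event: dict, dotted: str) -> Any:
    """Resolve a dotted field name such as 'winlog.event_id'."""
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def evaluate(cond: dict, event: dict) -> bool:
    """Evaluate one condition node. Only one key per node, as in Beats YAML."""
    (op, arg), = cond.items()
    if op == "equals":
        # No type coercion (assumed to mirror Beats): 4625 != "4625".
        return all(get_field(event, f) == v for f, v in arg.items())
    if op == "or":
        return any(evaluate(c, event) for c in arg)
    if op == "not":
        return not evaluate(arg, event)
    raise ValueError(f"unsupported condition: {op}")


def keep_only(event_ids: list) -> dict:
    """Build the `drop_event.when.not.or` allow-list condition from the post."""
    return {"not": {"or": [{"equals": {"winlog.event_id": i}} for i in event_ids]}}


# Per-log processors, mirroring the post: each log carries its own drop_event.
EVENT_LOGS = {
    "Security": [keep_only([4625, 4723])],
    "Microsoft-AzureADPasswordProtection-DCAgent/Admin":
        [keep_only([10012, 10013, 10014, 10015])],
}


def filter_events(events: list) -> list:
    """Keep an event unless a drop_event condition of its own log matches."""
    return [ev for ev in events
            if not any(evaluate(c, ev)
                       for c in EVENT_LOGS.get(ev["winlog"]["channel"], []))]


SAMPLE = [  # constructed events, not real log data
    {"winlog": {"channel": "Security", "event_id": 4625}},
    {"winlog": {"channel": "Security", "event_id": 4624}},
    {"winlog": {"channel": "Microsoft-AzureADPasswordProtection-DCAgent/Admin", "event_id": 10014}},
    {"winlog": {"channel": "Microsoft-AzureADPasswordProtection-DCAgent/Admin", "event_id": 10001}},
]
```

Running `filter_events(SAMPLE)` keeps only 4625 from Security and 10014 from the DCAgent log, which is the result both processor blocks are meant to produce when each log's processors apply only to that log.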

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.