I have a question about Winlogbeat. I've installed and configured it and all is working perfectly; my question is:
How does Winlogbeat work? I currently see all the logs about all the users in the network. Isn't it supposed to be local, because I installed it only on my PC, or maybe it is because I'm in an AD domain? Then, how can I see only the logs about my PC?
How and where have you configured your winlogbeat.yml to read logs from?
Depending on what event logs are coming into that machine, I would expect all application, security, audit, etc. logs to be collected.
From research it looks like Windows security event logs collect the full EVID 4000-6000 list. I imagine that if the security event logs pertain to a domain, then you will have Account Logon, Account Management, Detailed Tracking, DS Access, Logon/Logoff, Object Access, Policy Change, Privilege Use and System events in there.
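As an added example (not from the thread and not Elastic's shipped configuration), here is a winlogbeat.yml that makes the collection scope explicit. Winlogbeat only reads the event-log channels of the host it is installed on; it does not pull logs from other machines unless those machines forward events into a local channel. The reason a single install can show "all users in the network" is that the Security log of a domain controller records account logon and account management events for every domain account, so if the PC in question is a DC (or receives forwarded events), that is expected. The host name WS01, the event ID list and the Elasticsearch address below are assumptions for illustration.

```yaml
# Added example winlogbeat.yml (illustrative, not the thread author's config).
# Each entry is a local event-log channel on the host running Winlogbeat.
winlogbeat.event_logs:
  # Security channel: restrict to logon/logoff and account-management IDs
  # instead of the whole channel, so a domain controller's Security log
  # does not flood the index. Winlogbeat accepts single IDs and ranges.
  - name: Security
    event_id: 4624, 4625, 4634, 4648, 4720-4726, 4728, 4732, 4756
    ignore_older: 72h
  - name: System
  - name: Application

processors:
  # Keep only Security events whose target account belongs to this host
  # (assumed host name WS01). Domain accounts carry the domain name in
  # winlog.event_data.TargetDomainName; System/Application events lack
  # that field, so has_fields guards them from being dropped.
  - drop_event:
      when:
        and:
          - has_fields: ['winlog.event_data.TargetDomainName']
          - not:
              equals:
                winlog.event_data.TargetDomainName: "WS01"

output.elasticsearch:
  hosts: ["localhost:9200"]   # assumed; point at your cluster
```

If you would rather keep everything and filter at query time, every document Winlogbeat ships carries the collecting host in host.name and winlog.computer_name; on a workstation that is enough to isolate "my PC". On a domain controller those fields always name the DC, so to isolate one workstation you filter on the event data instead (for 4624, winlog.event_data.WorkstationName or winlog.event_data.IpAddress).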