Logs WinlogBeat

Hello,

I have a question about WinlogBeat. I've installed and configured it and all is working perfectly. My question is:
How is WinlogBeat working? I currently see all the logs about all the users in the network. Isn't it supposed to be local, because I installed it only on my PC, or maybe it is because I'm in a domain AD? Then, how can I see only the logs about my PC?

Regards.

How and where have you configured your winlogbeat.yml to read logs from?
Depending on what event logs are coming into that machine I would expect all application, security, audit, etc, to be collected.

I just have this:

winlogbeat.event_logs:
  - name: Security
    ignore_older: 168h

output.logstash:
  hosts: ["localhost:5044"]

From research, it looks like Windows Security event logs collect the full EVID 4000-6000 list. I imagine if the Security event logs pertain to a domain then you will have account logon, account management, detailed tracking, DS access, logon/logoff, object access, policy change, privilege use and system events in there.
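
One way to narrow what the configuration posted above ships, as an added example that is not part of the original thread: restrict the Security channel to a short list of event IDs and drop events for other accounts. It assumes Winlogbeat 7.x or later field names (`winlog.*`), and `EXAMPLE-USER` is a placeholder account name.

```yaml
# Added example, not from the thread.
# Assumes Winlogbeat 7.x+ field names; EXAMPLE-USER is a placeholder.
winlogbeat.event_logs:
  - name: Security
    ignore_older: 168h
    # Collect only selected event IDs instead of the whole Security channel:
    #   4624 successful logon       4625 failed logon
    #   4634 logoff                 4647 user-initiated logoff
    #   4648 logon using explicit credentials
    event_id: 4624, 4625, 4634, 4647, 4648
    processors:
      # Drop every event whose target account is not the one of interest.
      # The comparison is an exact string match, and events that lack
      # TargetUserName are dropped as well.
      - drop_event:
          when:
            not:
              equals:
                winlog.event_data.TargetUserName: "EXAMPLE-USER"

output.logstash:
  hosts: ["localhost:5044"]
```

Running `winlogbeat test config -c winlogbeat.yml` checks the file before the service is restarted.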
