Hello,
I have a question about WinlogBeat, I've installed and configured it and all is working perfectly, my question is:
How is WinlogBeat working ? I currently see all the logs about all the users in the network, isn't it supposed to be local because I installed it only in my pc or maybe it is because I'm in a domain AD? Then, how can I see only the logs about my pc ?
Regards.
How and where have you configured your winlogbeat.yml to read logs from?
Depending on what event logs are coming into that machine I would expect all application, security, audit, etc, to be collected.
I just have this:
winlogbeat.event_logs:
- name: Security
ignore_older: 168h
output.logstash:
hosts: ["localhost:5044"]From research it looks like windows security event logs collect the full EVID 4000-6000 list. I imagine if the security event logs pertain to a domain then you will have account logon, account management, detailed tracking, ds access, logon/logoff, object access, policy change, privilege use and system events in there.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.