we have Wazuh installed in our development lab. We have a few critical type systems that will not/cannot have the agent installed and that we will need the windows event logs pulled from into logstash, from some brief reading we thought we could accomplish this via wmi and the wmi plug-in you provide for logstash. Looking through online documentation there is not much around how to implement that. If you could assist with that would be great. Is that the preferred way to do it without an agent? Or can we setup forwarding on the agentless systems to accept the events in logstash?
already looked at the below link and put the configuration into /etc/logstash/conf.d/winsystem.conf, is there a specific syntax to grab windows event logs? Is there any other requirements needed on the windows host or logstash server?
https://www.elastic.co/guide/en/logstash/current/plugins-inputs-wmi.html