Monitoring Multiple Windows Event Channels with Custom Event Logs in ELK Stack

ValentinL · February 27, 2025, 8:29am

Hello everyone,

I have an ELK stack to monitor various Windows events. I monitor my agents with the Fleet server and integrations.

I frequently use the "Custom Windows Event Logs" to target specific Event IDs I need.

I want to know if it's possible to target IDs from different channels, i.e., "Security" and "System"?

Thank you for your help!

Tortoise · March 2, 2025, 8:24am

Hi,

I think we can use

event_logs:

name: Security
event_id: [4624, 4634, 4672] # Successful login, logout, admin login
name: System
event_id: [6005, 6006, 1074] # Event log started, stopped, system shutdown

winlog.channel The name of the channel from which this record was read. This value is one of the names from the event_logs collection in the configuration. keyword

Thanks!!

Topic		Replies	Views
Filter and tag windows event logs on logstash Beats winlogbeat	1	456	May 12, 2018
Help with collecting Custom Windows Event Logs with Elastic Agent Logs	1	1580	February 18, 2022
Logstash Windows events pattern Logstash	2	423	February 8, 2018
Reporting Windows Security Events in Kibana Beats winlogbeat	4	5418	April 12, 2016
Elastic Agent Custom Windows Event Logs Beats winlogbeat	5	3662	June 15, 2022

Monitoring Multiple Windows Event Channels with Custom Event Logs in ELK Stack

Related topics