MSExchange Management Event Log

I have what appears to be a very simple question.

I wish to add the MSExchange Management event log to the winlogbeat configuration file.

get-eventlog shows it as

MSExchange Management

I added it as -name MSExchange Management and restarted the winlogbeat service on the server. Everything works fine except this event log is not showing up.

Have I missed something?

Thanks

Wil

Can you please post the configuration that you are using? And please check the log file for warnings or errors.

Here you go.

Config:
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: Security
  - name: System
  - name: MSExchange Management

output.logstash:
  # The Logstash hosts
  hosts: ["10.91.50.100:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

Log file:
2017-03-31T09:27:53-04:00 INFO EventLog[MSExchange Management] Successfully published 1 events
2017-03-31T09:27:54-04:00 INFO EventLog[Security] Successfully published 5 events
2017-03-31T09:27:56-04:00 INFO EventLog[Security] Successfully published 4 events
2017-03-31T09:27:58-04:00 INFO EventLog[Security] Successfully published 8 events
2017-03-31T09:28:01-04:00 INFO EventLog[Security] Successfully published 17 events
2017-03-31T09:28:02-04:00 INFO EventLog[Security] Successfully published 16 events
2017-03-31T09:28:02-04:00 INFO EventLog[MSExchange Management] Successfully published 1 events
2017-03-31T09:28:04-04:00 INFO EventLog[Security] Successfully published 15 events

Says 1 event published, but can't see it in Kibana.

Actually this is an ID10T error - I only had this on one server and my filters were wrong - duh - everything works

thanks

Wil
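
A check that follows from the log excerpt in this thread, as an added example that is not part of the original posts: it totals Winlogbeat's "Successfully published" lines per event log, so a channel that is being shipped (and is missing only because of downstream filtering) can be told apart from one that is not. The function names are hypothetical, and the regular expression assumes the line format shown in the posted log.

```python
import re
from collections import defaultdict

# Assumption: publish confirmations look like the lines in the posted log.
PUBLISHED = re.compile(
    r"^(?P<ts>\S+) INFO EventLog\[(?P<channel>[^\]]+)\] "
    r"Successfully published (?P<count>\d+) events\s*$"
)

# Excerpt copied from the Winlogbeat log posted in the thread.
SAMPLE_LOG = """\
2017-03-31T09:27:53-04:00 INFO EventLog[MSExchange Management] Successfully published 1 events
2017-03-31T09:27:54-04:00 INFO EventLog[Security] Successfully published 5 events
2017-03-31T09:27:56-04:00 INFO EventLog[Security] Successfully published 4 events
2017-03-31T09:27:58-04:00 INFO EventLog[Security] Successfully published 8 events
2017-03-31T09:28:01-04:00 INFO EventLog[Security] Successfully published 17 events
2017-03-31T09:28:02-04:00 INFO EventLog[Security] Successfully published 16 events
2017-03-31T09:28:02-04:00 INFO EventLog[MSExchange Management] Successfully published 1 events
2017-03-31T09:28:04-04:00 INFO EventLog[Security] Successfully published 15 events
"""

# Channel names from the posted winlogbeat.event_logs section.
CONFIGURED = ["Application", "Security", "System", "MSExchange Management"]


def published_totals(log_text):
    """Return {channel: (total_events, last_timestamp)} from publish lines."""
    totals = defaultdict(lambda: [0, None])
    for line in log_text.splitlines():
        m = PUBLISHED.match(line.strip())
        if not m:
            continue  # not a publish confirmation (warnings, startup, etc.)
        entry = totals[m["channel"]]
        entry[0] += int(m["count"])
        entry[1] = m["ts"]
    return {ch: (n, ts) for ch, (n, ts) in totals.items()}


def shipping_report(configured, log_text):
    """Map every configured channel to its totals; (0, None) if never seen."""
    totals = published_totals(log_text)
    return {ch: totals.get(ch, (0, None)) for ch in configured}


if __name__ == "__main__":
    for channel, (count, last) in shipping_report(CONFIGURED, SAMPLE_LOG).items():
        status = "published" if count else "no publish lines in this excerpt"
        print(f"{channel:<24} {count:>4}  {last or '-':<26} {status}")
```

A non-zero total for a channel means Winlogbeat handed those events to the output, so a gap in Kibana points at the Logstash pipeline or the search filters rather than the collector.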
