I have winlogbeat installed on a few desktops and our primary domain controller with all of them pointing to a SecurityOnion server with ELK. If I clear event logs (1102) for example, the event quickly shows up in my Kibana dashboard. Account lockouts though (4740) on the domain or local user accounts do not show up at all, even though they are in my event viewer. Looking at logs in debug mode, I do not see an entry in it for the event.
This is my configuration:
winlogbeat.event_logs:
- name: Application
- name: Security
- name: System
I have also tried explicitly setting the event with this config:
winlogbeat.event_logs:
- name: Application
- name: Security
  event_id: 4740
- name: System
This returns no events.
Any ideas? I am new to ELK and winlogbeat, so it may be something very obvious that I am missing. Any help would be appreciated.