Trace Event Logs

The vast majority of useful logging on Windows is now in the ETW style trace logs. These are visible in Event Viewer under "Applications and Services Logs". Can Heartbeat gather and ship these logs?

I ask because the documentation says to use the PowerShell command "get-eventlog *" to view a list of event logs. This command will only list old style event logs and not the newer ETW trace style; to list the newer style logs you should use "get-winevent -listlog *".

Have you seen this: https://www.elastic.co/guide/en/beats/winlogbeat/current/configuration-winlogbeat-options.html#configuration-winlogbeat-options-event_logs-name

Winlogbeat can read the logs listed by Get-WinEvent -ListLog *.

Only Analytic and Debug logs are based on ETW and Winlogbeat cannot read those. Analytic and Debug logs are disabled and hidden by default in event viewer.

There has been a request to add a feature in Beats for ETW. https://github.com/elastic/beats/issues/2073
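The following script is an added example, not part of the original thread or of Winlogbeat itself. It uses Get-WinEvent -ListLog * to enumerate every channel on the host, separates the ETW-backed Analytical and Debug channels that Winlogbeat cannot read from the Administrative and Operational channels it can, and writes a winlogbeat.event_logs section for the enabled channels that actually contain records. It assumes an elevated PowerShell session on Windows; the output file name is a placeholder.

```powershell
# Added example (not from the thread or the Winlogbeat project).
# Assumptions: elevated PowerShell 3+ session on Windows; $outFile is a placeholder path.
$outFile = 'winlogbeat-event_logs.yml'

# Get-WinEvent -ListLog * lists all channels, including the ETW-backed Analytic/Debug ones
# that Get-EventLog never shows. Some channels are not readable and raise errors, so suppress them.
$allLogs = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue

# Winlogbeat cannot subscribe to Analytical or Debug channels (those are pure ETW),
# so split the list by LogType before generating any configuration.
$etwOnly  = $allLogs | Where-Object { $_.LogType -in @('Analytical', 'Debug') }
$readable = $allLogs | Where-Object { $_.LogType -notin @('Analytical', 'Debug') -and $_.IsEnabled }

Write-Host ("Channels Winlogbeat can read: {0}" -f @($readable).Count)
Write-Host ("ETW-only (Analytic/Debug) channels it cannot read: {0}" -f @($etwOnly).Count)

# Emit a winlogbeat.event_logs section. Channels with no records are skipped so the
# generated config stays manageable; add them by hand if you want them collected from day one.
$yaml = @('winlogbeat.event_logs:')
foreach ($log in ($readable | Where-Object { $_.RecordCount -gt 0 } | Sort-Object LogName)) {
    $yaml += ('  - name: "{0}"' -f $log.LogName)
}
$yaml | Set-Content -Path $outFile -Encoding UTF8
Write-Host ("Wrote {0} event_logs entries to {1}" -f ($yaml.Count - 1), $outFile)
```

Review the generated file before merging it into winlogbeat.yml: high-volume channels such as Security are best given their own entry with event_id or level filters rather than collected wholesale, and anything listed in the ETW-only count will need the ETW support requested in the linked Beats issue.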

Thank you @andrewkroh - No, I hadn't seen that and feel slightly embarrassed as it's in the official docs!
