I'm using this configuration on the winlogbeat agent to send specific events (4624 and 4625) generated by an application (Azure AD Connect PTA agent).
I'm using a drop_event processor.
This will drop every collected event that is not sent by my application.
Thank you for your answers.
I have already tried @jsoriano solution.
I'll see if your proposal (event_id and the ignore_older) could also work with my problem.
I managed to get what I wanted in Kibana by using KQL and isolating the logs, which seems to be enough for what we're doing.
My only fear is that I'll end up with a log overflow.
I thank you for your answer; the topic can be closed.
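As an added illustration of the approach discussed in this thread (not the poster's actual configuration), the winlogbeat.yml fragment below combines the two filtering layers mentioned: `event_id` and `ignore_older` restrict what is read from the Security log, and a `drop_event` processor then discards any logon event whose requesting process is not the agent. The `winlog.event_data.ProcessName` field and the executable name in the condition are assumptions; check them against an actual 4624/4625 event from your own host before relying on the filter.

```yaml
# Added example, not the original poster's configuration.
# Layer 1: only read 4624 (logon success) and 4625 (logon failure) from the
# Security channel, and skip events older than 72h on first start so an
# initial backlog does not flood the output.
winlogbeat.event_logs:
  - name: Security
    event_id: 4624, 4625
    ignore_older: 72h

# Layer 2: keep only events raised on behalf of the PTA agent process.
# Both 4624 and 4625 carry the requesting process path in EventData.ProcessName,
# which winlogbeat exposes as winlog.event_data.ProcessName (assumed field name).
# The executable name below is a placeholder: replace it with the agent's
# actual service binary as seen in your events.
processors:
  - drop_event:
      when:
        not:
          contains:
            winlog.event_data.ProcessName: "AzureADConnectAuthenticationAgentService.exe"

output.elasticsearch:
  hosts: ["https://elasticsearch.example.internal:9200"]   # placeholder host
```

Dropping in the agent this way reduces index volume at the source, whereas isolating the events with KQL in Kibana still ships and stores every 4624/4625 event the host generates.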