Try to take only log from on application

Hello everyone,

I can catch every log from the computer but I just want the log from one application. I try to make that with the processors on Winlogbeat.

  1. It's is possible ?
  2. Did I have to do that with a filter on Logstash ?

Here it's what I catch with the logbeat.

Actualy It's what I have from the cmd line:

Exiting: error initializing processors: failed to initialize condition: missing or invalid condition

And here is my Winlogbeat processors

    processors:
    - include_fields:
        when:
          winlog.event_data.ProcessName: 'C:\Program Files (x86)\Microsoft Dynamics NAV\110\RoleTailored Client\Microsoft.Dynamics.Nav.Client.exe'
        fields: [message, winlog.event_data.ProcessName, winlog.event_data.SubjectUserName]

Kind of regards.
Romain

PS: I'm sorry for my english skill

Hey @Roms,

One thing you can do is to filter out all events you are not interested in, for example with something like this:

processors:
  - drop_event:
      when:
        equals.winlog.event_data.ProcessName: 'C:\Program Files (x86)\Microsoft Dynamics NAV\110\RoleTailored Client\Microsoft.Dynamics.Nav.Client.exe'

Hello,

I'm using this configuration on the winlogbeat agent to send specific events (4624 and 4625) generated by an application (Azure AD Connect PTA agent).
I'm using a drop_event processor.

This will drop every collected events that are not sent by my application.

winlogbeat.event_logs:
  - name: Security
    ignore_older: 24h
    event_id: 4624,4625

processors:
- drop_event.when.not.equals.winlog.event_data.ProcessName: 'C:\Program Files\Microsoft Azure AD Connect Authentication Agent\AzureADConnectAuthenticationAgentService.exe'

Regards,

Hey everyone,

Thank you for your answers.
I have already tried @jsoriano solution.
I'll see if your proposal could also work with my problem. (event_id and the ignore_older)
I managed to get what I wanted in Kiabana by using KQL and isolating the logs. Which seems to be enough for what we're doing.

My only fear is that I'll end up with a log overflow.

I thank you for your answer the topic can be closed.