Using Channel Names in Winlogbeat Config

(Arne Opdal) #1

Is it possible to use Winlogbeat for the "Application and Services Log" types in addition to the eventlog?

(Andrew Kroh) #2

If by "Application and Services Log" you mean log files, then no. That is what Filebeat does, so deploy Filebeat and Winlogbeat.

Similar to Winlogbeat and Reading Log Files

(Arne Opdal) #3

The logs I'm thinking about are listed by Get-WinEvent -ListLog * using PowerShell.

In Event Viewer they are listed below the "Windows Logs", which are easily logged by Winlogbeat.

The Windows event log "Application" is located in %SystemRoot%\System32\Winevt\Logs\Application.evtx
And one which may be nice to get is the HardwareEvents, which is located in %SystemRoot%\System32\Winevt\Logs\HardwareEvents.evtx

I'm not a Windows man, but it looks like the "Application and Services Log" uses the same framework for logging as the event logs.

(Andrew Kroh) #4

Yes, see the documentation for Also, there's a script here to generate a config file that reads from all channels.
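
One way to turn the channel list from Get-WinEvent -ListLog * into a winlogbeat.event_logs section, as an added example that is not part of the original thread and is not the script linked above. The output file name and the "enabled and non-empty" filter are assumptions chosen for illustration.

```powershell
# Added example: build a winlogbeat.event_logs section from the channels
# that Get-WinEvent -ListLog * reports on this host.

# Hypothetical output path; merge the result into winlogbeat.yml by hand.
$outFile = Join-Path $PWD 'winlogbeat-channels.yml'

# Some channels raise errors when queried without elevation; skip those.
# The filter (enabled, at least one record) is an illustrative choice that
# keeps the list to channels that are actually producing events.
$channels = @(
    Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
        Where-Object { $_.IsEnabled -and $_.RecordCount -gt 0 } |
        Sort-Object LogName
)

$lines = @('winlogbeat.event_logs:')
foreach ($ch in $channels) {
    # Channel names can contain spaces and '/', so emit them as YAML
    # single-quoted strings; an embedded single quote is doubled.
    $name = $ch.LogName -replace "'", "''"
    $lines += "  - name: '$name'"
}

Set-Content -Path $outFile -Value $lines -Encoding ASCII
'{0} channels written to {1}' -f $channels.Count, $outFile
```

Review the generated list before deploying it: shipping every active channel can produce far more volume than the handful of channels a detection pipeline needs.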

(Arne Opdal) #5


(Andrew Kroh) #6