Using Channel Names in Winlogbeat Config


(Arne Opdal) #1

Is it possible to use Winlogbeat for the "Application and Services Log" types in addition to the eventlog?


(Andrew Kroh) #2

If by "Application and Services Log" you mean log files, then no. That is what Filebeat does, so deploy Filebeat and Winlogbeat.

Similar to Winlogbeat and Reading Log Files


(Arne Opdal) #3

The logs I'm thinking about are listed by Get-WinEvent -ListLog * using PowerShell.

In Event Viewer they are listed below the "Windows Logs", which are easily logged by Winlogbeat.

The Windows eventlog "Application" is located in %SystemRoot%\System32\Winevt\Logs\Application.evtx
And one which may be nice to get is the Hardwareevent, which is located in %SystemRoot%\System32\Winevt\Logs\HardwareEvents.evtx

I'm not a Windows man, but it looks like the "Application and Services Log" uses the same framework for logging as the Eventlogs.


(Andrew Kroh) #4

Yes, see the documentation for event_logs.name. Also, there's a script here to generate a config file that reads from all channels.
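
An added example, not part of the original post and not the script linked above: one way to turn the output of Get-WinEvent -ListLog * into an event_logs section keyed by channel name. The output file name is a placeholder, and skipping Analytical and Debug channels is an assumption based on the Windows subscription API not supporting them.

```powershell
# Added example: build a winlogbeat.event_logs section from the channels
# that Get-WinEvent reports on this host.
# Assumption: the output path below is a placeholder; merge the result into
# your real winlogbeat.yml by hand.
$OutFile = '.\winlogbeat-channels.yml'

# Enumerate every channel, classic ("Windows Logs") and
# "Applications and Services Logs" alike. Channels the current account
# cannot read raise errors, which are suppressed here.
$channels = @(
    Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
        Where-Object {
            # Keep only enabled Admin/Operational channels. Analytical and
            # Debug channels cannot be subscribed to (assumption noted above).
            $_.IsEnabled -and
            ([string]$_.LogType -in @('Administrative', 'Operational'))
        } |
        Sort-Object -Property LogName
)

$lines = @('winlogbeat.event_logs:')
foreach ($channel in $channels) {
    # Channel names contain '/' and '-', e.g.
    # Microsoft-Windows-PowerShell/Operational, so emit them as
    # single-quoted YAML strings and double any embedded single quote.
    $name = $channel.LogName -replace "'", "''"
    $lines += "  - name: '$name'"
}

$lines | Set-Content -Path $OutFile -Encoding ASCII
'{0} channels written to {1}' -f $channels.Count, $OutFile
```

Run it from an elevated prompt so that channels such as Security are visible, then trim the list to the channels you actually want shipped before deploying it.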


(Arne Opdal) #5

Thanks!

