Using eql to query for custom log

lusynda · February 22, 2022, 4:53am

Hi all,
I have question on the ability to query data for eql,
Can eql be used to query for any log source other than from elastic-agent or winlogbeat.
For example: i use filebeat to collect log from iis server then put them thourgh logstash to process and then index them to elastic. I have indexed them in ecs format so it will be compatible to eql, but then how to i query that iis log using eql.
All i can see from the document are how to query data from winlogbeat or elastic-agent. And not from different source.

Thanks for your time.

sholzhauer · February 23, 2022, 5:20pm

It is the same as querying winlogbeat or the logs-* indices.

You have to specify the index in which your logs live and build your query.
EQL does have some requirements, for example an event.category must be present.
However that one can be circumvented by using any.

system · March 23, 2022, 5:21pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.