Using eql to query for custom log

lusynda · February 22, 2022, 4:53am

Hi all,
I have question on the ability to query data for eql,
Can eql be used to query for any log source other than from elastic-agent or winlogbeat.
For example: i use filebeat to collect log from iis server then put them thourgh logstash to process and then index them to elastic. I have indexed them in ecs format so it will be compatible to eql, but then how to i query that iis log using eql.
All i can see from the document are how to query data from winlogbeat or elastic-agent. And not from different source.

Thanks for your time.

sholzhauer · February 23, 2022, 5:20pm

It is the same as querying winlogbeat or the logs-* indices.

You have to specify the index in which your logs live and build your query.
EQL does have some requirements, for example an event.category must be present.
However that one can be circumvented by using any.

system · March 23, 2022, 5:21pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Problem with EQL queries Elasticsearch	1	323	October 26, 2020
What is the point of using EQL to correlate log? Elasticsearch eql-elastic-query-language	2	619	February 15, 2022
Elastic Query for alerts Windows Elasticsearch	1	316	February 1, 2022
EQL: Why basic query is different from dataset SIEM	6	565	November 12, 2020
EQL syntax error? Elastic Security eql-elastic-query-language	4	1475	July 28, 2021

Using eql to query for custom log

Related Topics