hi, im using winlogbeat 6.7.1 version for collecting event logs. I have a lot of application witch all starts with the same name on the beginning and it will be very useful to filter application by using application name and *.
For example:
winlogbeat.event_logs:
- name: Application
provider:
- docker*
Please suggest me another solution, thanks
Wildcards are not supported in Winlogbeat's configuration. You could open an enhancement request on GH to make sure it's not forgotten: https://github.com/elastic/beats/issues/new?template=feature-request.md
The provider filter is built on the XML filtering that Windows supports. There is no support for wildcards or xpath functions like startswith or contains hence Winlogbeat doesn't support them with the provider setting.
More details about the filtering capabilities in https://blogs.technet.microsoft.com/askds/2011/09/26/advanced-xml-filtering-in-the-windows-event-viewer/.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
