Windows Elastic Agent System Integration not pulling Security or Application events

I have an Elastic Agent installed on a Windows Server and I've configured the system integration to pull Application, System, and Security logs. Only System logs are being collected and I can't find anything that indicates why this might be happening.

This is an Elastic Cloud instance and support hasn't been any help. Hoping someone might have ideas.

Try looking at the log files from Elastic Agent to see if there are any errors. We have a troubleshooting guide here: Troubleshoot common problems | Fleet and Elastic Agent Guide [8.0] | Elastic

I'm noticing some differences using Elastic Agent compared to Winlogbeat. I had the same perception when trying to look up audit logs.

I got around it using Winlogbeat with Sysmon and enabling PowerShell logs. The Elastic Agent maintains threat detection and server metrics.

Take a look at this tutorial - Gathering Windows, PowerShell and Sysmon Events with Winlogbeat – ELK 7 – Windows Server 2016 (Part II)

Thanks for the input. I was able to get this working using the custom Windows Event Log integration and manually pointing it to the security log.
