I am using the following architecture:
Central Event Collector (CEC) (with Winlogbeat and Filebeat) -> Ingest Nodes -> Data Nodes -> Kibana. The CEC is a Windows server and is configured to push all security events. For testing purposes, I stopped the event log service, which generated a series of events that can be seen in the Event Viewer. After the service was resumed, Elasticsearch received all event logs except one security event log: the log which says the event log service has been shut down (Event ID 1100).
The idea was to test and notify us immediately if the event log service is stopped manually. But that specific security log is not taken up by Elasticsearch.
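Since the goal stated above is to be notified when the event log service stops, and the one record that announces the stop (Event ID 1100) may never reach the cluster, a detection that relies only on seeing 1100 is fragile. The added example below is not code from the poster or from Elastic; it is a small Python check that looks for 1100 directly and, as a fallback, treats a silence gap on the Security channel as a signal on its own. The flattened field names `winlog.channel` and `winlog.event_id`, the five-minute gap threshold and the sample events are all assumptions constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real data), flattened into a Winlogbeat-like
# shape using the field names winlog.channel and winlog.event_id (assumption).
# Winlogbeat ships event_id as a string in recent versions, so it is normalised
# with int() below.
SAMPLE_WITH_SHUTDOWN = [
    {"@timestamp": "2024-01-01T10:00:00Z", "winlog.channel": "Security", "winlog.event_id": "4624"},
    {"@timestamp": "2024-01-01T10:01:00Z", "winlog.channel": "Security", "winlog.event_id": "4672"},
    {"@timestamp": "2024-01-01T10:02:00Z", "winlog.channel": "Security", "winlog.event_id": "1100"},
    {"@timestamp": "2024-01-01T10:20:00Z", "winlog.channel": "Security", "winlog.event_id": "4624"},
]

# Same scenario, but the 1100 record never arrived (the situation in the post).
SAMPLE_SHUTDOWN_LOST = [
    {"@timestamp": "2024-01-01T10:00:00Z", "winlog.channel": "Security", "winlog.event_id": "4624"},
    {"@timestamp": "2024-01-01T10:01:00Z", "winlog.channel": "Security", "winlog.event_id": "4672"},
    {"@timestamp": "2024-01-01T10:02:00Z", "winlog.channel": "Security", "winlog.event_id": "4624"},
    {"@timestamp": "2024-01-01T10:20:00Z", "winlog.channel": "Security", "winlog.event_id": "4624"},
    {"@timestamp": "2024-01-01T10:21:00Z", "winlog.channel": "Security", "winlog.event_id": "4672"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used by the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_event_log_shutdowns(events, channel="Security", event_id=1100):
    """Direct detection: return every record announcing an event log service shutdown."""
    return [
        e for e in events
        if e["winlog.channel"] == channel and int(e["winlog.event_id"]) == event_id
    ]


def find_silence_gaps(events, channel="Security", max_gap=timedelta(minutes=5)):
    """Fallback detection: report stretches with no events on the channel longer than max_gap.

    This still fires when the 1100 record itself is lost, because a stopped
    event log service produces no Security events at all.
    """
    stamps = sorted(parse_ts(e["@timestamp"]) for e in events if e["winlog.channel"] == channel)
    gaps = []
    for earlier, later in zip(stamps, stamps[1:]):
        if later - earlier > max_gap:
            gaps.append({
                "last_seen": earlier.isoformat(),
                "next_seen": later.isoformat(),
                "gap_seconds": (later - earlier).total_seconds(),
            })
    return gaps


def is_silent_now(events, now, channel="Security", max_gap=timedelta(minutes=5)):
    """Heartbeat check for scheduled runs: True if the newest event is older than max_gap."""
    stamps = [parse_ts(e["@timestamp"]) for e in events if e["winlog.channel"] == channel]
    if not stamps:
        return True
    return now - max(stamps) > max_gap


def alerts_for(events, now, max_gap=timedelta(minutes=5)):
    """Combine both signals into a list of alert strings."""
    alerts = [f"event log service shutdown reported at {e['@timestamp']}"
              for e in find_event_log_shutdowns(events)]
    alerts += [f"no Security events for {g['gap_seconds']:.0f}s after {g['last_seen']}"
               for g in find_silence_gaps(events, max_gap=max_gap)]
    if is_silent_now(events, now, max_gap=max_gap):
        alerts.append("Security channel currently silent")
    return alerts


if __name__ == "__main__":
    now = parse_ts("2024-01-01T10:22:00Z")
    for name, batch in (("with 1100", SAMPLE_WITH_SHUTDOWN), ("1100 lost", SAMPLE_SHUTDOWN_LOST)):
        print(name, alerts_for(batch, now))
```

The direct check covers the case where 1100 does arrive; the gap and heartbeat checks cover the case described in the post, where it does not. In a real deployment the gap threshold should exceed the longest normal quiet period on the collector, otherwise a quiet night shift looks like a stopped service.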