Windows Event pipelines - beats vs agent

When a new version of winlogbeat is set up, it loads 5 pipelines, some of which have a lot of processors (44-93).

Looking at the logs-winlog pipelines for the agents, there are only the stubs for the optional @custom pipelines.

Where does the processing from the winlogbeat pipelines happen for agent data?

Thanks

The logs-winlog* pipelines are part of the Windows Custom Events integration, it is used for custom logs.

The processing that was done by Winlogbeat is now split between the System and the Windows integration.

For example, the Application, System and Security event channels are processed by the System integration, and PowerShell, AppLocker, etc. are processed by the Windows integration.

You can check the pipelines here and here.
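As an added illustration of the point made in the answer above (this is example code, not from the thread or from Elastic): a small audit over a `GET _ingest/pipeline` listing that flags pipelines consisting solely of the optional `@custom` hook, so data routed only through such a stub stands out as unprocessed. The pipeline names, versions and processors in `SAMPLE_PIPELINES` are constructed for the example.

```python
"""Audit Elasticsearch ingest pipelines: which ones actually process events?"""

# Constructed sample in the shape of a GET _ingest/pipeline response.
# Names, versions and processors are illustrative, not from a real cluster.
SAMPLE_PIPELINES = {
    "logs-winlog.winlog-1.2.0": {
        "processors": [
            {"pipeline": {"name": "logs-winlog.winlog@custom",
                          "ignore_missing_pipeline": True}},
        ]
    },
    "logs-system.security-1.6.0": {
        "processors": [
            {"set": {"field": "ecs.version", "value": "8.0.0"}},
            {"rename": {"field": "winlog.event_data.TargetUserName",
                        "target_field": "user.name", "ignore_missing": True}},
            {"script": {"lang": "painless", "source": "/* enrich */"}},
            {"pipeline": {"name": "logs-system.security@custom",
                          "ignore_missing_pipeline": True}},
        ]
    },
    "logs-windows.powershell-1.9.0": {
        "processors": [
            {"kv": {"field": "winlog.event_data.param3", "field_split": "\n",
                    "value_split": "=", "ignore_missing": True}},
            {"pipeline": {"name": "logs-windows.powershell@custom",
                          "ignore_missing_pipeline": True}},
        ]
    },
}


def is_custom_stub(pipeline):
    """True if every processor is just a call into an @custom pipeline."""
    procs = pipeline.get("processors", [])
    return bool(procs) and all(
        set(p) == {"pipeline"} and p["pipeline"].get("name", "").endswith("@custom")
        for p in procs
    )


def audit(pipelines):
    """Map pipeline name -> (processor count, is_custom_stub)."""
    return {name: (len(body.get("processors", [])), is_custom_stub(body))
            for name, body in pipelines.items()}


def stub_pipelines(pipelines):
    """Names of pipelines that do no processing of their own, sorted."""
    return sorted(n for n, (_, stub) in audit(pipelines).items() if stub)


if __name__ == "__main__":
    for name, (count, stub) in audit(SAMPLE_PIPELINES).items():
        print(f"{name}: {count} processors{' (custom stub only)' if stub else ''}")
```

Run against a real listing by replacing `SAMPLE_PIPELINES` with the parsed JSON of `GET _ingest/pipeline/logs-*`; any Windows channel whose events only reach a stub is a candidate for moving to the System or Windows integration.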

The consultant that built the initial configs had everything as Custom Windows Log, so none of the pipelines are being used. I need to switch to the System and Windows integrations.

Thanks
