I'm using winlogbeat-6.5.3-windows-x86_64 version on my desktop PC.
I have set up my PC to log Object Access and winlogbeat works well.
When I remove my test.txt file on my PC, Event IDs 4660, 4663, and 4658 were generated on the PC, and I can see them in Event Log Viewer.
Event ID 4658 is sent to Elasticsearch successfully and I can search for it in Kibana.
But Event IDs 4660 and 4663 are not found in Kibana.
I have checked winlogbeat log file but there is nothing related to errors.
I still don't know what's wrong.
---- winlogbeat.yml ----
winlogbeat.event_logs:
  - name: Security
    ignore_older: 72h
  - name: Application
    ignore_older: 72h
  - name: System
    ignore_older: 72h
  - name: "Microsoft-Windows-Sysmon/Operational"
    ignore_older: 72h
  - name: "Microsoft-Windows-WindowsUpdateClient/Operational"
---- logstash.conf ----
output {
  if [type] == "wineventlog" {
    elasticsearch {
      hosts => ["http://192.168.0.11:9200"]
      index => "test_index"
    }
  }
}