Winlogbeat configuration - exact selection

Hello :slight_smile: Hope someone could help me :wink:

I want to collect ALL events of level Critical, Error and Warning + from level Information JUST the event IDs 1074, 6005, 6006, 6008 (for monitoring restart/shutdown of servers).
How to configure it? :thinking:
I tried this, but it did not work:

- name: System
  ignore_older: 10h
  level: critical, error, warning
  level: information
  event_id: 1074, 6005, 6006, 6008

I received only Information events id 1074, 6005, 6006, 6008 but NO events of Critical, Error and Warning level :frowning:

@RRadim I'm not 100% on this, but I believe the issue is that you have two entries for level. When the YAML is being parsed, it is probably overwriting itself with information thus you are only getting information level events.

Assuming you do want information as well, try this instead:

- name: System
  ignore_older: 10h
  level: information, critical, error, warning
  event_id: 1074, 6005, 6006, 6008
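The parsing behaviour the reply above suspects (a repeated key silently overwritten by its last value) can be checked before Winlogbeat ever reads the file. The script below is an added example, not code from this thread or from Winlogbeat: it walks a block-style `winlogbeat.event_logs` snippet, reports every key repeated inside one list item, and shows the last-wins entry a lenient YAML parser would keep. The two snippets are constructed from the configs posted in this thread; the scanner needs no third-party library and only handles the plain `key: value` / `- key: value` shapes such a section uses.

```python
"""Added example (not from the thread): spot repeated keys in a winlogbeat
event_logs block and show the last-wins value a lenient YAML parser keeps."""

# Constructed from the thread's first attempt: `level` appears twice in one item.
BAD_CONFIG = """\
winlogbeat.event_logs:
  - name: System
    ignore_older: 10h
    level: critical, error, warning
    level: information
    event_id: 1074, 6005, 6006, 6008
"""

# Constructed from the working answer: two separate items, no repeated keys.
GOOD_CONFIG = """\
winlogbeat.event_logs:
  - name: System
    ignore_older: 10h
    level: information
    event_id: 1074, 6005, 6006, 6008
  - name: System
    ignore_older: 10h
    level: critical, error, warning
"""


def scan_event_logs(text):
    """Return (items, duplicates) for a block-style YAML snippet.

    items: one dict per `- ` list item, filled with last-wins semantics, i.e.
           what a lenient YAML parser silently ends up with.
    duplicates: [(line_no, key)] for each key repeated inside the same mapping.
    Only the `key: value` and `- key: value` shapes a winlogbeat.event_logs
    section uses are handled (no flow style, no anchors, no multi-line scalars).
    """
    items, duplicates = [], []
    scopes = []  # stack of [column_of_keys, keys_seen, dict_being_filled]
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        body = line.strip()
        if body.startswith("- "):
            # New sequence item: its keys sit two columns right of the dash,
            # and any previous item's mapping at that depth is now closed.
            indent += 2
            body = body[2:].lstrip()
            while scopes and scopes[-1][0] >= indent:
                scopes.pop()
            scopes.append([indent, set(), {}])
            items.append(scopes[-1][2])
        else:
            # Back out of any deeper mappings that ended on the previous line.
            while scopes and scopes[-1][0] > indent:
                scopes.pop()
            if not scopes or scopes[-1][0] != indent:
                scopes.append([indent, set(), {}])
        if ":" not in body:
            continue  # plain scalar list entry, nothing to check
        key, _, value = body.partition(":")
        key, value = key.strip(), value.strip()
        seen, mapping = scopes[-1][1], scopes[-1][2]
        if key in seen:
            duplicates.append((line_no, key))
        seen.add(key)
        mapping[key] = value  # last occurrence wins, as in a lenient parser
    return items, duplicates


def report(text):
    """Print the repeated keys and the entries a lenient parser would end up with."""
    items, duplicates = scan_event_logs(text)
    for line_no, key in duplicates:
        print(f"line {line_no}: key {key!r} repeated; the last value wins")
    for item in items:
        print("effective entry:", item)


if __name__ == "__main__":
    report(BAD_CONFIG)   # flags `level` on line 5, effective level = information
    report(GOOD_CONFIG)  # no repeats, two entries with the intended levels
```

Run it against the real `winlogbeat.yml` by reading the file into `text`; a non-empty `duplicates` list is the sign that one entry is quietly shadowing another, which is exactly the symptom described above (only the Information events arriving).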

Unfortunately, it doesn't work :frowning:
NO critical, error or warning level events... only information level events 1074, 6005, 6006, 6008.

Any other idea? Maybe using 'processors'... but I have no experience with them.

Hello,

Firstly, make sure the events you want have different levels: info, error, etc.
Probably your events are generated only with the informational level, which is a case I see a lot.
Please have a check in your event viewer directly on your machine to analyze that point first.

Secondly, you can just drop the 'level' section in your conf if you want everything.

Regards
Luc

  1. Yes, there are a lot of SYSTEM events with ERROR or WARNING level.
  2. No, I do not want to collect/monitor everything! I do not want events with INFORMATION level (except event_id: 1074, 6005, 6006, 6008).

Hello,

  1. My point is that for the events you mentioned (1074, 6005, 6006 and 6008), the level can always be 'information' in the event viewer.

  2. If you remove the level section in the config file AND you have configured 4 event_id values, you will send ONLY these 4 event_ids whatever the level type.

Regards,
Luc

Thank you for your contributions, but I haven't moved anywhere yet :frowning:
Does anyone have any working configuration code for my problem?

Hello,

Based on what I understand, you want only the 4 event IDs (1074, 6005, 6006, 6008), right?
And these 4 events exist with different 'level' values.

You can try this:

- name: System
  ignore_older: 10h
  event_id: 1074,6005,6006,6008

As I said, you need to analyze first whether you have different levels for the mentioned events in your event viewer.
Maybe I misunderstand what you're looking for...

Sorry, I read your initial post again, and I totally misread it at first.
You can try this:

- name: System
  ignore_older: 10h
  level: information
  event_id: 1074,6005,6006,6008
- name: System
  ignore_older: 10h
  level: critical, error, warning

Edit: we can use a drop_event processor if needed. If it works, then we can do some tweaks.

Yes! It works! You're great :slight_smile:
And out of interest: how would you handle it with a processor? :wink:

Maybe something like this could work for your case:

- name: System
  ignore_older: 10h
  processors:
    - drop_event:
        when:
          and:
            - equals.log.level: information
            - not:
                or:
                  - equals.winlog.event_id: '1074'
                  - equals.winlog.event_id: '6005'
                  - equals.winlog.event_id: '6006'
                  - equals.winlog.event_id: '6008'

Which means: we drop all events with information level, except for the 4 events.
Note: I didn't test it... so maybe it's not working, but the logic is here.
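The drop_event logic above can be dry-run before it goes into the Winlogbeat config. The script below is an added example, not part of this thread or of Winlogbeat: it evaluates a Beats-style condition (the `equals`, `and`, `or` and `not` operators, with the dotted keys written out as nested dicts) against a handful of constructed events, so the intended rule "drop Information unless the ID is one of the four" can be asserted on real-looking input. The field names `log.level` and `winlog.event_id` are the ones used in the config above; event IDs other than the four from the thread are constructed sample values with no particular meaning.

```python
"""Added example (not from the thread): dry-run a Beats-style drop_event
condition in Python before trusting it in winlogbeat.yml."""

# The four Information-level IDs the thread wants to keep (shutdown/restart).
KEEP_IDS = ["1074", "6005", "6006", "6008"]

# Same logic as the YAML processor: drop when level is information AND the
# event ID is none of the four. Mirrors the `and` / `not` / `or` / `equals`
# nesting of the config; dotted keys are written as nested dicts.
DROP_WHEN = {
    "and": [
        {"equals": {"log.level": "information"}},
        {"not": {"or": [{"equals": {"winlog.event_id": i}} for i in KEEP_IDS]}},
    ]
}


def evaluate(cond, event):
    """Evaluate one condition against a flat event dict.

    Only equals/and/or/not are implemented; Beats also offers contains,
    regexp, range, network and has_fields, which this rule does not need.
    """
    (op, arg), = cond.items()
    if op == "equals":
        # every listed field must match exactly (string compare, like a
        # keyword field such as winlog.event_id)
        return all(event.get(field) == value for field, value in arg.items())
    if op == "and":
        return all(evaluate(sub, event) for sub in arg)
    if op == "or":
        return any(evaluate(sub, event) for sub in arg)
    if op == "not":
        return not evaluate(arg, event)
    raise ValueError(f"unsupported condition operator: {op!r}")


def filter_events(events, drop_when=DROP_WHEN):
    """Return the events that survive the drop_event processor."""
    return [e for e in events if not evaluate(drop_when, e)]


# Constructed sample events; only the four IDs from the thread carry meaning.
SAMPLE_EVENTS = [
    {"winlog.event_id": "1074", "log.level": "information"},  # keep (wanted ID)
    {"winlog.event_id": "6005", "log.level": "information"},  # keep (wanted ID)
    {"winlog.event_id": "9001", "log.level": "information"},  # drop (other info)
    {"winlog.event_id": "9002", "log.level": "error"},        # keep (error)
    {"winlog.event_id": "9003", "log.level": "warning"},      # keep (warning)
    {"winlog.event_id": "9004", "log.level": "critical"},     # keep (critical)
]


def kept_ids(events=SAMPLE_EVENTS):
    """Event IDs that pass the filter, in input order."""
    return [e["winlog.event_id"] for e in filter_events(events)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict = "drop" if evaluate(DROP_WHEN, event) else "keep"
        print(f"{verdict}: {event}")
```

Because `winlog.event_id` is compared as a string here, the IDs in both the dict and the sample events are quoted, which matches the quoted values in the YAML above; if a rule is changed to `regexp` or `range` later, extend `evaluate` rather than relying on an operator it does not know, since it raises on anything unsupported instead of silently returning False.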
