Winlogbeat.event_logs not working properly

Hello guys,

I'm testing a setup atm where Winlogbeat sends Windows events logs to Graylog server.

I wanted to limit the number of events Winlogbeat is collecting, so I tried to use winlogbeat.event_logs.

Here is my winlogbeat.yml file:

fields:
  collector_node_id: graylog-collector-sidecar
  gl2_source_collector: 5b5a24c2-71b7-44ce-8310-e2d99f33b5bb

output:
  logstash:
    hosts:
    - 10.1.10.30:5044

path:
  data: C:\Program Files\graylog\collector-sidecar\cache\winlogbeat\data
  logs: C:\Program Files\graylog\collector-sidecar\logs

tags:
- windows

winlogbeat.event_logs:
  - name: Application
    level: critical, error, warning
  - name: System
    level: critical, error, warning
  - name: Security
    level: critical, error, warning

Unfortunately, I don't notice any difference in the number of events.

Can you please help me out? Thanks in advance!!

Could you please format you config using </>? Also could you please share debug logs?

Hello Noémi,

thanks for your quick answer.

Sorry but I m a real newbie when it comes to Winlogbeat. I just started tests yesterday.

If by debug logs you mean the ones stored in:

C:\Program Files\Graylog\collector-sidecar\logs

Here they are.

Based on your logs filtering conditions are passed to Winlogbeat correctly. You might need to filter out more events, if you would like to decrease the number of events further.

You could also filter based on event IDs. This could limit the unwanted events number. https://www.elastic.co/guide/en/beats/winlogbeat/current/configuration-winlogbeat-options.html#_literal_event_logs_event_id_literal

It's weird because I still see mostly messages that are tagged as "information". When I check my event history I don't see any decrease in the events amount. Is there any other way to test Winlogbeat outside the Graylog environment?

I have found the issue. Apparently Graylog overwrittes any conf changes if they are not done through its interface.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.