I'm testing a setup atm where Winlogbeat sends Windows event logs to a Graylog server.
I wanted to limit the number of events Winlogbeat is collecting, so I tried to use winlogbeat.event_logs.
Here is my winlogbeat.yml file:
```yaml
fields:
  collector_node_id: graylog-collector-sidecar
  gl2_source_collector: 5b5a24c2-71b7-44ce-8310-e2d99f33b5bb
output:
  logstash:
    hosts:
    - 10.1.10.30:5044
path:
  data: C:\Program Files\graylog\collector-sidecar\cache\winlogbeat\data
  logs: C:\Program Files\graylog\collector-sidecar\logs
tags:
- windows
winlogbeat.event_logs:
- name: Application
  level: critical, error, warning
- name: System
  level: critical, error, warning
- name: Security
  level: critical, error, warning
```
Unfortunately, I don't notice any difference in the number of events.
Can you please help me out? Thanks in advance!!