My boss gave me the task of configuring logging of file deletion, creation and modification events on the file server.
The ELK server is set up; it's time to install Winlogbeat on the file server and configure the transfer of the necessary events. I configured Winlogbeat and events are being sent to the ELK server, but there are too many events and too much junk. I picked a few event_id values and set it up to send only them, but there are still a lot of events, so I found some event_data.AccessMask parameter values that I need. I'm trying to set up filtering by the event_data.AccessMask parameter, but unfortunately the filtering does not work. Please help.
winlogbeat.event_logs:
  - name: Security
    event_id: 4656, 4663
All event_data.AccessMask values other than those below need to be filtered out.
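
One way to express this kind of filter, as an added example that is not part of the original post: a drop_event processor that discards every collected event whose AccessMask is not on an allow-list. The three mask values are constructed samples (standard Windows file access rights), not the poster's list, and the field name follows the post; Winlogbeat 7.0 and later name it winlog.event_data.AccessMask.

```yaml
# Added example: collect only 4656/4663 from the Security log, then drop
# every event whose AccessMask is not on the allow-list below.
winlogbeat.event_logs:
  - name: Security
    event_id: 4656, 4663

processors:
  - drop_event:
      when:
        not:
          or:
            # AccessMask arrives as a hex string, so compare against strings.
            # Constructed sample values; replace with the masks you need.
            - equals:
                event_data.AccessMask: "0x2"      # WriteData / AddFile
            - equals:
                event_data.AccessMask: "0x4"      # AppendData / AddSubdirectory
            - equals:
                event_data.AccessMask: "0x10000"  # DELETE
# An event with no AccessMask field matches none of the equals conditions,
# so the "not" is true and the event is dropped as well.
```

`equals` matches the whole value, so an event that requests several rights at once carries a combined mask and needs its own entry in the list.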