Winlogbeat ForwardedEvents channels filtering

Hi,

We have servers forwarding various log channels (System, Security, PowerShell..., Defender...) to a WEC server via the standard WEF service. We installed Winlogbeat on the WEC server to forward those logs to ELK. However, we want to store a lot of not really necessary logs on the WEC (from a lot of channels) and only forward some channels and some event IDs to ELK. The WEC subscription is at the moment configured to ingest all logs and put them in the "Forwarded Events" folder.

Let's say I want to forward via Winlogbeat, from that "Forwarded Events" folder, all ingested "Security" channel events 4624 and 4625, and also all events from the "Microsoft-Windows-Windows Defender/Operational" channel. I know I can specify exact event IDs, but is it also possible to specify these channels that are stored in Forwarded Events? Or, for my use case, is the only thing I can do to configure separate subscription outputs on the WEC (storing channels separately, e.g. "Forwarded Events - Defender") and then specify and filter them in the Winlogbeat config?

Thanks. Much love.

I would try setting up the exact query you want using the xml_query option. Try the Custom View wizard in the Windows Event Viewer to craft the XML.

It may also be advantageous for performance reasons to split the query across separate readers. Like:

winlogbeat.event_logs:
  - id: forwarded-windows-defender
    forwarded: true
    xml_query: >
      <QueryList>...
      </QueryList>

  - id: forwarded-security
    forwarded: true
    xml_query: >
      <QueryList>...
      </QueryList>
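A complete winlogbeat.yml for the two filters asked about above, added here as an illustration; it is not taken from the thread or from the Winlogbeat documentation. It assumes Winlogbeat runs on the WEC server, that the subscription writes to the default ForwardedEvents log, and that forwarded events keep the original channel name in their System/Channel element (standard WEF does this, so the Select can match on it). The Elasticsearch host is a placeholder.

```yaml
# winlogbeat.yml (added example, not from the original thread).
# Assumptions: Winlogbeat runs on the WEC server, the subscription writes to the
# default ForwardedEvents log, and forwarded events keep their original
# System/Channel value (they do under standard WEF).
winlogbeat.event_logs:
  # Reader 1: only logon success/failure from the forwarded Security channel.
  # id is required when xml_query is used; name must not be set alongside it.
  - id: forwarded-security-logons
    forwarded: true          # events were rendered on the source host; do not re-render here
    xml_query: >
      <QueryList>
        <Query Id="0" Path="ForwardedEvents">
          <Select Path="ForwardedEvents">
            *[System[(Channel='Security') and (EventID=4624 or EventID=4625)]]
          </Select>
        </Query>
      </QueryList>

  # Reader 2: everything forwarded from the Defender operational channel.
  # If Channel matching is not available in your version, the equivalent
  # predicate on the provider is Provider[@Name='Microsoft-Windows-Windows Defender'].
  - id: forwarded-defender-operational
    forwarded: true
    xml_query: >
      <QueryList>
        <Query Id="0" Path="ForwardedEvents">
          <Select Path="ForwardedEvents">
            *[System[Channel='Microsoft-Windows-Windows Defender/Operational']]
          </Select>
        </Query>
      </QueryList>

output.elasticsearch:
  hosts: ["https://elk.example.internal:9200"]   # placeholder, replace with your ELK host
```

Before restarting the Beat, check each Select on the collector itself, for example with `Get-WinEvent -LogName ForwardedEvents -FilterXPath "*[System[Channel='Security' and (EventID=4624 or EventID=4625)]]" -MaxEvents 5`; if that returns nothing while the events are visible in Event Viewer, the channel predicate is wrong for your setup and the Provider form (for Security, `Provider[@Name='Microsoft-Windows-Security-Auditing']`) is the fallback. Keeping the two readers separate also keeps their bookmarks separate, so tightening one query later does not re-read the other channel's backlog.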
