Hi,
How do you set which event logs are collection in the winlogbeat.yml config file. I have some event logs for Hyper-V that are Application And Service Logs and are not in the windows logs section of the event viewer?
e.g. event log: Applications and service logs\microsoft\windows\Hyper-V-VMMS
thanks in advance.
You add a new item to the winlogbeat.event_logs list. See https://www.elastic.co/guide/en/beats/winlogbeat/current/configuration-winlogbeat-options.html#configuration-winlogbeat-options-event_logs-name.
winlogbeat.event_logs:
- name: '<Name of the event log>'
Done that mate but cannot get any events for those in the Application and Service logs. Hard to describe without pictures 
My config:
ignore_older: 72h
- name: Security
event_id: -4776
- name: System
- name: Hyper-V-High_Availabilty
- name: Hyper-V-VMMS
- name: Hyper-V-Hypervisor
So you ran the command listed in the docs to get the event log names?
PS C:\> Get-WinEvent -ListLog * | Format-List -Property LogName
I think you can make it Get-WinEvent -ListLog * | Format-List -Property LogName | Select-String -Pattern "Hyper-V" to filter. Please share the command's output.
Ah forgot about that 
Would that cover all sub folder items also as Hyper-V has a bunch of folders within the root hyper-v.
Thanks,
Each channel must be individually declared in the winlogbeat.event_logs list in order for it to be read.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.