Winlogbeat not capturing specific event id's in windows server 2012

r.ganeshbabu · June 5, 2018, 7:05am

Hi All,

I have installed winlogbeat 5.6.5 version in the windows server 2012 machine and to capture only specific event id's from the machine, I have given the event id's in the winlogbeat.yml file

winlogbeat.event_logs:
  - name: Security
    event_id: 4612, 4625, 4648, 4672, 4673, 4719, 4720, 4723, 4738, 4740, 4742

But I am receiving the other event id's with respect to security log name and below is the list,
5156, 5145, 4658, 4661, 4634, 4624, 5158 etc..

I have read this documentation and in that it mentioned like this option is only available on supporting the windows log event API.

Does the windows server 2012 operating system doesn't support this feature?

Please let me your thoughts it would be very helpful.

Thanks,
Ganeshbabu R

adrisr · June 5, 2018, 8:56am

I have tested it using Winlogbeat 5.6.9 and the configuration you provided, under Windows server 2012 and it is working as intended, with only those event_ids being reported.

I don't see any entry in the changelog related to this, but it wouldn't hurt to upgrade to 5.6.9.

If the problem still persist, can you share a DEBUG log?

r.ganeshbabu · June 5, 2018, 7:17pm

Hi @adrisr

Sorry its my mistake and after your response I rechecked the event data and I found that the other event id's are older ones.

Thanks for your response.

Regards,
Ganeshbabu R

system · July 3, 2018, 7:17pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.