Hello,
I am a newbie to Kibana, Elasticsearch and the rest of the tools in the stack.
So I'm not sure whether the problem is with Winlogbeat.
I have installed Winlogbeat on my servers and I am getting the logs correctly. They are visible in the Discover tab in Elasticsearch, but I don't see all the system-generated logs there.
System event IDs 1102 or 104 are very important to me, as they indicate that the event log has been cleared, but I can't see these events in Elastic, among other things.
Below I have put the contents of my winlogbeat.yml file.
########################## Winlogbeat Configuration ############################
fields:
  company: TEST
  environment: production
  os_type: windows

# ======================== Winlogbeat specific options =========================
winlogbeat.event_logs:
  - name: Application
    ignore_older: 30m
  - name: Security
    ignore_older: 30m
  - name: System
    ignore_older: 30m
  - name: Microsoft-windows-sysmon/operational
    ignore_older: 30m
  - name: Microsoft-windows-PowerShell/Operational
    ignore_older: 30m
    event_id: 4103, 4104
  - name: Windows PowerShell
    event_id: 400,600
    ignore_older: 30m
  - name: Microsoft-Windows-WMI-Activity/Operational
    event_id: 5857,5858,5859,5860,5861

# ====================== Elasticsearch template settings =======================
setup.template:
  name: "windows"
  pattern: "windows-*"
  settings.index.number_of_shards: 1

# ================================== Outputs ===================================
output:
  logstash:
    enabled: true
    hosts: ["XXX.XXX.XX.XX:5044"]
    index: "windows-test-%{+yyyy.MM.dd}"
    ssl:
      enabled: false

# ================================= Processors =================================
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
Thanks for the help in advance
Maciej
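An added check, not part of Maciej's post and not Winlogbeat's own code, that a practitioner would run on one of the servers before looking further up the pipeline: confirm that the log-clear events exist in the local channels at all. Event 1102 ("The audit log was cleared") is written to the Security log and event 104 ("The System log file was cleared") to the System log, both by the provider Microsoft-Windows-Eventlog, and both channels are subscribed to in the configuration above. One caveat worth keeping in mind while testing: `ignore_older: 30m` makes Winlogbeat drop events older than 30 minutes at the time it reads them, so a clear that happened well before Winlogbeat was started on that host is never shipped; clearing a log while Winlogbeat is running is the test that matters. The 7-day lookback and the `-MaxEvents` cap below are assumptions.

```powershell
# Added example, not from the original post or from Winlogbeat itself.
# Lists the "log cleared" events present on this host:
#   1102 in the Security log (provider Microsoft-Windows-Eventlog)
#    104 in the System   log (provider Microsoft-Windows-Eventlog)
# Run from an elevated PowerShell session; reading the Security log needs admin.
# The lookback window and -MaxEvents cap are assumptions, adjust as needed.

function Find-LogClearEvents {
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),
        [int]$MaxEvents = 50
    )

    # Filtering on ProviderName keeps out unrelated providers that also use ID 104.
    $filters = @(
        @{ LogName = 'Security'; ProviderName = 'Microsoft-Windows-Eventlog'; Id = 1102; StartTime = $Since },
        @{ LogName = 'System';   ProviderName = 'Microsoft-Windows-Eventlog'; Id = 104;  StartTime = $Since }
    )

    foreach ($f in $filters) {
        # Get-WinEvent raises a non-terminating "No events were found" error when
        # nothing matches; silence it and report the empty result explicitly.
        $events = Get-WinEvent -FilterHashtable $f -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
        if (-not $events) {
            Write-Warning ("No event {0} in the {1} log since {2}" -f $f.Id, $f.LogName, $Since)
            continue
        }
        foreach ($e in $events) {
            [pscustomobject]@{
                Log         = $f.LogName
                Id          = $e.Id
                TimeCreated = $e.TimeCreated
                Provider    = $e.ProviderName
                # First line of the rendered message, e.g. "The audit log was cleared."
                Summary     = ([string]$e.Message -split "`r?`n")[0]
            }
        }
    }
}

Find-LogClearEvents | Format-Table -AutoSize
```

If the events appear here but not in Elastic, the gap is between the channel and the output: check the Winlogbeat log and its registry file, and whether the event was older than the `ignore_older` window when Winlogbeat first read the channel. If they do not appear here, the log was cleared before the lookback window or auditing on that host is not producing them, and no Winlogbeat setting will change that. `winlogbeat.exe test config -c winlogbeat.yml` and `winlogbeat.exe test output -c winlogbeat.yml` are the quickest way to rule out a configuration or connectivity problem on the Winlogbeat side.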