How do I configure Winlogbeat to only read new data? I'm adding my DC's to our SIEM, and it's reading all of the audit data on the box. Taking a lot to process it. I'd like to avoid this issue as I add new servers. TIA.
Did you configure the ignore_older option? What does your config look like?
With ignore_older you can tell winlogbeat to ignore logs that are older than the specified time.
For example:
```yaml
winlogbeat.event_logs:
  - name: Application
    ignore_older: 2h
```
This will ignore anything from the Application event log that is older than 2 hours.
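As an added illustration that is not part of the reply above, here is how that setting extends to the event logs a domain controller typically forwards. Everything below is an assumption for the example: the `Security`, `System` and `Application` log names, the `72h` window, and the `output.elasticsearch` host are placeholders to adjust for your environment.

```yaml
# Assumed example winlogbeat.yml for a domain controller on first enrollment.
# Every channel gets its own ignore_older so the initial run skips the
# historical backlog instead of replaying the whole audit history.
winlogbeat.event_logs:
  - name: Security
    ignore_older: 72h        # skip Security events older than 3 days on first read
  - name: System
    ignore_older: 72h
  - name: Application
    ignore_older: 72h

output.elasticsearch:
  hosts: ["https://siem.example.internal:9200"]   # placeholder SIEM endpoint
```

Two points worth keeping in mind when using this on new servers. First, `ignore_older` only limits how far back Winlogbeat looks; once it has run, it records its read position per channel in its registry file and resumes from there on the next start, so the window mainly matters for the first run on a freshly enrolled host. Second, the Security log on a domain controller is the one most likely to hold a large backlog, so that is the channel where a tight window saves the most SIEM processing, while a very short window (minutes) risks dropping events if the agent is stopped for longer than that.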
AHA! Thank you sir. I believe that's what I'm looking for.