Winlogbeat - only new logs?

How do I configure Winlogbeat to only read new data? I'm adding my DC's to our SIEM, and it's reading all of the audit data on the box. Taking a lot to process it. I'd like to avoid this issue as I add new servers. TIA.

Did you configure the ignore_older option? What does your config looks like?

With ignore_older you can tell winlogbeat to ignore logs that are older than the specified time.

For example:

  - name: Application
    ignore_older: 2h

This will ignore anything from the Application event log type that are older than 2 hours.

AHA! Thank you sir. I believe that's what I'm looking for.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.