How do I configure Winlogbeat to only read new data? I'm adding my DC's to our SIEM, and it's reading all of the audit data on the box. Taking a lot to process it. I'd like to avoid this issue as I add new servers. TIA.
Did you configure the ignore_older option? What does your config look like?
With ignore_older you can tell winlogbeat to ignore logs that are older than the specified time.
winlogbeat.event_logs:
  - name: Application
    ignore_older: 2h

This will ignore anything from the Application event log that is older than 2 hours.
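A fuller winlogbeat.yml fragment for a domain controller, added here as an illustration and not part of the reply above. The channel names are the standard Windows ones (Security is the channel that carries the audit events a DC generates); ignore_older is set per channel, and the output section is assumed.

```yaml
# Added example, not the original poster's config.
# Each channel gets its own ignore_older; events older than the
# window are dropped instead of being shipped to the SIEM.
winlogbeat.event_logs:
  - name: Security
    ignore_older: 2h
  - name: System
    ignore_older: 2h
  - name: Application
    ignore_older: 2h

# Assumed output section; replace with whatever the SIEM ingests.
output.logstash:
  hosts: ["logstash.example.internal:5044"]
```

Winlogbeat also keeps a per-channel bookmark in its registry file (the winlogbeat.registry_file setting), so after the first run it resumes from where it stopped rather than re-reading the channel; ignore_older only decides how much of the existing backlog is shipped when a new server is first added, and continues to filter out any event older than the window.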
AHA! Thank you sir. I believe that's what I'm looking for.