I am working on the configuration to collect the domain controllers' logs: it seems that winlogbeat is slower than the rate at which the logs are generated.
So all the Security logs going to my Elastic have a one-hour delay (due to the parameter "ignore_older: 1h") and some logs are lost. The logs from the other channels (System, Application, ...) arrive on time.
I use version 6.2.4, but I also have the problem with the latest version (6.5.4).
After this filter, I do some processing to filter these logs and remove the noise, but it seems to be unrelated to this delay. What could be the cause of my problem?
Here is my configuration:

winlogbeat.event_logs:    # parent key implied by the per-channel fields below
  - name: Security
    batch_read_size: 512
    ignore_older: 1h
    event_id: 1100-1102,4608-4662,4667,4672-4675,4688-4693,4697-4713,4719-4742,4754-4758,4764-4769,4771-4780

output.kafka:
  enabled: true
  topic: windows_ad
  compression: snappy
  retry.backoff: 5s
  bulk_max_size: 2048

Do you guys have the same issue? How can I solve it?
Regards,