How does Winlogbeat work exactly, in short?
Like what parameters, or depending on what conditions, or in what specific intervals is data shipped from the client to the ELK server?
As in Filebeat, there is scan_frequency, which is one of the conditions to ship the data.
Filebeat is mostly used to watch files on disk; this is why you have the scan_frequency, which is used to determine when we will look for new files on disk.
In the case of Winlogbeat, it uses the Windows Event Log API: it subscribes to specific channels and will receive events from them. You can use the Event Log Viewer to see the possible channels that you can register.
Concerning the frequency of sending events to Elasticsearch, it depends on two options: either we hit a timeout and flush the events to ES, or we reach the batch size defined in the elasticsearch output.
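As an added illustration (not part of the answer above, and not Winlogbeat's shipped default file), here is a minimal winlogbeat.yml that makes the two points concrete: the channel subscriptions that go through the Windows Event Log API, and the queue/output settings that decide when a batch is flushed. The Elasticsearch host, the channel list and the numeric values are assumptions chosen for the example.

```yaml
# Added example configuration, not from the original post.
# Assumes Elasticsearch is reachable at localhost:9200.

winlogbeat.event_logs:
  # Each entry is one channel subscription via the Windows Event Log API.
  # The names are the same ones listed in Event Viewer.
  - name: Security
    ignore_older: 72h        # on first run, skip events older than 72 hours
  - name: System
  - name: Application

# Events are buffered in the memory queue and flushed to the output when
# EITHER flush.min_events is reached OR flush.timeout elapses, whichever
# happens first. That is the "batch size or timeout" behaviour described above.
queue.mem:
  events: 4096
  flush.min_events: 512
  flush.timeout: 1s

output.elasticsearch:
  hosts: ["localhost:9200"]
  # Upper bound on the number of events sent in a single bulk request.
  bulk_max_size: 50
```

Lowering flush.timeout reduces the delay before a single event (for instance a high-value Security event) reaches Elasticsearch, at the cost of more, smaller bulk requests; raising flush.min_events and bulk_max_size does the opposite. Validate the file with `winlogbeat test config -c winlogbeat.yml` before restarting the service.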