Winlogbeat.yml should specify the "api" attribute is available


After two days of attempting to change the code of Winlogbeat to access the logs of a remote SAN integrating the Windows Event Log API, I realized that the SAN was using the old "eventlogging" API.

While trying to integrate the old "eventlogging" API, I found out that in the "winlogbeat/eventlog/factory.go" file, there are keys to specify which API you want to use: "eventlog" and "eventlogging", which are the old API and the "new" API.

After adding that in "winlogbeat.yml", I succeeded to received the logs:

  - name: Security
    api: eventlogging

However, I had to change the code in "eventlogging.go" to add the option to use "OpenEventLog" for remote logs. I will create another topic about that.


This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.