I have created a new configuration in Graylog, in which I configured winlogbeat in input & output, and I also tried creating a snippet for winlogbeat to allow only specific event IDs for the “security” log name.
Below is the syntax I used from this URL,
    winlogbeat.event_logs:
      - name: Security
        event_id: 4624, 4625, 4700-4800, -4735
When I started the collector sidecar, the configuration changes were applied to the generated winlogbeat.yml, and below are the changes in the yml file,
I also tried changing the syntax in the snippet as given below,
    winlogbeat:
      event_logs:
        - name: Security
          event_id: 4670, 4688
After saving, the changes were reflected in the generated winlogbeat.yml file,
Please kindly share your thoughts and correct me if I am doing anything wrong; it would be helpful.