Drop events using the sidecar collector

gsmith · March 24, 2022, 11:53pm

Hello && Welcome @maiconjs

Perhaps this post may help

Sidecar configuration to filter event data for SubjectUserName - Windows - #5 by quinniedid

Or some type of configuration like this.

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h

  - name: System

  - name: Security
    event_id: 4625, 4626

  - name: Windows PowerShell
    event_id: 400, 403, 600, 800

  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106

Topic		Replies	Views
Graylog Sidecar Winlogbeat Drop Event New to Graylog Community? READ-ME FIRST Guides sidecar , windows , winlogbeat	2	257	June 8, 2024
Drop event_id how to Graylog Central (peer support) sidecar , winlogbeat	9	8523	March 22, 2018
Help with Winlogbeat config Graylog Central (peer support) sidecar , winlogbeat	3	3701	December 16, 2019
Sidecar configuration to filter event data for SubjectUserName - Windows Graylog Central (peer support) sidecar , winlogbeat	5	1738	August 4, 2021
Winlogbeat "publishes" fine but specific events aren't seen in Graylog Graylog Central (peer support) sidecar , winlogbeat	1	1055	April 13, 2021

Drop events using the sidecar collector

Related topics