More Windows Event logs than what I need

Hey all,

We had requests to start gathering Windows event logs for Graylog and would appreciate it if anyone could put me on the right track, since as of now we hadn't bothered with Windows logs yet.

I want to get only certain types of logs, Event ID 4624 for example. The input logon event in the collector config is: `[{'name':'Security', 'event_ID':'4624'}]`

The problem is that this gets all sorts of event IDs, all Security, but way more than just the 4624 ID that I want.

I could drop those messages with a pipeline rule easily enough, but I'd rather learn if there is a way to control that through the collector config. Otherwise, if I were to need three or four different IDs that happen to be in different areas of the event names, I don't want to end up pulling ALL the events into Graylog.

Thanks,
Stephen

You can configure Winlogbeat to only forward a specific set of Windows Events:
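As an added illustration (not part of the original reply), this is what such a Winlogbeat configuration looks like: the `event_id` option under `winlogbeat.event_logs` is compiled by Winlogbeat into the subscription query, so the filtering happens on the Windows host and only the listed IDs ever reach Graylog. The Graylog host name and the second log entry are assumed placeholders; the Beats input in Graylog is fed through Winlogbeat's `output.logstash` section.

```yaml
# winlogbeat.yml (added example, not from the thread)
winlogbeat.event_logs:
  # One entry per Windows event channel. Each entry carries its own
  # whitelist, so several IDs spread over different channels do not
  # force you to forward a whole channel.
  - name: Security
    # Comma-separated list: single IDs, ranges, and a leading "-" to
    # exclude an ID that would otherwise be matched by a range.
    # 4624 = successful logon, 4625 = failed logon, 4648 = explicit-credential logon
    event_id: 4624, 4625, 4648
    ignore_older: 72h      # skip backlog older than 3 days on first start

  - name: System
    # Assumed second channel to show the per-channel whitelist;
    # 7045 = new service installed, 104 = event log cleared.
    event_id: 104, 7045

  - name: Microsoft-Windows-PowerShell/Operational
    # Ranges and exclusions in one expression (4100-4106 minus 4102).
    event_id: 4100-4106, -4102

# Anything that still slips through can be dropped on the host before
# it is sent, which is cheaper than a Graylog pipeline rule.
processors:
  - drop_event:
      when:
        not:
          has_fields: ["winlog.event_id"]

# Graylog's Beats input speaks the Logstash/Beats protocol.
output.logstash:
  hosts: ["graylog.example.com:5044"]   # placeholder, replace with your Graylog node
```

Verify the result with `winlogbeat.exe test config -c winlogbeat.yml` on the host, then watch the Beats input in Graylog: only the listed `winlog.event_id` values should appear.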

Thanks, I’ll take a look at those :slight_smile:

Thanks @jochen

So the answer is to use the snippets for a more granular configuration :smiley:
