Specific Windows Event Logs (Non Standard)

Hi Guys

We are successfully collecting logs from standard Windows Event Logs such as Application and System. On a Windows host, you find these logs listed under "Windows Logs" in the Event Viewer.

In Event Viewer, you can expand Applications and Services Logs, then expand Microsoft, expand Windows, and you find a whole raft of specific logs …

If I wanted to log messages from the TerminalServices-LocalSessionManager > Operational log … is that possible?

What I've tried, and which hasn't worked: on the Windows machine, I can see the event log lives under %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx, the same location as the System and Application logs. So I defined a Beats Input to collect events from a log called Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational, but that isn't collecting the messages …

Any idea?

Thanks

Did you look at this blog post?

https://www.graylog.org/blog/83-back-to-basics-enhance-windows-security-with-sysmon-and-graylog

This might help you

Thank you! I will give it a go.

Looks like I need something along the lines of: `[{'name':'Microsoft-Windows-Sysmon/Operational'}]`
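As an added example (not from the original thread or from Winlogbeat's own documentation), the following PowerShell script derives the event log channel name from the .evtx file name, confirms with the Event Log service that the channel exists and is enabled, and prints the `winlogbeat.event_logs` entry to use. The default path is the one quoted above; `ignore_older` is a standard Winlogbeat option, and the 72h value is an assumption.

```powershell
# Added example: find the channel name Winlogbeat needs for a non-standard log.
# The .evtx file name encodes "/" as "%4", so the file
#   Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
# belongs to the channel
#   Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
# Winlogbeat subscribes by channel name, not by file name.
param(
    [string]$EvtxPath = "$env:SystemRoot\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx"
)

# Strip the extension and decode %4 -> / to get the channel name
$channel = [IO.Path]::GetFileNameWithoutExtension($EvtxPath) -replace '%4', '/'

# Ask the Event Log service about the channel; fails if the name is wrong
$log = Get-WinEvent -ListLog $channel -ErrorAction Stop
"{0}`n  enabled: {1}`n  records: {2}`n  last written: {3}" -f `
    $log.LogName, $log.IsEnabled, $log.RecordCount, $log.LastWriteTime

# Several Applications and Services logs are disabled by default; nothing is
# collected from a disabled channel, so flag it
if (-not $log.IsEnabled) {
    Write-Warning "Channel is disabled; enable it with: wevtutil set-log `"$channel`" /enabled:true"
}

# Show the newest events so you know what the collector should be receiving
Get-WinEvent -LogName $channel -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ Name = 'Message'; Expression = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

# Emit the Winlogbeat fragment for winlogbeat.yml (or the Sidecar configuration).
# 72h is an assumed value for how far back to read on first start.
@"
winlogbeat.event_logs:
  - name: $channel
    ignore_older: 72h
"@
```

Run it as a user with read access to the channel; the printed fragment uses the `/` form of the name, which is what the Sidecar-managed Winlogbeat configuration expects.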

Have a look at the Winlogbeat configuration reference about Elasticsearch: