Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Winlogbeat - Select events by level, event_id, and provider #1218

Merged
merged 3 commits into from
Mar 29, 2016

Conversation

andrewkroh
Copy link
Member

This PR adds the ability to do select specific events from a single log. This is implemented using an event log query.

Sample Winlogbeat Config:

winlogbeat:
  event_logs:
    - name: Security
      include_xml: true
      level: info
      event_id: 4624, 4625, 4648, 4735, 4728, 4732, 4756, 4740
      provider:
        - Microsoft-Windows-Security-Auditing

XPath Query Used by Winlogbeat:

<QueryList>
  <Query Id="0">
    <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or 
                  EventID=4648 or EventID=4735 or EventID=4728 or EventID=4732 or 
                  EventID=4756 or EventID=4740) and (Level = 0 or Level = 4) and 
                  Provider[@Name='Microsoft-Windows-Security-Auditing']]]
    </Select>
  </Query>
</QueryList> 

@@ -18,7 +18,6 @@ env:
- TARGETS="-C libbeat testsuite"
- TARGETS="-C topbeat testsuite"
- TARGETS="-C filebeat testsuite"
- TARGETS="-C winlogbeat testsuite"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a reason to completely remove it?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The system tests are all (now) skipped unless the OS is windows so I want it removed to use less Travis resources.

@ruflin
Copy link
Contributor

ruflin commented Mar 24, 2016

Doesn't this require also an updates to beat.yml ?

@andrewkroh
Copy link
Member Author

Yeah, I should update beat.yml with the new options. 👍 Will do.

@andrewkroh andrewkroh force-pushed the feature/wlb-query-filters branch from cf7258c to 7dd3926 Compare March 24, 2016 16:19
@andrewkroh
Copy link
Member Author

I updated the config file to include a mention of all the configuration options and added a link to the documentation.

@andrewkroh andrewkroh force-pushed the feature/wlb-query-filters branch 2 times, most recently from 8fdc19c to 42f1249 Compare March 25, 2016 00:44
Add documentation of the include_xml option
Add new FAQ question
Format lines that extended beyond 80 characters
@andrewkroh andrewkroh force-pushed the feature/wlb-query-filters branch from 42f1249 to eac9894 Compare March 28, 2016 16:04
Use ucfg to unpack eventlog API config
All system tests now require Windows.
Add ignore_older filtering to eventlogging API since it is not provided by Windows
Change expected time.ParseDuration error message due to ucfg change
@andrewkroh andrewkroh force-pushed the feature/wlb-query-filters branch from eac9894 to 10da1ce Compare March 28, 2016 18:29
@tsg
Copy link
Contributor

tsg commented Mar 29, 2016

LGTM, merging.

@tsg tsg merged commit cef0177 into elastic:master Mar 29, 2016
@andrewkroh andrewkroh deleted the feature/wlb-query-filters branch March 30, 2016 18:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants