
Winlogbeat - Select events by level, event_id, and provider #1218

Merged
merged 3 commits into from
Mar 29, 2016

Conversation

andrewkroh
Member

This PR adds the ability to select specific events from a single log. This is implemented using an event log query.

Sample Winlogbeat Config:

winlogbeat:
  event_logs:
    - name: Security
      include_xml: true
      level: info
      event_id: 4624, 4625, 4648, 4735, 4728, 4732, 4756, 4740
      provider:
        - Microsoft-Windows-Security-Auditing

XPath Query Used by Winlogbeat:

<QueryList>
  <Query Id="0">
    <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or 
                  EventID=4648 or EventID=4735 or EventID=4728 or EventID=4732 or 
                  EventID=4756 or EventID=4740) and (Level = 0 or Level = 4) and 
                  Provider[@Name='Microsoft-Windows-Security-Auditing']]]
    </Select>
  </Query>
</QueryList> 
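The mapping from the config above to the XPath query is mechanical, so here is an added example of how such a query builder can be written in Go. This is illustration code written for this page, not winlogbeat's own implementation: the EventLogFilter type and its field names are assumptions, "info" expands to Level 0 or 4 exactly as in the query shown, the other level names use the standard Windows level numbers as an assumed extension, and joining several providers with "or" inside Provider[...] is also an assumption since the PR only shows the single-provider form. It also rejects names containing quote or bracket characters, since a configured string is interpolated straight into the query text.

```go
package main

import (
	"fmt"
	"strings"
)

// EventLogFilter holds the per-log selection options from the PR description
// (level, event_id, provider). The struct and field names are an assumption
// made for this example; they are not winlogbeat's own types.
type EventLogFilter struct {
	Name      string   // event log name, e.g. "Security"
	Level     string   // "info", "warning", "error", "critical", "verbose" or "" for any
	EventIDs  []int    // event IDs to select; empty selects all
	Providers []string // provider names to select; empty selects all
}

// Numeric Windows event levels. "info" expands to 0 and 4 exactly as the
// query in the PR does; the other names use the standard Windows level
// numbers (1 Critical, 2 Error, 3 Warning, 5 Verbose), which is an assumption
// about how winlogbeat would map them.
var levelNumbers = map[string][]int{
	"critical": {1},
	"error":    {2},
	"warning":  {3},
	"info":     {0, 4},
	"verbose":  {5},
}

// orClause renders "(FIELD<sep>V1 or FIELD<sep>V2 ...)" or "" for no values.
func orClause(field, sep string, values []int) string {
	if len(values) == 0 {
		return ""
	}
	parts := make([]string, len(values))
	for i, v := range values {
		parts[i] = fmt.Sprintf("%s%s%d", field, sep, v)
	}
	return "(" + strings.Join(parts, " or ") + ")"
}

// safeName rejects characters that would let a configured string break out of
// the attribute or XPath literal it is inserted into. Config is trusted, but
// validating here keeps a typo from silently widening the selection.
func safeName(s string) error {
	if s == "" || strings.ContainsAny(s, "'\"<>&[]") {
		return fmt.Errorf("invalid name %q", s)
	}
	return nil
}

// BuildQuery turns the filter into the <QueryList> XML the Windows event log
// API consumes. With no filters set it selects every event in the log.
func BuildQuery(f EventLogFilter) (string, error) {
	if err := safeName(f.Name); err != nil {
		return "", err
	}
	var conds []string
	if c := orClause("EventID", "=", f.EventIDs); c != "" {
		conds = append(conds, c)
	}
	if f.Level != "" {
		nums, ok := levelNumbers[strings.ToLower(f.Level)]
		if !ok {
			return "", fmt.Errorf("unknown level %q", f.Level)
		}
		conds = append(conds, orClause("Level", " = ", nums))
	}
	if len(f.Providers) > 0 {
		names := make([]string, len(f.Providers))
		for i, p := range f.Providers {
			if err := safeName(p); err != nil {
				return "", err
			}
			names[i] = "@Name='" + p + "'"
		}
		// Several providers joined with "or" is an assumption; the PR only
		// shows the single-provider form.
		conds = append(conds, "Provider["+strings.Join(names, " or ")+"]")
	}
	selector := "*"
	if len(conds) > 0 {
		selector = "*[System[" + strings.Join(conds, " and ") + "]]"
	}
	return fmt.Sprintf(`<QueryList><Query Id="0"><Select Path="%s">%s</Select></Query></QueryList>`,
		f.Name, selector), nil
}

// SampleFilter is the Security log example from the PR description.
func SampleFilter() EventLogFilter {
	return EventLogFilter{
		Name:      "Security",
		Level:     "info",
		EventIDs:  []int{4624, 4625, 4648, 4735, 4728, 4732, 4756, 4740},
		Providers: []string{"Microsoft-Windows-Security-Auditing"},
	}
}

func main() {
	q, err := BuildQuery(SampleFilter())
	if err != nil {
		panic(err)
	}
	fmt.Println(q)
}
```

Running it prints the same selector as the query in the PR description, on one line. Filtering at the query level like this means events the beat does not need are never read from the log at all, which is the point of pushing level, event_id and provider into the XPath rather than dropping events after the fact.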

@@ -18,7 +18,6 @@ env:
- TARGETS="-C libbeat testsuite"
- TARGETS="-C topbeat testsuite"
- TARGETS="-C filebeat testsuite"
- TARGETS="-C winlogbeat testsuite"
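Review bot: dropping the `TARGETS="-C winlogbeat testsuite"` entry removes the whole winlogbeat testsuite target from the Travis matrix, not only the Windows-only system tests, so a Linux compile or unit-test break in winlogbeat would no longer be caught here; confirm that winlogbeat's unit tests and build still run in another job, or keep a unit-test-only target in this list.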
Member

Is there a reason to completely remove it?

Member Author

The system tests are all (now) skipped unless the OS is Windows, so I want it removed to use less Travis resources.

@ruflin
Member

ruflin commented Mar 24, 2016

Doesn't this also require an update to beat.yml?

@andrewkroh
Member Author

Yeah, I should update beat.yml with the new options. 👍 Will do.

@andrewkroh
Member Author

I updated the config file to include a mention of all the configuration options and added a link to the documentation.

@andrewkroh andrewkroh force-pushed the feature/wlb-query-filters branch 2 times, most recently from 8fdc19c to 42f1249 Compare March 25, 2016 00:44
Add documentation of the include_xml option
Add new FAQ question
Format lines that extended beyond 80 characters
Use ucfg to unpack eventlog API config
All system tests now require Windows.
Add ignore_older filtering to eventlogging API since it is not provided by Windows
Change expected time.ParseDuration error message due to ucfg change
@tsg
Contributor

tsg commented Mar 29, 2016

LGTM, merging.

@tsg tsg merged commit cef0177 into elastic:master Mar 29, 2016
@andrewkroh andrewkroh deleted the feature/wlb-query-filters branch March 30, 2016 18:04