winlogbeat/docs: improve event_logs.name docs #34931

Merged
merged 1 commit into from
Mar 28, 2023
3 changes: 2 additions & 1 deletion CHANGELOG.next.asciidoc
Expand Up @@ -59,7 +59,7 @@ https://github.com/elastic/beats/compare/v8.2.0\...main[Check the HEAD diff]
- Fix race condition when stopping runners {pull}32433[32433]
- Fix concurrent map writes when system/process code called from reporter code {pull}32491[32491]
- Fix panics when a processor is closed twice {pull}34647[34647]
- Update elastic-agent-system-metrics to v0.4.6 to allow builds on mips platforms. {pull}[]
- Update elastic-agent-system-metrics to v0.4.6 to allow builds on mips platforms. {pull}34931[34931]

*Auditbeat*

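Review bot: the `{pull}34931[34931]` reference has been attached to the wrong entry; the elastic-agent-system-metrics v0.4.6 line describes an unrelated change, and this PR (per its title and the files it touches) only edits the winlogbeat documentation. Leave that line as it was and put the number on the new Winlogbeat entry below, which is the one currently shipping with an empty `{pull}[]`.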
Expand Down Expand Up @@ -169,6 +169,7 @@ automatic splitting at root level, if root level element is an array. {pull}3415
- Fix handling of event data with keys containing dots. {issue}34345[34345] {pull}34549[34549]
- Gracefully handle channel not found errors. {issue}30201[30201] {pull}34605[34605]
- Clarify query term limits warning and remove link to missing Microsoft doc page. {pull}34715[34715]
- Improve documentation for event_logs.name configuration. {pull}[]

*Functionbeat*

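Review bot: the new entry ends in an empty `{pull}[]` reference, so the rendered changelog will link to nothing; it should read `- Improve documentation for event_logs.name configuration. {pull}34931[34931]`, which is where the number placed on the elastic-agent-system-metrics line in the hunk above belongs.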
47 changes: 24 additions & 23 deletions winlogbeat/docs/winlogbeat-options.asciidoc
Expand Up @@ -112,29 +112,12 @@ reading additional event log records.
==== `event_logs.name`

The name of the event log to monitor. Each dictionary under `event_logs` must
have a `name` field, except for those which use a custom XML query. You can
get a list of available event logs by running `Get-EventLog *` in PowerShell.
Here is a sample of the output from the command:

[source,sh]
--------------------------------------------------------------------------------
PS C:\Users\vagrant> Get-EventLog *

Max(K) Retain OverflowAction Entries Log
------ ------ -------------- ------- ---
20,480 0 OverwriteAsNeeded 75 Application
20,480 0 OverwriteAsNeeded 0 HardwareEvents
512 7 OverwriteOlder 0 Internet Explorer
20,480 0 OverwriteAsNeeded 0 Key Management Service
20,480 0 OverwriteAsNeeded 1,609 Security
20,480 0 OverwriteAsNeeded 1,184 System
15,360 0 OverwriteAsNeeded 464 Windows PowerShell
--------------------------------------------------------------------------------

Channel names can also be specified if running on Windows Vista or newer. A
channel is a named stream of events that transports events from an event source
to an event log. Most channels are tied to specific event publishers. Here is an
example showing how to list all channels using PowerShell.
have a `name` field, except for those which use a custom XML query.
A channel is a named stream of events that transports events from an event
source to an event log. Most channels are tied to specific event publishers.
You can get a list of available event logs by using the PowerShell
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent[`Get-WinEvent`] cmdlet
on Windows Vista or newer. Here is a sample of the output from the command:

[source,sh]
--------------------------------------------------------------------------------
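Review bot: the rewritten paragraph ends with "Here is a sample of the output from the command" but no longer shows which `Get-WinEvent` invocation produced it, while the `Get-EventLog *` block further down still opens with its command line; add the exact command used to enumerate logs (`Get-WinEvent -ListLog *` is the listing form of the cmdlet) at the top of the output block so readers can reproduce it. The removed text also stated that a channel name is a valid `name` value; the new paragraph defines what a channel is but never says that `event_logs.name` accepts one, so a sentence such as "The `name` may be a classic log name or a channel name." would restore that.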
Expand All @@ -154,6 +137,24 @@ LogName : Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
...
--------------------------------------------------------------------------------

If `Get-WinEvent` is not available, the https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog[`Get-EventLog`] cmdlet can be used in its
place.

[source,sh]
--------------------------------------------------------------------------------
PS C:\Users\vagrant> Get-EventLog *

Max(K) Retain OverflowAction Entries Log
------ ------ -------------- ------- ---
20,480 0 OverwriteAsNeeded 75 Application
20,480 0 OverwriteAsNeeded 0 HardwareEvents
512 7 OverwriteOlder 0 Internet Explorer
20,480 0 OverwriteAsNeeded 0 Key Management Service
20,480 0 OverwriteAsNeeded 1,609 Security
20,480 0 OverwriteAsNeeded 1,184 System
15,360 0 OverwriteAsNeeded 464 Windows PowerShell
--------------------------------------------------------------------------------

You must specify the full name of the channel in the configuration file.

[source,yaml]
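Review bot: "can be used in its place" overstates the fallback. The `Get-EventLog *` output in this hunk lists only the classic logs (Application, Security, System, ...), whereas the `Get-WinEvent` listing above includes channel names such as `Microsoft-Windows-Windows Firewall With Advanced Security/Firewall`, which do not appear in the `Get-EventLog` output; say explicitly that `Get-EventLog` enumerates only the classic event logs and that channel names must come from `Get-WinEvent`, otherwise a user may conclude a channel does not exist because it is missing from this list. Minor: the block is a PowerShell session but is tagged `[source,sh]`; `[source,powershell]` would be the consistent choice.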