Powershell template for Winlogbeat

[ChristopherKB]

What?

A suggestion came from the community to add a sample winlogbeat template for Powershell to go along with the other templates we provide.

Why?

Agent templates make adding new log sources easier and reduce support requests both in the community and in commercial support channels. The more sample configurations available, the better. Customer submitted this configuration as a possible starting point.

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
   hosts: ["graylog_server_name:5044"]

path.data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
path.logs: C:\Program Files\Graylog\sidecar\logs
path.module: C:\Program Files\Graylog\sidecar\module
 
winlogbeat.event_logs:

#PowerShell
   - name: Windows PowerShell
     event_id: 400, 403, 600, 800
     ignore_older: 48h
     processors:
      - script:
          lang: javascript
          id: powershell
          file: C:\Program Files\Graylog\sidecar\module\powershell\config\winlogbeat-powershell.js
     
   - name: Microsoft-Windows-PowerShell/Operational
     event_id: 4100, 4103, 4104, 4105, 4106
     ignore_older: 48h
     processors:
      - script:
          lang: javascript
          id: powershell
          file: C:\Program Files\Graylog\sidecar\module\powershell\config\winlogbeat-powershell.js

Your Environment

• Graylog Version:
• OpenSearch Version:
• MongoDB Version:
• Operating System:
• Browser version: