Winlogbeat - Select events by level, event_id, and provider #1218

Merged
merged 3 commits into from Mar 29, 2016

3 participants
@andrewkroh
Member

andrewkroh commented Mar 23, 2016

This PR adds the ability to select specific events from a single log. This is implemented using an event log query.

Sample Winlogbeat Config:

winlogbeat:
  event_logs:
    - name: Security
      include_xml: true
      level: info
      event_id: 4624, 4625, 4648, 4735, 4728, 4732, 4756, 4740
      provider:
        - Microsoft-Windows-Security-Auditing

XPath Query Used by Winlogbeat:

<QueryList>
  <Query Id="0">
    <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or 
                  EventID=4648 or EventID=4735 or EventID=4728 or EventID=4732 or 
                  EventID=4756 or EventID=4740) and (Level = 0 or Level = 4) and 
                  Provider[@Name='Microsoft-Windows-Security-Auditing']]]
    </Select>
  </Query>
</QueryList>
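The mapping from the config block to the XPath query is small enough to show end to end. The following is an added example written for this page, not Winlogbeat's own code: the `Query` type, its field names and the `ignore_older`-to-`timediff()` clause are this example's assumptions, and the level keywords other than `info` are assumed to follow the usual Windows level numbers (critical=1, error=2, warning=3, verbose=5). It also rejects quote and bracket characters in provider and log names so that a config value cannot widen the selection beyond what the query literal intends, and it produces the exact `<QueryList>` shown above for the sample config.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Query holds the per-log filters from the config above. Field and type
// names are this example's own, not Winlogbeat's; IgnoreOlder stands in
// for the ignore_older option mentioned in the commit list.
type Query struct {
	Name        string
	EventIDs    []int
	Level       string
	Providers   []string
	IgnoreOlder time.Duration
}

// levelValues maps the config keyword to the numeric System/Level values of
// the Windows event log. "info" also matches Level 0 (LogAlways), which is
// why the query in the PR description reads "(Level = 0 or Level = 4)".
var levelValues = map[string][]int{
	"critical": {1}, "error": {2}, "warning": {3},
	"info": {0, 4}, "information": {0, 4}, "verbose": {5},
}

// checkLiteral rejects characters that would let a config value break out
// of the XPath string literal or the XML attribute it is embedded in, so a
// provider name such as "x' or @Name='y" cannot widen the selection.
func checkLiteral(v string) error {
	if strings.ContainsAny(v, `'"<>&[]`) {
		return fmt.Errorf("value %q contains characters not allowed in a query literal", v)
	}
	return nil
}

// Select returns the XPath selector ("*" when no filter is configured).
func (q Query) Select() (string, error) {
	var conds []string

	if len(q.EventIDs) > 0 {
		parts := make([]string, 0, len(q.EventIDs))
		for _, id := range q.EventIDs {
			parts = append(parts, "EventID="+strconv.Itoa(id))
		}
		conds = append(conds, "("+strings.Join(parts, " or ")+")")
	}

	if q.Level != "" {
		vals, ok := levelValues[strings.ToLower(q.Level)]
		if !ok {
			return "", fmt.Errorf("unknown level %q", q.Level)
		}
		parts := make([]string, 0, len(vals))
		for _, v := range vals {
			parts = append(parts, "Level = "+strconv.Itoa(v))
		}
		conds = append(conds, "("+strings.Join(parts, " or ")+")")
	}

	if len(q.Providers) > 0 {
		parts := make([]string, 0, len(q.Providers))
		for _, p := range q.Providers {
			if err := checkLiteral(p); err != nil {
				return "", err
			}
			parts = append(parts, "@Name='"+p+"'")
		}
		conds = append(conds, "Provider["+strings.Join(parts, " or ")+"]")
	}

	// timediff() is evaluated by the event log service in milliseconds.
	if q.IgnoreOlder > 0 {
		ms := int64(q.IgnoreOlder / time.Millisecond)
		conds = append(conds, fmt.Sprintf("TimeCreated[timediff(@SystemTime) <= %d]", ms))
	}

	if len(conds) == 0 {
		return "*", nil
	}
	return "*[System[" + strings.Join(conds, " and ") + "]]", nil
}

// Build wraps the selector in the QueryList document the Windows API accepts.
func (q Query) Build() (string, error) {
	if q.Name == "" {
		return "", errors.New("event log name is required")
	}
	if err := checkLiteral(q.Name); err != nil {
		return "", err
	}
	sel, err := q.Select()
	if err != nil {
		return "", err
	}
	return "<QueryList>\n  <Query Id=\"0\">\n    <Select Path=\"" + q.Name + "\">" +
		sel + "</Select>\n  </Query>\n</QueryList>", nil
}

func main() {
	// The Security log example from the PR description.
	q := Query{
		Name:      "Security",
		EventIDs:  []int{4624, 4625, 4648, 4735, 4728, 4732, 4756, 4740},
		Level:     "info",
		Providers: []string{"Microsoft-Windows-Security-Auditing"},
	}
	xml, err := q.Build()
	if err != nil {
		panic(err)
	}
	fmt.Println(xml)
}
```

Running it prints the same `<QueryList>` as in the description. The `checkLiteral` step is the part worth keeping in mind when the filter values come from a config file: XPath string literals have no escape sequence for the quote that delimits them, so rejecting the character is simpler and safer than trying to escape it.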
@@ -18,7 +18,6 @@ env:
- TARGETS="-C libbeat testsuite"
- TARGETS="-C topbeat testsuite"
- TARGETS="-C filebeat testsuite"
- TARGETS="-C winlogbeat testsuite"
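Review bot: The hunk removes `- TARGETS="-C winlogbeat testsuite"` from the Travis env matrix with nothing in the file saying why; since the header shows a plain deletion (7 lines to 6), a one-line comment in `.travis.yml` noting that the winlogbeat system tests are Windows-only and are covered by the AppVeyor check would keep a later contributor from re-adding the target as an apparent oversight.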

@ruflin

ruflin Mar 24, 2016

Collaborator

Is there a reason to completely remove it?

@andrewkroh

andrewkroh Mar 24, 2016

Member

The system tests are all (now) skipped unless the OS is Windows, so I want it removed to use less Travis resources.

@ruflin

ruflin commented Mar 24, 2016

Collaborator

Doesn't this also require an update to beat.yml?

@andrewkroh

andrewkroh commented Mar 24, 2016

Member

Yeah, I should update beat.yml with the new options. 👍 Will do.

@andrewkroh

andrewkroh commented Mar 24, 2016

Member

I updated the config file to include a mention of all the configuration options and added a link to the documentation.

andrewkroh added some commits Mar 23, 2016

Add documentation of the event log query options
Add documentation of the include_xml option
Add new FAQ question
Format lines that extended beyond 80 characters
Add query by event ID, level, provider, and age (time)
Use ucfg to unpack eventlog API config
All system tests now require Windows.
Add ignore_older filtering to eventlogging API since it is not provided by Windows
Change expected time.ParseDuration error message due to ucfg change
@tsg

tsg commented Mar 29, 2016

Collaborator

LGTM, merging.

@tsg tsg merged commit cef0177 into elastic:master Mar 29, 2016

4 checks passed

CLA Commit author has signed the CLA
continuous-integration/appveyor/pr AppVeyor build succeeded
continuous-integration/travis-ci/pr The Travis CI build passed
default Merged build finished.

@andrewkroh andrewkroh deleted the andrewkroh:feature/wlb-query-filters branch Mar 30, 2016
