delete all windows events from SO

[IzacFrank]

Dear all,

My all 38 servers' windows events are sent to one server and from there I forwarded them to SO with Winlogbeat. I have two issues.

I see that all local server logs are also forwarded (by mistake I forwarded them but then removed them from winlogbeat yml file and restarted the service they are still forwarded.) I like to delete all windows and sysmon events from SO. How can I do that?

I also see that some of the forwarded logs from some servers exist in Windows Event Viewer but they are not forwarded to SO. For example, I have subscriptions from 38 servers but I see only 19 of them on SO. How can I force forward all events from all servers? (Hopefully deleting all Windows events and starting from scratch will solve the issue.)

My config is like the one below.
Thank you very much in advance.

[InfosecGoon]

So, just to make sure I understand, you are using Winlogbeat on a WEF Subscription Server to send Forwarded Events into Security Onion, but only about half of the originating servers are represented?

Do they all have the same subscription settings?

When you say the forwarded logs exist in Event Viewer, do you mean on the original server or on the WEF subscription server?

[IzacFrank]

Hello @InfosecGoon
Thank you for your message.
Yes, I'm using Winlogbeat on a WEF Subscription Server to send Events into Security Onion and only half of the servers are represented (23 of 38).

Yes, they exist in the WEF subscription server. All of the servers have the same settings when forwarding events.

[InfosecGoon]

That's strange. Do the unrepresented servers have anything in common (version of Windows Server, for example)? Are the clocks properly synchronized across all the servers?

[IzacFrank]

Some are 2016 and some are 2019 servers. They are domain members and their time is the same.

Do you think I can delete Windows logs and start again? How?

Thanks again.