Elastic Integration - Looking for a way to ingest custom Windows Event Logs

[ocarey1327]

Version

2.4.40

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

8

RAM

32

Storage for /

500

Storage for /nsm

500

Network Traffic Collection

tap

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Currently SO doesn't have support for the Custom Windows Event Logs integrations.

Until this is supported, is there anyway I can ingest a couple of custom Event Viewer logs? Mainly the terminal server related ones. I can see that the Custom Logs integration is supported. But I'm struggling with the config

Any help is greatly appreciated

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[ocarey1327]

I know we can do this with winlogbeat... but it's not listed under our SOC console under Downloads. Only the Elastic Agent is.

I understand that the Elastic Agent is better in most cases, but can we still use winlogbeat for edge cases like this?

[ocarey1327]

Disregard this post!

Custom Windows Event Logs integration is present in 2.40.50