Skip to main content

Introduction


Revision History​

DateAuthorSummary
18-JUN-2022TSgt. BernadotteInitial draft
12-DEC-2022TSgt. BernadotteReformatted
19-MAR-2026CW2 BernadotteConverted to markdown; restructured; added channel reference and tuning guidance

Purpose​

The purpose of this aid is to provide operators with the knowledge necessary to tune the Winlogbeat configuration (winlogbeat.yml) to collect the right Windows event logs β€” including which channels to monitor, which event IDs to include or exclude, and how to configure output to the DIP Logstash pipeline.


End-State​

  • Operators can read and modify winlogbeat.yml to add, remove, or filter Windows event log channels.
  • Operators understand the key configuration options (name, ignore_older, event_id, provider, tags, processors) and can apply them appropriately.
  • Operators can configure the Logstash output to correctly target the DIP External IP.
  • Operators understand the rationale behind the 262COS/DOK base config event channel and event ID selections.

Requirements​

  1. Access to the winlogbeat.yml configuration file:
    • Pre-deployment: /opt/tfplenum/agent_pkgs/winlogbeat/templates/winlogbeat.yml on the DIP Controller (master config used by TFPlenum agent deployer).
    • Post-deployment: C:\Program Files\Winlogbeat\winlogbeat.yml on the deployed host.
  2. DIP External IP address for output configuration.
  3. A text editor with YAML syntax support. (YAML is whitespace-sensitive β€” use spaces, not tabs.)

Considerations​

  • Tune before deployment when possible. Identify the environment's logging baseline (existing EDR, SIEM, log volume) and adjust channels and event IDs before pushing the config.
  • The TFPlenum master config at /opt/tfplenum/agent_pkgs/winlogbeat/templates/winlogbeat.yml is what gets deployed to hosts. Modifying it on the controller affects all future deployments β€” always test changes on a single host first.
  • Post-deployment changes to C:\Program Files\Winlogbeat\winlogbeat.yml require a Winlogbeat service restart to take effect. This can be done at scale using 262COS-CVAH_Agent_Deployer-SCRIPT-001 IAW 262COS-HA-SOP-002.
  • The 262COS config omits SSL certificate file references (ca.crt, tls.crt, tls.key) intentionally β€” if the DIP is rebuilt, certificates are regenerated and agents pinned to old cert files will fail to reconnect. Use ssl.verification_mode: "none" instead.
  • Event ID limit: Windows limits event log queries to 22 conditions. If more than 22 event IDs need filtering, use a drop_event processor instead of the event_id option.
  • ignore_older: Always set ignore_older on high-volume channels. Without it, Winlogbeat will attempt to collect all historical events on first deployment, which can overwhelm the Logstash pipeline.