Input Configuration
The winlogbeat.event_logs section of winlogbeat.yml controls which Windows event log channels are collected, how far back Winlogbeat reads historical events, and which event IDs are included or excluded.
winlogbeat.event_logs:
- name: Security
ignore_older: 168h
event_id: -4703
name β Channel to Monitorβ
Required. The full name of the Windows event log channel to collect from. Use the exact channel name as it appears in Event Viewer.
winlogbeat.event_logs:
- name: Application
- name: System
- name: Security
- name: Microsoft-Windows-Sysmon/Operational
- name: Microsoft-Windows-PowerShell/Operational
- name: "Windows PowerShell"
In Event Viewer, right-click a log and select Properties β the full channel name is shown in the Full Name field. Channel names containing spaces must be quoted in YAML.
To collect events from a saved .evtx file, provide the absolute path as the name value:
- name: C:\Investigations\collected_security.evtx
ignore_older β Historical Event Limitβ
Filters out events older than the specified duration. Valid units: ns, us, ms, s, m, h.
- name: Security
ignore_older: 168h # Only collect events from the last 7 days
ignore_older on High-Volume ChannelsWithout ignore_older, Winlogbeat will attempt to ship all historical events when first deployed. On a host with years of Security or System logs, this can flood the Logstash pipeline and delay real-time event collection for the entire mission. Setting 168h (7 days) is the 262COS default.
event_id β Include/Exclude Specific Event IDsβ
Whitelist or blacklist specific event IDs within a channel. Values are comma-separated and support:
- Single ID to include:
4624 - Range to include:
4700-4800 - Single ID to exclude (prefix with
-):-4703
# Only collect specific BITS events
- name: Microsoft-Windows-Bits-Client/Operational
event_id: 3,4,59,60
# Collect all PowerShell events except known noise IDs
- name: Microsoft-Windows-PowerShell/Operational
event_id: -8193,-8194,-8195,-8196,-8197,-12039
Windows limits event log queries to 22 conditions. If more than 22 event IDs need filtering, use a drop_event processor instead:
- name: Security
processors:
- drop_event.when.not.or:
- equals.winlog.event_id: 4624
- equals.winlog.event_id: 4625
- equals.winlog.event_id: 4648
# ... add as many as needed, no limit
This filter is applied after Winlogbeat receives events from Windows, so it bypasses the 22-condition Windows API restriction.
provider β Filter by Event Sourceβ
Filters events by provider (source name) within a channel. Useful when a channel aggregates events from multiple sources and only specific sources are relevant.
- name: Application
provider:
- Application Error
- Application Hang
- Windows Error Reporting
- EMET
tags β Label Events for Downstream Filteringβ
Adds custom tags to all events collected from a channel. Tags are appended to the tags field in the forwarded event and can be used for filtering in Kibana or Logstash.
- name: ForwardedEvents
tags: [forwarded]
The forwarded tag is used by the add_host_metadata processor to skip adding local host metadata to events that originated on a different host (Windows Event Forwarding scenarios).
processors β Per-Channel Processingβ
Processors apply transformations or filtering logic to events from a specific channel before they are forwarded. The most common use in the 262COS config is running the Winlogbeat JavaScript modules for Security and Sysmon enrichment.
- name: Security
processors:
- script:
lang: javascript
id: security
file: ${path.home}/module/security/config/winlogbeat-security.js
- name: Microsoft-Windows-Sysmon/Operational
processors:
- script:
lang: javascript
id: sysmon
file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
These JavaScript modules normalize and enrich event fields to align with the Elastic Common Schema (ECS), making events easier to parse and correlate in Kibana.