Which logs to collect?
To troubleshoot DirectAccess and collect the relevant logs, you can use the following Winlogbeat configuration. Besides the Security log it reads the IP Helper (Iphlpsvc), Base Filtering Engine and WinNat operational channels, and it renames the remote-address field of the BFE connection events so it does not collide with the field name used by the other channels:
```yaml
winlogbeat.event_logs:
  - name: Security
  - name: Microsoft-Windows-Iphlpsvc/Operational
  - name: Microsoft-Windows-Base-Filtering-Engine-Connections/Operational
    # Per-event-log processors: rename the BFE connection field
    # RemoteIPAddress to RemoteIP for this channel only.
    processors:
      - rename:
          fields:
            - from: "winlog.event_data.RemoteIPAddress"
              to: "winlog.event_data.RemoteIP"
          ignore_missing: true   # events without the field are passed through unchanged
          fail_on_error: false   # never drop an event because the rename failed
  - name: Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational
  - name: Microsoft-Windows-WinNat/Oper
```
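Winlogbeat can only ship from channels that exist on the host and are enabled, and operational channels such as the Base Filtering Engine ones are often switched off. The following PowerShell snippet is an added example, not part of the original post or of Winlogbeat: it takes the channel names from the configuration above, reports which ones are missing or disabled, and enables the disabled ones. Run it in an elevated session on the DirectAccess server before starting Winlogbeat.

```powershell
# Added example: check and enable the event log channels used in the Winlogbeat config above.
# Requires an elevated PowerShell session (enabling a channel is an administrative change).
$channels = @(
    'Security',
    'Microsoft-Windows-Iphlpsvc/Operational',
    'Microsoft-Windows-Base-Filtering-Engine-Connections/Operational',
    'Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational',
    'Microsoft-Windows-WinNat/Oper'
)

foreach ($name in $channels) {
    # Get-WinEvent -ListLog returns an EventLogConfiguration object for the channel
    $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
    if (-not $log) {
        Write-Warning "Channel '$name' does not exist on this host; Winlogbeat will report an error for it."
        continue
    }

    if (-not $log.IsEnabled) {
        Write-Host "Enabling channel '$name' (it was disabled)"
        $log.IsEnabled = $true
        $log.SaveChanges()
    }

    # Record count and size limit show whether a busy channel rolls over before Winlogbeat reads it
    '{0,-70} enabled={1} records={2} maxSizeMB={3}' -f $name,
        $log.IsEnabled, $log.RecordCount, [math]::Round($log.MaximumSizeInBytes / 1MB)
}
```

After the channels are enabled, validate the configuration file itself with `winlogbeat test config -c winlogbeat.yml` before starting the service; a typo in a channel name or in the processor block is reported there rather than at runtime.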