Elasticsearch / ELK: winlogbeat configuration for Direct Access

Which logs to collect?

To troubleshoot Direct Access and collect the important logs, you could use the following winlogbeat-Configuration

winlogbeat.event_logs:
- name: Security
- name: Microsoft-Windows-Iphlpsvc/Operational
- name: Microsoft-Windows-Base-Filtering-Engine-Connections/Operational processors:
    rename: fields:
         from: "winlog.event_data.RemoteIPAddress"
         to: "winlog.event_data.RemoteIP"
         ignore_missing: true
         fail_on_error: false
- name: Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational
- name: Microsoft-Windows-WinNat/Oper

Leave a Reply

Your email address will not be published. Required fields are marked *