@duzvik
Created November 5, 2024 14:25
Gist: duzvik/fd4ea7a6ff5226d8864959f6069d6c14
winlogbeat.event_logs:
  - name: Application
    ignore_older: 240m
  - name: Security
    ignore_older: 240m
  - name: System
    ignore_older: 240m
  - name: Microsoft-Windows-Sysmon/Operational
    ignore_older: 240m
  - name: Microsoft-Windows-PowerShell/Operational
    ignore_older: 240m
    # 4103 = module logging (pipeline execution), 4104 = script block logging.
    # Both only appear when the matching PowerShell logging policy is enabled;
    # with the defaults this channel ships almost nothing.
    event_id: 4103, 4104
  - name: Windows PowerShell
    # 400 = engine state changed to Available (session start), 600 = provider lifecycle started
    event_id: 400, 600
    ignore_older: 240m
  - name: Microsoft-Windows-WMI-Activity/Operational
    # 5857 provider loaded, 5858 operation failure, 5859 permanent event subscription activity,
    # 5860 temporary event consumer registered, 5861 permanent consumer binding created
    # (5861 is the usual signal for WMI event-subscription persistence).
    # No ignore_older here, so winlogbeat starts from the beginning of the channel on first run.
    event_id: 5857, 5858, 5859, 5860, 5861

output.kafka:
  # Plaintext to the broker on 9092; the kafka output also accepts ssl.* settings and
  # SASL username/password if the broker is not on a trusted segment.
  hosts: ["IPADDRESS:9092"]
  topic: "winlogbeat"
  max_retries: 2
  max_message_bytes: 1000000
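A pre-flight check for this configuration, added here as an example and not part of the gist itself. It confirms on the target host that each configured channel exists and is enabled, counts how many of the listed event IDs were written in the last 240 minutes (the `ignore_older` window), checks the two PowerShell logging policies that 4103/4104 depend on, and then lets winlogbeat parse the YAML and try the Kafka broker. The install path `C:\Program Files\Winlogbeat` and the file name `winlogbeat.yml` are assumptions; run it from an elevated PowerShell session.

```powershell
# Added pre-flight check for the winlogbeat.yml above (example code, not from the gist).
# Assumptions: winlogbeat is installed in C:\Program Files\Winlogbeat and the config
# is saved there as winlogbeat.yml. Run elevated so the Security log is readable.

$BeatDir = 'C:\Program Files\Winlogbeat'   # assumed install path
$Config  = Join-Path $BeatDir 'winlogbeat.yml'

# Channels and event IDs exactly as configured in the gist; the first four entries
# take every event, so they carry no ID list.
$Channels = @(
    @{ Name = 'Application';                                Ids = $null },
    @{ Name = 'Security';                                   Ids = $null },
    @{ Name = 'System';                                     Ids = $null },
    @{ Name = 'Microsoft-Windows-Sysmon/Operational';       Ids = $null },
    @{ Name = 'Microsoft-Windows-PowerShell/Operational';   Ids = 4103, 4104 },
    @{ Name = 'Windows PowerShell';                         Ids = 400, 600 },
    @{ Name = 'Microsoft-Windows-WMI-Activity/Operational'; Ids = 5857, 5858, 5859, 5860, 5861 }
)
$Since = (Get-Date).AddMinutes(-240)   # mirrors ignore_older: 240m

foreach ($c in $Channels) {
    $log = Get-WinEvent -ListLog $c.Name -ErrorAction SilentlyContinue
    if (-not $log) {
        Write-Warning "channel '$($c.Name)' does not exist on this host (Sysmon not installed?)"
        continue
    }
    if (-not $log.IsEnabled) {
        Write-Warning "channel '$($c.Name)' exists but is disabled; winlogbeat will read nothing from it"
    }
    $filter = @{ LogName = $c.Name; StartTime = $Since }
    if ($c.Ids) { $filter['Id'] = $c.Ids }
    # Get-WinEvent reports "No events were found" as an error, hence SilentlyContinue.
    $n = @(Get-WinEvent -FilterHashtable $filter -MaxEvents 1000 -ErrorAction SilentlyContinue).Count
    '{0,-48} enabled={1,-5} events in last 240m (capped at 1000)={2}' -f $c.Name, $log.IsEnabled, $n
}

# 4104 needs Script Block Logging and 4103 needs Module Logging; both live under the
# PowerShell policy key and are off by default.
$PolicyBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$sbl = Get-ItemProperty -Path "$PolicyBase\ScriptBlockLogging" -ErrorAction SilentlyContinue
$mod = Get-ItemProperty -Path "$PolicyBase\ModuleLogging"      -ErrorAction SilentlyContinue
'ScriptBlockLogging (4104): {0}' -f $(if ($sbl.EnableScriptBlockLogging -eq 1) { 'enabled' } else { 'NOT enabled' })
'ModuleLogging      (4103): {0}' -f $(if ($mod.EnableModuleLogging -eq 1)      { 'enabled' } else { 'NOT enabled' })

# Let winlogbeat itself validate the YAML (catches lost indentation and unknown fields)
# and attempt a connection to the Kafka broker; 'test output' needs IPADDRESS:9092 reachable.
& (Join-Path $BeatDir 'winlogbeat.exe') test config -c $Config -e
& (Join-Path $BeatDir 'winlogbeat.exe') test output -c $Config -e
```

A channel that exists but reports zero events for its ID list is the common failure: the config is valid, winlogbeat starts cleanly, and nothing reaches the `winlogbeat` topic because the logging policy behind those IDs was never enabled.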