Hi, I'd like to log my Microsoft Defender events (EventID 1116) so that when malware is detected, I get it on my Graylog server.
The problem is that with Server 2016/Windows 10, there are too many logs for a simple input (with the 256 limit).
So I decided to filter some, and to only get some of them:
<Input in>
    Module im_msvistalog
    # Multi-line Query value: each line except the last ends with a backslash
    Query <QueryList>\
        <Query Id="0">\
            <Select Path="Application">*</Select>\
            <Select Path="System">*</Select>\
            <Select Path="Security">*</Select>\
            <Select Path="Windows PowerShell">*</Select>\
            <Select Path="Microsoft-Windows-Windows Defender/Operational">*</Select>\
        </Query>\
    </QueryList>
</Input>
I receive my Application, System, Security, and PowerShell events in Graylog, but not my Windows Defender events.
I tried to generate logs multiple times with some EICAR files; the logs appear in the Event Viewer, but nothing appears in my Graylog server.
Any help please? :) Thanks
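As an added example (not part of the post above or of the nxlog project's own documentation), here is how the same im_msvistalog input can be narrowed to just the Defender detection events, using the standard Windows Event Log XPath filter on EventID instead of the `*` wildcard, and forwarded to Graylog as GELF. Event ID 1116 is "malware detected" and 1117 is "action taken on malware"; the Graylog host 192.0.2.10 and port 12201 are placeholder assumptions.

```apache
# Added example config for nxlog, not the original poster's config.
# Goal: ship only Microsoft Defender detection events (1116/1117)
# to Graylog, so the input stays well under the per-input limit.

<Extension gelf>
    Module      xm_gelf
</Extension>

<Input defender>
    Module      im_msvistalog
    # Windows Event Log XPath: select only the Defender event IDs we care about.
    # Each Query line except the last must end with a backslash (nxlog syntax).
    Query <QueryList>\
        <Query Id="0">\
            <Select Path="Microsoft-Windows-Windows Defender/Operational">\
                *[System[(EventID=1116 or EventID=1117)]]\
            </Select>\
        </Query>\
    </QueryList>
</Input>

<Output graylog>
    Module      om_udp
    # Placeholder Graylog GELF UDP input address (assumption).
    Host        192.0.2.10
    Port        12201
    OutputType  GELF
</Output>

<Route defender_to_graylog>
    Path        defender => graylog
</Route>
```

To check the filter independently of nxlog, the same XPath can be pasted into Event Viewer's "Filter Current Log" XML tab, or queried with `wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /q:"*[System[(EventID=1116)]]" /c:5 /f:text`; if events show there but not in Graylog, the problem is on the forwarding side rather than the query.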