Update winlogbeat-options.asciidoc #2919
@@ -149,6 +149,24 @@ winlogbeat.event_logs: | |
event_id: 4624, 4625, 4700-4800, -4735 | ||
-------------------------------------------------------------------------------- | ||
|
||
[WARNING] | ||
======================================= | ||
There is a limit on the query depth to prevent the possibility of a stack overflow from deep recursive queries. This limit is actually set to 22 filters. | ||
We need to avoid repeating content from other websites verbatim (the content is likely copyrighted). This sentence is taken directly from the Microsoft website: "There is a limit on the query depth to prevent the possibility of a stack overflow from deep recursive queries." It would be better anyhow to state this limitation in terms of what the user specifies in the Winlogbeat config. How about something like this: You can specify up to 22 event IDs. Specifying more than 22 event IDs may produce deep recursive queries that could result in a stack overflow. For more information, see https://support.microsoft.com/en-us/kb/970453. I didn't suggest edits to the text about the workaround because it sounds like you are still discussing the best approach to solving this issue.

Fixed.
||
|
||
More than 22 event id's should be handled with multiple monitors to the same name: | ||
FIXED
||
|
||
-------------------------------------------------------------------------------- | ||
you can add

Done
||
winlogbeat.event_logs: | ||
I investigated automatically splitting up the event IDs across two queries. It gets complicated due to the interactions with the suppress filters (e.g. -1, -2). I think we should wait until #1491 (comment) is implemented and in the meantime use the I don't want to recommend creating duplicate
||
- name: Security | ||
event_id: 4624, 4625, 4700-4800, -4735 .... | ||
- name: Security | ||
event_id: 4624, 4625, 4700-4800, -4735 .... | ||
-------------------------------------------------------------------------------- | ||
|
||
For more information around this, please visit https://support.microsoft.com/en-us/kb/970453. | ||
======================================= | ||
|
||
|
||
===== event_logs.level | ||
|
||
A list of event levels to include. The value is a comma-separated list of | ||
|
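Review bot: the two `- name: Security` entries in the example carry identical `event_id` lists, so the second monitor adds nothing and the pair would deliver every matching event twice; the lines after "More than 22 event id's should be handled with multiple monitors to the same name:" should show two entries with disjoint ID sets, repeating a suppression such as `-4735` in each entry because it only applies to the query it appears in. The warning also says "22 filters" while the next sentence says "22 event id's"; pick one term and state whether a range like `4700-4800` and a suppression each count toward the limit. Minor: "event id's" should read "event IDs", the trailing `....` reads as a placeholder rather than configuration, and a `[source,yaml]` tag above the dashed line would render the block as code.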
This is not the usual way to create warnings, but it might be difficult in this case because you have a code section in it. I'll wait for @dedemorton to suggest something.
This is valid asciidoc tagging. You could add
[source,yaml]
above the dashed line that starts the example to format the code correctly.
Keeping [WARNING] and added [source,yaml]
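As an added example, not Winlogbeat's own code, here is a small checker for the manual workaround the discussion settles on: it counts the filters in an `event_id` list against the 22-filter limit and, when the list is too long, splits it into several lists that share no include filter (so duplicate `event_logs` entries do not ship the same event twice) while repeating every suppression filter in each list. It assumes each comma-separated item (single ID, range, or `-ID` suppression) counts as one filter.

```python
"""Lint/split helper for Winlogbeat event_id lists (constructed example)."""
from typing import List

MAX_FILTERS = 22  # limit stated in the documentation change under review


def parse_event_ids(spec: str) -> List[str]:
    """Split an event_id string into its filter items.

    Items are comma-separated; an item is a single ID (4624), a range
    (4700-4800) or a suppression (-4735). Assumption for this example:
    each item counts as one filter against the 22-filter limit.
    """
    items = [item.strip() for item in spec.split(",") if item.strip()]
    for item in items:
        body = item[1:] if item.startswith("-") else item
        lo, _, hi = body.partition("-")
        if not lo.isdigit() or (hi and not hi.isdigit()):
            raise ValueError(f"malformed event_id item: {item!r}")
    return items


def filter_count(spec: str) -> int:
    """Number of filters the given event_id list would produce."""
    return len(parse_event_ids(spec))


def split_event_ids(spec: str, limit: int = MAX_FILTERS) -> List[str]:
    """Split an over-long event_id list into lists that each fit the limit.

    Suppressions (-NNNN) apply only to the query they sit in, so every
    chunk repeats all of them; include items are handed out without
    overlap so that the resulting entries never match the same event.
    """
    items = parse_event_ids(spec)
    suppress = [i for i in items if i.startswith("-")]
    include = [i for i in items if not i.startswith("-")]
    room = limit - len(suppress)  # include filters that fit beside them
    if room < 1:
        raise ValueError("too many suppressions to fit any include filter")
    chunks = []
    for start in range(0, len(include), room):
        chunks.append(", ".join(include[start:start + room] + suppress))
    return chunks
```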