After you have run the script and your server has been configured as a Windows Event Forwarding (WEF) collector with Elasticsearch, Kibana and Winlogbeat installed, it is time to dig into Kibana and start extracting information.
You probably have already checked the default Winlogbeat dashboard:
But for deep searching and event filtering you have to use the “Discover” section of Kibana.
In “Discover” you can search for a specific Event ID, for example:
To do that, in the search bar you first select the field to search on, in this case "winlog.event_id"; next you choose whether you want an exact match (":") or a looser comparison (a "like"-style match, for example); and then you type the Event ID you are looking for. The resulting query reads, for example, "winlog.event_id : 4720" (4720 is "A user account was created").
The matching events are listed below the search bar, and you can expand each one to see the details of that event:
The “Message” field contains the details of the event, that is, the text Windows rendered for it, which is also what a word search against the message matches on.
It is also possible to search for a specific word in the message of the event:
In this case I used the event message as the source field ("winlog.event_data.Detail"); since I did not want an exact match I used “Like” as the filtering criterion, and searched for “NewUser4” (a user account I had created a few minutes earlier).
Once again, the details of the event were correctly shown in the “Message” field.
It is even possible to combine several conditions into a single query, joined with “and”, to make the search even more specific, for example the Event ID together with the account name:
Only 16 records were found.
One last thing: don’t forget to set the time filter correctly. Discover defaults to the last 15 minutes, so an event logged an hour ago will not show up, however good the query is.
The time picker next to the search bar accepts a specific date or a time range, and you can also restrict “@timestamp” directly inside the query if you need to.
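The three searches above (exact Event ID, a word in the message, and both combined with a time range) are the same thing Kibana sends to Elasticsearch on your behalf. The following is an added example, not code from the original post: it renders each search both as the KQL string you would type into Discover and as the Elasticsearch Query DSL body Kibana generates, and applies the same filters to a handful of constructed Winlogbeat-style documents so you can check the expected hit count without a running cluster. Field names follow the Winlogbeat layout used above ("winlog.event_id", "winlog.event_data.*", "message", "@timestamp"); the sample events are constructed, not real logs; and the local matcher only approximates analyzed text fields (it splits on non-word characters and lower-cases), so it does not model the exact, case-sensitive matching of keyword fields. The es_search helper assumes an Elasticsearch reachable at http://localhost:9200 and is not exercised here.

```python
"""Kibana Discover searches for Winlogbeat events, as KQL, as Query DSL and as a local filter."""
import json
import re
import urllib.request
from datetime import datetime

# Constructed Winlogbeat-style documents (not real log data). Timestamps carry an
# explicit offset so datetime.fromisoformat() accepts them on Python 3.7+.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-05-01T10:00:00+00:00",
     "winlog": {"event_id": "4720", "event_data": {"TargetUserName": "NewUser4"}},
     "message": "A user account was created.\n\nNew Account:\n\tAccount Name:\tNewUser4"},
    {"@timestamp": "2024-05-01T10:03:00+00:00",
     "winlog": {"event_id": "4624", "event_data": {"TargetUserName": "NewUser4"}},
     "message": "An account was successfully logged on.\n\nNew Logon:\n\tAccount Name:\tNewUser4"},
    {"@timestamp": "2024-05-01T10:07:00+00:00",
     "winlog": {"event_id": "4720", "event_data": {"TargetUserName": "svc_backup"}},
     "message": "A user account was created.\n\nNew Account:\n\tAccount Name:\tsvc_backup"},
    {"@timestamp": "2024-04-20T09:00:00+00:00",  # older than the time range used below
     "winlog": {"event_id": "4720", "event_data": {"TargetUserName": "NewUser4"}},
     "message": "A user account was created.\n\nNew Account:\n\tAccount Name:\tNewUser4"},
]


def kql(event_id=None, text=None, text_field="message", start=None, end=None):
    """Render the search as a KQL string for the Discover search bar ("*" = everything)."""
    parts = []
    if event_id is not None:
        parts.append(f"winlog.event_id : {event_id}")
    if text is not None:
        parts.append(f'{text_field} : "{text}"')
    if start is not None:
        parts.append(f'@timestamp >= "{start}"')
    if end is not None:
        parts.append(f'@timestamp <= "{end}"')
    return " and ".join(parts) or "*"


def query_dsl(event_id=None, text=None, text_field="message", start=None, end=None):
    """Render the same search as the Elasticsearch Query DSL body Kibana sends for it."""
    filters = []
    if event_id is not None:
        # winlog.event_id is a keyword field in the Winlogbeat index template: match it as a string.
        filters.append({"term": {"winlog.event_id": str(event_id)}})
    if text is not None:
        # A "contains this word" search on an analyzed text field is a match_phrase clause.
        filters.append({"match_phrase": {text_field: text}})
    if start is not None or end is not None:
        rng = {}
        if start is not None:
            rng["gte"] = start
        if end is not None:
            rng["lte"] = end
        filters.append({"range": {"@timestamp": rng}})
    return {"query": {"bool": {"filter": filters}}, "sort": [{"@timestamp": "desc"}]}


def _tokens(s):
    """Rough stand-in for the standard analyzer: word characters only, lower-cased."""
    return [t.lower() for t in re.findall(r"\w+", s)]


def _get(doc, path):
    """Resolve a dotted field path such as winlog.event_data.TargetUserName."""
    cur = doc
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def local_search(docs, event_id=None, text=None, text_field="message", start=None, end=None):
    """Apply the same filters to in-memory documents and return the matching ones."""
    lo = datetime.fromisoformat(start) if start else None
    hi = datetime.fromisoformat(end) if end else None
    phrase = _tokens(text) if text is not None else None
    hits = []
    for doc in docs:
        if event_id is not None and str(_get(doc, "winlog.event_id")) != str(event_id):
            continue
        if phrase is not None:
            value = _get(doc, text_field)
            toks = _tokens(value) if isinstance(value, str) else []
            n = len(phrase)
            if not any(toks[i:i + n] == phrase for i in range(len(toks) - n + 1)):
                continue
        ts = datetime.fromisoformat(doc["@timestamp"])
        if (lo is not None and ts < lo) or (hi is not None and ts > hi):
            continue
        hits.append(doc)
    return hits


def es_search(body, base_url="http://localhost:9200", index="winlogbeat-*"):
    """POST a Query DSL body to a real cluster (assumed at base_url; not exercised offline)."""
    req = urllib.request.Request(f"{base_url}/{index}/_search", data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    args = dict(event_id=4720, text="NewUser4",
                start="2024-05-01T00:00:00+00:00", end="2024-05-01T23:59:59+00:00")
    print("KQL:", kql(**args))
    print("DSL:", json.dumps(query_dsl(**args), indent=2))
    print("local hits:", len(local_search(SAMPLE_EVENTS, **args)))
```

Run it as is to see the KQL and the generated DSL; swap text_field for "winlog.event_data.Detail" to reproduce the search from the text, and pass query_dsl(...) to es_search once a collector is actually up. The time-range filter is the one people forget: the last constructed event matches both the Event ID and the account name but is dropped by the date range, which is exactly what a wrong time picker does in Discover.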