Hello All,
I'm having an issue where it seems the same events keeps getting pushed to Logstash (or kibana/es?). When I look for an Event ID in Discovery, I see a lot of the same event occurrences, with the same timestamp and same winlog.record_id. To me, it seems like the exact same event, there is no difference between them, except that _id and document_number is different.
I assume it isn't suppose to be like that right? Because it's pushing an insane amount of logs this way. Also it makes it hard to create visuals this way as I can't really see how often, for example, a failed logon occurred.
Is it possible to filter out duplicate winlog.record_id or something of the kind?
Or have any idea what could be the issue?