I'm using Winlogbeat on DCs that are in different languages (English and Spanish).
Looking at event.outcome, I realized that it was missing in the events coming from the DC set to Spanish.
That is because event.outcome is populated in the security module based on the text coming in the winlog.keywords field, which apparently depends on the language.
My question is: how is winlog.keywords generated in the events? Because in the raw event we only have the keywords field with:
0x8010000000000000 -> Indicates Failure
0x8020000000000000 -> Indicates Success
Would it be better to preserve the original values in order not to be language-dependent?
(and modify the mapping in the security module)
@andrewkroh, what do you think?
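
The difference described in the post, as an added example that is not part of the original post and is not Winlogbeat's own code: it derives event.outcome once from the rendered keyword text and once from the raw keywords mask. The function names, the event shape and the sample events (including the Spanish keyword strings) are constructed for illustration; the two bit constants are taken from the raw values quoted in the post.

```javascript
// Hypothetical helper names; this is not the security module's code.
// Bits that differ between the two raw masks quoted in the post.
const AUDIT_FAILURE = 0x0010000000000000n; // set in 0x8010000000000000
const AUDIT_SUCCESS = 0x0020000000000000n; // set in 0x8020000000000000

// Language-dependent: match the rendered keyword text (English strings only).
function outcomeFromText(keywords) {
  if (!Array.isArray(keywords)) return undefined;
  if (keywords.includes("Audit Success")) return "success";
  if (keywords.includes("Audit Failure")) return "failure";
  return undefined; // localized text never matches
}

// Language-independent: test bits of the raw keywords mask from the event.
function outcomeFromMask(rawKeywords) {
  if (typeof rawKeywords !== "string" ||
      !/^0x[0-9a-fA-F]{1,16}$/.test(rawKeywords)) {
    return undefined; // missing or malformed mask: do not guess
  }
  const mask = BigInt(rawKeywords); // 64-bit value, needs BigInt
  const failure = (mask & AUDIT_FAILURE) !== 0n;
  const success = (mask & AUDIT_SUCCESS) !== 0n;
  if (failure === success) return undefined; // neither or both bits set
  return success ? "success" : "failure";
}

// Constructed sample events: same raw masks, different rendered text.
const SAMPLE_EVENTS = [
  { host: "dc-en", keywords: ["Audit Failure"], raw: "0x8010000000000000" },
  { host: "dc-en", keywords: ["Audit Success"], raw: "0x8020000000000000" },
  { host: "dc-es", keywords: ["Error de auditoría"], raw: "0x8010000000000000" },
  { host: "dc-es", keywords: ["Auditoría correcta"], raw: "0x8020000000000000" },
];

// Returns both results per event so the gap on the Spanish DC is visible.
function compareOutcomes(events) {
  return events.map((e) => ({
    host: e.host,
    byText: outcomeFromText(e.keywords),
    byMask: outcomeFromMask(e.raw),
  }));
}

console.table(compareOutcomes(SAMPLE_EVENTS));
```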