Field 'Logon ID' not available

smmaalam · March 21, 2019, 4:09pm

Hi everyone,

I'm using Kibana 5.0 for visualizing Windows Event Logs like the following:

My Problem is, that there are two Logon ID's and Kibana is using the first one to be a field, but I need the second one for filtering. What can I do? Do I have to change the mapping in ElasticSearch? I'm new to the ELK-Stack. =)

Thanks in advance!

Marius_Dragomir · March 22, 2019, 12:03pm

Hello,
What are you using to ingest the Windows Event Logs in kibana? There might be a way to filter that ID out in order to have it as a separate field for you.

smmaalam · March 22, 2019, 4:36pm

Hello Marius,

we are using Wazuh Agents to collect the data und had to change the decoders. Thank you for your help but the Problem is solved. =)

Marius_Dragomir · March 25, 2019, 12:05pm

It would be cool if you could share how you fixed the problem, for anybody else that might hit this snag.

system · April 22, 2019, 12:16pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Some windows event ID message cant be displayed in kibana? Kibana	4	952	August 10, 2016
Cannot add new field from event type Logstash	3	612	November 14, 2019
Kibana : field event_id not available in bucket (from winlogbeat) Kibana	2	787	May 18, 2020
Windows log visualization for a number of events per day Kibana	3	2740	December 9, 2019
Logstash - No Cached mapping Logstash	5	606	March 26, 2019

Field 'Logon ID' not available

Related Topics