Field 'Logon ID' not available

smmaalam · March 21, 2019, 4:09pm

Hi everyone,

I'm using Kibana 5.0 for visualizing Windows Event Logs like the following:

My Problem is, that there are two Logon ID's and Kibana is using the first one to be a field, but I need the second one for filtering. What can I do? Do I have to change the mapping in ElasticSearch? I'm new to the ELK-Stack. =)

Thanks in advance!

Marius_Dragomir · March 22, 2019, 12:03pm

Hello,
What are you using to ingest the Windows Event Logs in kibana? There might be a way to filter that ID out in order to have it as a separate field for you.

smmaalam · March 22, 2019, 4:36pm

Hello Marius,

we are using Wazuh Agents to collect the data und had to change the decoders. Thank you for your help but the Problem is solved. =)

Marius_Dragomir · March 25, 2019, 12:05pm

It would be cool if you could share how you fixed the problem, for anybody else that might hit this snag.

system · April 22, 2019, 12:16pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.