Hello,
I need some orientation with my issue :
- Description : I have an ELK stack version 7.6 that collects event logs from different log sources via logstash. All endpoints (windows ends linux) send logs to logstash then logstash frowards them to Elasticsearch. No actions are done by logstash this is only so that I can have a global index under "ecs-organisation-*". Lately, after installation of sysmon on some windows server, I noticed that all the fields are populated except for process.command_line. First i thought this is only related to winlogbeat but after exploring auditbeat logs i found the same issue, meaning I can see fields like process.args, process.executable, process.working_directory populated with values except for process.command_line.
- Mapping : I use the ecs mapping template from github for all the data coming to elasticsearch. the template is applied on indexes starting sith ecs-*. I have no mapping conflicts regarding the field process.command_line.
- Data is indexed as follow :
- The field value is sent by the endpoint and included in message :
- All the other fields are extracted :
- Except for process.command_line :
Before i go and reindex my data. I would love to understand what can cause this kind of situation.
Thank you so much for all the help you're providing.