Hi all,
The goal is to have the time at which the raw log from Event Viewer was first generated inside the Windows event log. That way I will have two timestamps: one from the pipeline (@timestamp) and an event_created timestamp.
I have managed to get this working for the latest version of winlogbeat by adding the following processor to my winlogbeat.yml file:
```yaml
processors:
  - add_locale:
      format: abbreviation
```
This adds some fields like:
```json
"created": "2019-10-29T12:43:44.741Z", "timezone": "GMT", "kind": "event"
```
However, with version 6.3 (which is what we are currently using in prod), it only adds the local timezone instead of an actual timestamp.
Any ideas? Thanks in advance
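The two-timestamp comparison the post is after, as an added example that is not part of the original post: a small script that reads Winlogbeat JSON documents, computes the lag between `event.created` (when Windows wrote the record) and `@timestamp` (when the pipeline stamped it), and reports "unknown" for documents that carry only a timezone and no created timestamp, which is the 6.3 behaviour the post describes. The field names are taken from the fields shown in the post; the sample documents and the `winlog.event_id` values are constructed for this example.

```python
# Added example (not from the original post): compare event.created with
# @timestamp on Winlogbeat documents and handle documents that lack
# event.created. Field names follow those shown in the post; the sample
# events below are constructed for this example.
import json
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List, Optional

# Constructed sample documents. The first resembles a 7.x event carrying the
# fields listed in the post; the second mimics the 6.3 case described in the
# post, where only a timezone is added and no created timestamp exists.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    json.loads("""{"@timestamp": "2019-10-29T12:43:46.241Z",
        "event": {"created": "2019-10-29T12:43:44.741Z",
                  "timezone": "GMT", "kind": "event"},
        "winlog": {"event_id": 4624, "channel": "Security"}}"""),
    json.loads("""{"@timestamp": "2019-10-29T12:43:44.741Z",
        "event.timezone": "GMT",
        "winlog": {"event_id": 4625, "channel": "Security"}}"""),
]


def parse_ts(value: str) -> datetime:
    """Parse a Beats timestamp (RFC 3339 with a 'Z' suffix) into an aware UTC datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"  # fromisoformat needs an explicit offset
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:
        raise ValueError(f"timestamp without timezone: {value!r}")
    return ts.astimezone(timezone.utc)


def get_field(doc: Dict[str, Any], path: str) -> Optional[Any]:
    """Look up 'a.b.c' whether stored nested ({'a': {'b': ...}}) or as a dotted key."""
    if path in doc:
        return doc[path]
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def pipeline_lag(doc: Dict[str, Any]) -> Optional[timedelta]:
    """Return @timestamp minus event.created, or None when event.created is absent."""
    created = get_field(doc, "event.created")
    stamped = get_field(doc, "@timestamp")
    if created is None or stamped is None:
        return None
    return parse_ts(stamped) - parse_ts(created)


def summarize(docs: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """One row per document: event id, timezone, and lag in seconds (None if unknown)."""
    rows = []
    for doc in docs:
        lag = pipeline_lag(doc)
        rows.append({
            "event_id": get_field(doc, "winlog.event_id"),
            "timezone": get_field(doc, "event.timezone"),
            "lag_seconds": None if lag is None else lag.total_seconds(),
        })
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_EVENTS):
        print(row)
```

Run it against a file of exported documents by replacing `SAMPLE_EVENTS` with the parsed lines; a `None` lag flags exactly the documents where only a timezone made it through, so the script doubles as a check for which Winlogbeat version produced a given record.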