I'm using winlogbeat to transfer data logs from event viewer. However, I have a problem with the timestamp. I'm not sure if it carry over the timestamp from the original log. Or is it overwriting during the indexing of data to elasticsearch.
I am not sure I understand your question. Let me know if this reply does not answer your question.
Winlogbeat preserves the timestamp of event logs from Windows and stores it under the field @timestamp. If you selected that field in ES as a timestamp, you should have no problem. Winlogbeat puts the time of creating an event internally (in Winlogbeat) in the field event.created. So you can have both read time and the timestamp of the event.
Yes. You got my question right.
I check my data and there are duplicates. The same timestamp. I assumed that maybe the timestamp is when the data indexed into ES.
Since you said that Winlogbeat preserves the timestamp of the event logs from Windows, I'll need to check another cause for data duplication.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.