Mapping Winlogbeat old version to newest ECS

Hi, I have hundreds of Windows servers in production with a variety of Windows versions, from Windows Server 2003 to Windows Server 2019.

I tried to install Winlogbeat 7.12.1 on Windows Server 2003, but an error always comes up, so I use Winlogbeat 6.4.3 and it works well there.

So here is my question. Winlogbeat 6.4.3 to Winlogbeat 7.12.1 is quite a jump in versioning, and I'm sure there are some changes in the index mapping. Is there any strategy I can follow to make the logs from Windows Server 2003, shipped by Winlogbeat 6.4.3 to Logstash, exactly the same as logs from Winlogbeat 7.12.1 before they are indexed in Elasticsearch?

The only way I can think of is to use the mutate filter in Logstash and rename each field, but I don't know all the fields that I must rename and their mapping to the latest ECS fields. Maybe there's another workaround for this?

Thank you

Can anyone please help me?

I believe you're correct, and using Logstash to rename the fields would be the workaround.

Another item to be aware of - when working with Windows Server 2003, you'll likely run into the log message parameters not being named. There's a detailed explanation from a past discussion here.
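To make the rename workaround concrete, here is an added Logstash filter (example code, not from this thread or from Elastic) that moves the common Winlogbeat 6.x top-level fields to the winlog.* and ECS names that Winlogbeat 7.x emits. The field pairs follow the Winlogbeat 7.0 breaking-changes rename list but are not exhaustive, and the `[beat][version]` guard assumes the 6.4.3 events still carry the default `beat.*` fields; compare the output against a real 7.12.1 document before relying on it.

```logstash
# Added example: rename Winlogbeat 6.x fields to the 7.x winlog.* / ECS layout
# before indexing. Pairs follow the 7.0 rename list; module fields not covered.
filter {
  # Only touch events from the old shippers; 7.x events already use winlog.*.
  # Assumes 6.x events still carry beat.version (the default).
  if [beat][version] =~ /^6\./ {
    mutate {
      rename => {
        "[activity_id]"         => "[winlog][activity_id]"
        "[computer_name]"       => "[winlog][computer_name]"
        "[event_data]"          => "[winlog][event_data]"
        "[event_id]"            => "[winlog][event_id]"
        "[keywords]"            => "[winlog][keywords]"
        "[log_name]"            => "[winlog][channel]"
        "[level]"               => "[log][level]"
        "[message_error]"       => "[error][message]"
        "[opcode]"              => "[winlog][opcode]"
        "[process_id]"          => "[winlog][process][pid]"
        "[provider_guid]"       => "[winlog][provider_guid]"
        "[record_number]"       => "[winlog][record_id]"
        "[related_activity_id]" => "[winlog][related_activity_id]"
        "[source_name]"         => "[winlog][provider_name]"
        "[task]"                => "[winlog][task]"
        "[thread_id]"           => "[winlog][process][thread][id]"
        "[user_data]"           => "[winlog][user_data]"
        "[version]"             => "[winlog][version]"
        # 6.x user.* is the event's subject; 7.x keeps it under winlog.user.*
        "[user]"                => "[winlog][user]"
        # 6.x shipper metadata beat.* became agent.* in 7.x
        "[beat][hostname]"      => "[agent][hostname]"
        "[beat][name]"          => "[agent][name]"
        "[beat][version]"       => "[agent][version]"
      }
    }
    # 7.x also exposes the event ID as the ECS keyword event.code and sets
    # host.name; derive both so 6.x and 7.x documents query the same way.
    # A second mutate is needed because copy runs before rename completes.
    mutate {
      copy => {
        "[winlog][event_id]"      => "[event][code]"
        "[winlog][computer_name]" => "[host][name]"
      }
      add_field => { "[agent][type]" => "winlogbeat" }
    }
    # event.code is a keyword in ECS, while 6.x event_id is numeric.
    mutate {
      convert => { "[event][code]" => "string" }
    }
  }
}
```

Drop the filter into the pipeline between the beats input and the Elasticsearch output; 7.12.1 events fail the version guard and pass through untouched.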

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.