Are there best practices for Elastic Agent and event forwarding in Windows domains?
Scenario:
We collect Windows events from domain members via Windows Event Forwarding (WEF). On the collecting machine (WEC) Winlogbeat is installed and processes the "ForwardedEvents" channel. The logs are sent to ELK infrastructure (Logstash). The setup is based on Elastic documentation (Ingest Windows Event Logs via WEC & WEF | Elastic Blog).
Plan:
We replaced Winlogbeat with Elastic Agent (Windows integration with only "ForwardedEvents" channel).
Problem:
As expected the agent is writing all events into one data stream (logs-winlog.forwarded-<namespace>). The problem is that all builtin rules for Windows are using either the Winlogbeat index or the special data streams Elastic Agent creates for each log channel (e.g. logs-winlog-powershell-<namespace>). Thereby, no alarms are triggered for ingested forwarded events.
I am interested also in opinions and the best way to proceed here in a sustainable way.
Many thanks in advance