Miss the field winlog.keywords in ForwardedEvents event_logs

all the security Events have the the field winlog.keywords but ForwardedEvents don't Forward it.

How can i configure the winlogbeat.yml file that the ForwardedEvents fordward the field winlog.keywords ?

winlog.keywords is required: False
How can i make it true?

Try to use inlude_fields but it doesn' work

  • name: ForwardedEvents
    - include_fields:
    has_fields: ["winlog.computer_name"]
    fields: ["winlog.keywords"]

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.