Number of hosts displayed in Kibana dashboard (is wrong)

In my cluster configuration, I have two ingest nodes, two data nodes and one Kibana (coordinate node). Also, I have configured a central event collector on Windows Server 2016 and installed Winlogbeat and Filebeat on the same server. Clients push event logs to this Windows server, which are further forwarded to Elasticsearch by the Beats clients. In Kibana, only the central event collector is shown as a host. Can we change it somehow to show the actual number of hosts from which the logs are collected?

I believe you may need to change the visualization(s) to use the winlog.computer_name field. https://www.elastic.co/guide/en/beats/winlogbeat/current/exported-fields-winlog.html#_winlog

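To compare the two host counts outside a visualization, the Kibana Dev Tools request below (an added example, not part of the original posts) counts distinct values of `host.name` and of `winlog.computer_name` over the last 24 hours and lists the originating computers. The `winlogbeat-*` index pattern, the 24-hour window and the keyword mappings from Winlogbeat's default template are assumptions.

```console
# Added example. Assumes the default winlogbeat-* indices and that host.name
# and winlog.computer_name are mapped as keyword (Winlogbeat's default template).
# hosts_by_agent   : machines running the Beat (the central collector only)
# hosts_by_source  : machines that generated the forwarded events
# source_computers : per-computer event counts, useful for spotting clients
#                    that have stopped forwarding
GET winlogbeat-*/_search
{
  "size": 0,
  "query": {
    "range": { "@timestamp": { "gte": "now-24h" } }
  },
  "aggs": {
    "hosts_by_agent": {
      "cardinality": { "field": "host.name" }
    },
    "hosts_by_source": {
      "cardinality": { "field": "winlog.computer_name" }
    },
    "source_computers": {
      "terms": { "field": "winlog.computer_name", "size": 500 }
    }
  }
}
```

With a single collector, `hosts_by_agent` returns 1 while `hosts_by_source` returns the number of forwarding clients; the cardinality aggregation is approximate at very high counts.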

Thanks. That should work. I changed it for Filebeat and now SIEM shows the correct number of Linux hosts.

Is there any way we can add the IP address also? In Windows events, the IP address field is empty. It only has the hostname. Is there any way we can resolve the IP address from the hostname and add it to the forwarded log using Winlogbeat?

Please note all our clients are agentless. Windows clients are forwarding logs to a central log collector where Winlogbeat is installed. Winlogbeat is forwarding these logs to Elasticsearch.
