Partial field value matching post Winlogbeat upgrade to 8.1

Psyhil · March 21, 2022, 3:47pm

Hi All,

We are using elk 7.17.1 with winlogbeat version 7.8 version with ECS version 1.5.
While testing out winlogbeat 8.1.0 with ECS version 8.0.0, now my lucene queries are now doing partial matches.
A simple example of Lucene query

winlog.event_data.Image:C\:\\Windows\\System32\\schtasks.exe

is doing partial matching the field winlog.event_data.Image and listing anything with C or

C:\
C:\Windows\
C:\Windows\System32\

This behavior is not seen with data in indexes with winlogbeat agent 7.8
Expected matches were where field value is C:\Windows\System32\schtasks.exe

Did I miss something here?

Thank you in advance!

Psyhil · March 22, 2022, 1:24pm

Tried using Beats 7.17.1 version and seeing same issue, downgraded the winlogbeat to 7.8 and the queries started working normally.

Out of ideas what may have changed.

system · April 19, 2022, 3:24pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.