Running an Elastic Stack version 8 server. Trying to get Winlogbeat to send events to the server and run some detection rules alerts on them, but not getting all the expected fields configured.
E.g. one of the rules monitors registry changes and is looking for both the winlog.event_data.Details and registry.path fields, which I understand should be part of the ECS Windows mappings.
I've tried:
a) Enabling auditing for the registry, and get 4657 events generated in the event log and these get shipped to Logstash (also tried shipping directly to ES). They appear to get some ECS mapping (e.g. ecs.version = 8.0.0, event.code = 4657) but neither of the fields expected by the detection rule is populated.
b) Installing Sysmon and shipping those events instead, there's a little bit of progress: winlog.event_data.Details is populated, but registry.path is not.
There's a data stream in Stack Management and it's using a winlogbeat mapping.
I’m a bit stumped as to what we’re missing.
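As an added illustration (not part of the original post, and not Winlogbeat's or the Elastic module's own code), the script below does two things a defender chasing this kind of gap usually wants: it reports which of the fields a rule requires are missing from a shipped event, and it derives the ECS registry.* fields from the raw EventData when the shipper left them empty. The sample events are constructed. Assumptions: Winlogbeat stores the event ID as a string in winlog.event_id, Sysmon registry events (IDs 12/13/14) carry TargetObject and Details, security event 4657 carries ObjectName, ObjectValueName and NewValue, and the translation of native \REGISTRY\MACHINE and \REGISTRY\USER prefixes to HKLM/HKU is a convention chosen here, not something the page states.

```python
"""Diagnose missing rule fields and derive ECS registry.* fields from raw
Windows registry events. Added example code; field names are assumptions
stated in the lead-in, and the sample events below are constructed."""
from __future__ import annotations
from typing import Any

# Fields the registry-change detection rule in the post expects.
RULE_REQUIRED_FIELDS = ["winlog.event_data.Details", "registry.path"]

# Native object-name prefixes used by 4657 events -> short hive names (assumed convention).
NATIVE_HIVE_PREFIXES = {"\\REGISTRY\\MACHINE": "HKLM", "\\REGISTRY\\USER": "HKU"}


def get_field(event: dict, dotted: str) -> Any:
    """Walk a dotted path through nested dicts; None if any segment is absent."""
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def set_field(event: dict, dotted: str, value: Any) -> None:
    """Create intermediate dicts as needed and set the leaf."""
    parts = dotted.split(".")
    cur = event
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def missing_fields(event: dict, required: list[str] = RULE_REQUIRED_FIELDS) -> list[str]:
    """Return the required fields that are absent or empty in this event."""
    return [f for f in required if get_field(event, f) in (None, "")]


def split_registry_path(path: str, has_value: bool) -> dict:
    """Split 'HIVE\\key\\subkey[\\value]' into the ECS registry.* parts."""
    hive, _, rest = path.partition("\\")
    if has_value and "\\" in rest:
        key, _, value = rest.rpartition("\\")
    else:
        key, value = rest, None
    out = {"path": path, "hive": hive, "key": key}
    if value is not None:
        out["value"] = value
    return out


def enrich_registry(event: dict) -> dict:
    """Populate registry.* (and Details for 4657) when the shipper did not."""
    if get_field(event, "registry.path"):
        return event  # already mapped by the shipper, nothing to do
    provider = get_field(event, "winlog.provider_name")
    event_id = str(get_field(event, "winlog.event_id"))
    data = get_field(event, "winlog.event_data") or {}
    if provider == "Microsoft-Windows-Sysmon" and event_id in ("12", "13", "14"):
        target = data.get("TargetObject")
        if target:
            # Only event 13 (value set) names a value; 12/14 refer to keys.
            set_field(event, "registry", split_registry_path(target, has_value=event_id == "13"))
    elif provider == "Microsoft-Windows-Security-Auditing" and event_id == "4657":
        obj = data.get("ObjectName")
        if obj:
            for prefix, hive in NATIVE_HIVE_PREFIXES.items():
                if obj.upper().startswith(prefix):
                    obj = hive + obj[len(prefix):]
                    break
            value_name = data.get("ObjectValueName")
            full = f"{obj}\\{value_name}" if value_name else obj
            set_field(event, "registry", split_registry_path(full, has_value=bool(value_name)))
            # Assumed: expose the new value under Details so a Sysmon-oriented rule can read it.
            if data.get("NewValue") and not data.get("Details"):
                set_field(event, "winlog.event_data.Details", data["NewValue"])
    return event


# Constructed sample events, shaped like Winlogbeat output (subset of fields).
SYSMON_EVENT = {
    "winlog": {"provider_name": "Microsoft-Windows-Sysmon", "event_id": "13",
               "event_data": {"TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
                              "Details": "C:\\Users\\Public\\updater.exe"}},
}
SECURITY_EVENT = {
    "winlog": {"provider_name": "Microsoft-Windows-Security-Auditing", "event_id": "4657",
               "event_data": {"ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
                              "ObjectValueName": "Updater",
                              "NewValue": "C:\\Users\\Public\\updater.exe"}},
}

if __name__ == "__main__":
    for ev in (SYSMON_EVENT, SECURITY_EVENT):
        print("before:", missing_fields(ev))
        print("after: ", missing_fields(enrich_registry(ev)), get_field(ev, "registry"))
```

Run it as-is and the "before" line shows exactly the gap described in the post (registry.path missing for the Sysmon event, both fields missing for 4657); the "after" line shows the derived registry.hive/key/value. In production this logic belongs in the shipper's module or a Logstash/ingest pipeline rather than a side script, but the same field check is a quick way to confirm which mapping stage is dropping the field.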