Server send security events with WEF and in Authentication tab I don't found all accesses

franco.federico · February 13, 2020, 2:02pm

Hi all

I'm using Elastic Stack v7.4.0 and I have a single winlogbeat on the Windows Server that receive with WEF all event of security of differents other server.

So I just correct by logstash, that I used to filter all traffic to Elasticsearch, the content of field host.name with the value of winlog.computer_name.

Now I see in the host tab all servers but in authentication I don't see the accesses. I collect the information of different DC. What could I do? At the moment I see the user access in the field winlog.event_data.TargetUserName. Could I move the content of field winlog.event_data.TargetUserName in user.name?

Thank you
Franco

system · March 12, 2020, 2:02pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Monitor Windows Logons win Winlogbeat Beats winlogbeat	2	362	June 25, 2020
Config check, filtering out users Beats winlogbeat	2	352	August 26, 2021
Winlogbeat and Windows Event Fowarder (WEF) Wrong Hostname Beats winlogbeat	3	1178	March 17, 2020
Elasticsearch filter plugin and winlogbeat Logstash	2	207	June 25, 2021
Winlogbeat logs sent through logstash aren't parsed correctly Beats winlogbeat	4	603	August 8, 2023

Server send security events with WEF and in Authentication tab I don't found all accesses

Related topics