I'm using Elastic Stack v7.4.0 and I have a single winlogbeat on a Windows Server that receives, via WEF, all security events from different other servers.
So I just corrected, with Logstash, which I use to filter all traffic to Elasticsearch, the content of the field host.name with the value of winlog.computer_name.
Now I see all servers in the host tab, but in authentication I don't see the accesses. I collect the information from different DCs. What could I do? At the moment I see the user access in the field winlog.event_data.TargetUserName. Could I move the content of the field winlog.event_data.TargetUserName into user.name?
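
The field handling described in the post above, as an added Logstash filter example that is not part of the original post. It assumes the field names quoted there and uses the mutate filter's `copy` option, so the original `winlog.*` fields are kept alongside the copies.

```logstash
filter {
  # Events forwarded through WEF are shipped by the collector, so the
  # originating server is taken from winlog.computer_name.
  if [winlog][computer_name] {
    mutate {
      copy => { "[winlog][computer_name]" => "[host][name]" }
    }
  }

  # Only events that carry a TargetUserName get a user.name.
  # copy (rather than rename) leaves winlog.event_data.TargetUserName intact.
  if [winlog][event_data][TargetUserName] {
    mutate {
      copy => { "[winlog][event_data][TargetUserName]" => "[user][name]" }
    }
  }
}
```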