Hey there!
I've found that WinLogBeat is doing some translation of SID's. I'm hoping to leverage this translation for event logs that have multiple SID's. Ie. Event ID 4757 has an SID field for the member being added.
I'm looking to see if there is any way to leverage the SID lookup for this field as well.
Worst case, I can use logstash to trim down the Distinguished Name that is shipped by default with the event.
Thanks!
There's no way to configure Winlogbeat to translate other fields at this time. There is an open feature request that I would like to see implemented. You can follow it at https://github.com/elastic/beats/issues/7451.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.