System integration: Windows Security logs no longer enriched after upgrade to v. 8.19

Hello all,

I have run into an issue: after updating my on-prem Elastic Stack (single-node cluster) from v. 8.18 to 8.19, along with the System integration in Fleet, the Windows Security logs are missing some fields, or to be precise, everything under user.*. Logs are still being sent, and everything else works as expected, as far as I can tell. However, my custom dashboards and the default Windows Security dashboards shipped with the System integration are no longer usable, because they depend on those mapped fields.

Currently I am running v. 8.19.3, with v. 2.6.0 of the System integration. I have tried updating the stack and the System integration to the newest versions and redeploying the agent on the domain controller. I am not sure how to proceed or how to troubleshoot this further.

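Here are two sample events (both event ID 4725), one indexed before the update and one after. Note that they come from different domain controllers (ALST-HH-DC1 and ALST-HH-DC2) with different agents. Besides user.*, the second document also lacks related.user, event.category, event.type and event.ingested, and its event.action holds the task name ("User Account Management") instead of "disabled-user-account".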

Before:

{
  "_index": ".ds-logs-system.security-windows-2025.08.13-000098",
  "_id": "ubVK4ZgBgpOFjFAF0qdQ",
  "_version": 1,
  "_source": {
    "agent": {
      "name": "ALST-HH-DC1",
      "id": "19ece9a4-9d82-4534-ad9a-5bf263707c49",
      "ephemeral_id": "1f4c4def-e2d9-425d-8789-66d80d18677b",
      "type": "filebeat",
      "version": "8.18.2"
    },
    "winlog": {
      "computer_name": "ALST-HH-DC1.domain.local",
      "process": {
        "pid": 788,
        "thread": {
          "id": 7012
        }
      },
      "keywords": [
        "Überwachung erfolgreich"
      ],
      "logon": {
        "id": "0x35aababe"
      },
      "channel": "Security",
      "event_data": {
        "SubjectUserName": "adminaccount",
        "TargetSid": "S-1-5-21-338608204-2689096227-197484634-12682",
        "SubjectDomainName": "DOMAIN",
        "SubjectLogonId": "0x35aababe",
        "TargetUserName": "NB-HH-0025$",
        "TargetDomainName": "DOMAIN",
        "SubjectUserSid": "S-1-5-21-338608204-2689096227-197484634-8760"
      },
      "opcode": "Info",
      "record_id": "496577724",
      "event_id": "4725",
      "task": "User Account Management",
      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
      "activity_id": "{4549ccb9-10e1-0001-49cd-4945e110dc01}",
      "api": "wineventlog",
      "provider_name": "Microsoft-Windows-Security-Auditing"
    },
    "log": {
      "level": "informationen"
    },
    "elastic_agent": {
      "id": "19ece9a4-9d82-4534-ad9a-5bf263707c49",
      "version": "8.18.2",
      "snapshot": false
    },
    "message": "Ein Benutzerkonto wurde deaktiviert.\n\nAntragsteller:\n\tSicherheits-ID:\t\tS-1-5-21-338608204-2689096227-197484634-8760\n\tKontoname:\t\tadminaccount\n\tKontodomäne:\t\tDOMAIN\n\tAnmelde-ID:\t\t0x35AABABE\n\nZielkonto:\n\tSicherheits-ID:\t\tS-1-5-21-338608204-2689096227-197484634-12682\n\tKontoname:\t\tNB-HH-0025$\n\tKontodomäne:\t\tDOMAIN",
    "input": {
      "type": "winlog"
    },
    "@timestamp": "2025-08-25T12:53:43.738Z",
    "ecs": {
      "version": "8.11.0"
    },
    "related": {
      "user": [
        "adminaccount",
        "NB-HH-0025$"
      ]
    },
    "data_stream": {
      "namespace": "windows",
      "type": "logs",
      "dataset": "system.security"
    },
    "host": {
      "hostname": "ALST-HH-DC1",
      "os": {
        "build": "20348.4052",
        "kernel": "10.0.20348.4050 (WinBuild.160101.0800)",
        "name": "Windows Server 2022 Datacenter",
        "type": "windows",
        "family": "windows",
        "version": "10.0",
        "platform": "windows"
      },
      "ip": [
        "192.168.20.45"
      ],
      "name": "alst-hh-dc1",
      "id": "4fb6fc6a-8e37-48c1-8f38-1251e3389612",
      "mac": [
        "00-50-56-9A-E3-B7"
      ],
      "architecture": "x86_64"
    },
    "event": {
      "agent_id_status": "verified",
      "ingested": "2025-08-25T12:53:53Z",
      "code": "4725",
      "provider": "Microsoft-Windows-Security-Auditing",
      "kind": "event",
      "created": "2025-08-25T12:53:44.860Z",
      "action": "disabled-user-account",
      "category": [
        "iam"
      ],
      "type": [
        "user",
        "deletion"
      ],
      "dataset": "system.security",
      "outcome": "success"
    },
    "user": {
      "domain": "DOMAIN",
      "name": "adminaccount",
      "id": "S-1-5-21-338608204-2689096227-197484634-8760",
      "target": {
        "domain": "DOMAIN",
        "name": "NB-HH-0025$",
        "id": "S-1-5-21-338608204-2689096227-197484634-12682"
      }
    }
  },
  "fields": {
    "elastic_agent.version": [
      "8.18.2"
    ],
    "event.category": [
      "iam"
    ],
    "host.os.name.text": [
      "Windows Server 2022 Datacenter"
    ],
    "winlog.provider_guid": [
      "{54849625-5478-4994-a5ba-3e3b0328c30d}"
    ],
    "winlog.provider_name": [
      "Microsoft-Windows-Security-Auditing"
    ],
    "host.name.text": [
      "alst-hh-dc1"
    ],
    "host.hostname": [
      "ALST-HH-DC1"
    ],
    "winlog.computer_name": [
      "ALST-HH-DC1.domain.local"
    ],
    "host.mac": [
      "00-50-56-9A-E3-B7"
    ],
    "user.target.id": [
      "S-1-5-21-338608204-2689096227-197484634-12682"
    ],
    "winlog.process.pid": [
      788
    ],
    "agent.name.text": [
      "ALST-HH-DC1"
    ],
    "host.os.version": [
      "10.0"
    ],
    "winlog.keywords": [
      "Überwachung erfolgreich"
    ],
    "winlog.record_id": [
      "496577724"
    ],
    "winlog.logon.id": [
      "0x35aababe"
    ],
    "host.os.name": [
      "Windows Server 2022 Datacenter"
    ],
    "log.level": [
      "informationen"
    ],
    "agent.name": [
      "ALST-HH-DC1"
    ],
    "host.name": [
      "alst-hh-dc1"
    ],
    "event.agent_id_status": [
      "verified"
    ],
    "user.target.name.text": [
      "NB-HH-0025$"
    ],
    "event.kind": [
      "event"
    ],
    "winlog.activity_id": [
      "{4549ccb9-10e1-0001-49cd-4945e110dc01}"
    ],
    "event.outcome": [
      "success"
    ],
    "winlog.event_data.TargetUserName": [
      "NB-HH-0025$"
    ],
    "host.os.type": [
      "windows"
    ],
    "user.id": [
      "S-1-5-21-338608204-2689096227-197484634-8760"
    ],
    "input.type": [
      "winlog"
    ],
    "data_stream.type": [
      "logs"
    ],
    "related.user": [
      "adminaccount",
      "NB-HH-0025$"
    ],
    "user.target.name": [
      "NB-HH-0025$"
    ],
    "host.architecture": [
      "x86_64"
    ],
    "event.provider": [
      "Microsoft-Windows-Security-Auditing"
    ],
    "event.code": [
      "4725"
    ],
    "agent.id": [
      "19ece9a4-9d82-4534-ad9a-5bf263707c49"
    ],
    "ecs.version": [
      "8.11.0"
    ],
    "event.created": [
      "2025-08-25T12:53:44.860Z"
    ],
    "agent.version": [
      "8.18.2"
    ],
    "host.os.family": [
      "windows"
    ],
    "winlog.event_data.SubjectUserSid": [
      "S-1-5-21-338608204-2689096227-197484634-8760"
    ],
    "winlog.process.thread.id": [
      7012
    ],
    "user.name": [
      "adminaccount"
    ],
    "host.os.build": [
      "20348.4052"
    ],
    "host.ip": [
      "192.168.20.45"
    ],
    "agent.type": [
      "filebeat"
    ],
    "event.module": [
      "system"
    ],
    "winlog.event_data.SubjectLogonId": [
      "0x35aababe"
    ],
    "winlog.event_data.TargetSid": [
      "S-1-5-21-338608204-2689096227-197484634-12682"
    ],
    "host.os.kernel": [
      "10.0.20348.4050 (WinBuild.160101.0800)"
    ],
    "winlog.api": [
      "wineventlog"
    ],
    "user.target.domain": [
      "DOMAIN"
    ],
    "elastic_agent.snapshot": [
      false
    ],
    "user.domain": [
      "DOMAIN"
    ],
    "host.id": [
      "4fb6fc6a-8e37-48c1-8f38-1251e3389612"
    ],
    "winlog.task": [
      "User Account Management"
    ],
    "elastic_agent.id": [
      "19ece9a4-9d82-4534-ad9a-5bf263707c49"
    ],
    "data_stream.namespace": [
      "windows"
    ],
    "winlog.event_data.SubjectUserName": [
      "adminaccount"
    ],
    "message": [
      "Ein Benutzerkonto wurde deaktiviert.\n\nAntragsteller:\n\tSicherheits-ID:\t\tS-1-5-21-338608204-2689096227-197484634-8760\n\tKontoname:\t\tadminaccount\n\tKontodomäne:\t\tDOMAIN\n\tAnmelde-ID:\t\t0x35AABABE\n\nZielkonto:\n\tSicherheits-ID:\t\tS-1-5-21-338608204-2689096227-197484634-12682\n\tKontoname:\t\tNB-HH-0025$\n\tKontodomäne:\t\tDOMAIN"
    ],
    "winlog.event_id": [
      "4725"
    ],
    "event.action": [
      "disabled-user-account"
    ],
    "event.ingested": [
      "2025-08-25T12:53:53.000Z"
    ],
    "@timestamp": [
      "2025-08-25T12:53:43.738Z"
    ],
    "winlog.channel": [
      "Security"
    ],
    "host.os.platform": [
      "windows"
    ],
    "data_stream.dataset": [
      "system.security"
    ],
    "event.type": [
      "user",
      "deletion"
    ],
    "winlog.event_data.TargetDomainName": [
      "DOMAIN"
    ],
    "winlog.opcode": [
      "Info"
    ],
    "agent.ephemeral_id": [
      "1f4c4def-e2d9-425d-8789-66d80d18677b"
    ],
    "winlog.event_data.SubjectDomainName": [
      "DOMAIN"
    ],
    "event.dataset": [
      "system.security"
    ],
    "user.name.text": [
      "adminaccount"
    ]
  }
}

After:

{
  "_index": ".ds-logs-system.security-windows-2025.08.27-000099",
  "_id": "vVTv9ZgBd7iXe8vO-Qpc",
  "_version": 1,
  "_ignored": [
    "event.original.keyword",
    "message.keyword"
  ],
  "_source": {
    "@timestamp": "2025-08-29T13:06:33.550Z",
    "host": {
      "name": "alst-hh-dc2",
      "architecture": "x86_64",
      "os": {
        "type": "windows",
        "platform": "windows",
        "version": "10.0",
        "family": "windows",
        "name": "Windows Server 2022 Datacenter",
        "kernel": "10.0.20348.4050 (WinBuild.160101.0800)",
        "build": "20348.4052"
      },
      "id": "596edf47-0f75-4550-b1f0-5f411df71934",
      "ip": [
        "192.168.20.48"
      ],
      "mac": [
        "00-50-56-9A-28-CC"
      ],
      "hostname": "ALST-HH-DC2"
    },
    "log": {
      "level": "informationen"
    },
    "message": "Ein Benutzerkonto wurde deaktiviert.\n\nAntragsteller:\n\tSicherheits-ID:\t\tS-1-5-21-338608204-2689096227-197484634-12233\n\tKontoname:\t\tadminaccount\n\tKontodomäne:\t\tDOMAIN\n\tAnmelde-ID:\t\t0x57C99044\n\nZielkonto:\n\tSicherheits-ID:\t\tS-1-5-21-338608204-2689096227-197484634-11695\n\tKontoname:\t\tuseraccount\n\tKontodomäne:\t\tDOMAIN",
    "input": {
      "type": "winlog"
    },
    "elastic_agent": {
      "id": "feac96be-3a6d-4f36-a001-f223c416a1ef",
      "snapshot": false,
      "version": "8.19.2"
    },
    "agent": {
      "id": "feac96be-3a6d-4f36-a001-f223c416a1ef",
      "ephemeral_id": "404fc75a-d67e-4a1e-8b8f-194f4b262ae8",
      "name": "ALST-HH-DC2",
      "type": "filebeat",
      "version": "8.19.2"
    },
    "winlog": {
      "channel": "Security",
      "opcode": "Info",
      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
      "event_data": {
        "SubjectDomainName": "DOMAIN",
        "SubjectLogonId": "0x57c99044",
        "TargetUserName": "useraccount",
        "TargetDomainName": "DOMAIN",
        "TargetSid": "S-1-5-21-338608204-2689096227-197484634-11695",
        "SubjectUserSid": "S-1-5-21-338608204-2689096227-197484634-12233",
        "SubjectUserName": "adminaccount"
      },
      "process": {
        "pid": 804,
        "thread": {
          "id": 2612
        }
      },
      "api": "wineventlog",
      "task": "User Account Management",
      "record_id": 547042761,
      "computer_name": "ALST-HH-DC2.domain.local",
      "event_id": "4725",
      "provider_name": "Microsoft-Windows-Security-Auditing",
      "keywords": [
        "Überwachung erfolgreich"
      ]
    },
    "event": {
      "outcome": "success",
      "original": "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4725</EventID><Version>0</Version><Level>0</Level><Task>13824</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2025-08-29T13:06:33.5504032Z'/><EventRecordID>547042761</EventRecordID><Correlation/><Execution ProcessID='804' ThreadID='2612'/><Channel>Security</Channel><Computer>ALST-HH-DC2.domain.local</Computer><Security/></System><EventData><Data Name='TargetUserName'>useraccount</Data><Data Name='TargetDomainName'>DOMAIN</Data><Data Name='TargetSid'>S-1-5-21-338608204-2689096227-197484634-11695</Data><Data Name='SubjectUserSid'>S-1-5-21-338608204-2689096227-197484634-12233</Data><Data Name='SubjectUserName'>adminaccount</Data><Data Name='SubjectDomainName'>DOMAIN</Data><Data Name='SubjectLogonId'>0x57c99044</Data></EventData><RenderingInfo Culture='de-DE'><Message>Ein Benutzerkonto wurde deaktiviert.\r\n\r\nAntragsteller:\r\n\tSicherheits-ID:\t\tS-1-5-21-338608204-2689096227-197484634-12233\r\n\tKontoname:\t\tadminaccount\r\n\tKontodomäne:\t\tDOMAIN\r\n\tAnmelde-ID:\t\t0x57C99044\r\n\r\nZielkonto:\r\n\tSicherheits-ID:\t\tS-1-5-21-338608204-2689096227-197484634-11695\r\n\tKontoname:\t\tuseraccount\r\n\tKontodomäne:\t\tDOMAIN</Message><Level>Informationen</Level><Task>User Account Management</Task><Opcode>Info</Opcode><Channel>Sicherheit</Channel><Provider>Microsoft Windows security auditing.</Provider><Keywords><Keyword>Überwachung erfolgreich</Keyword></Keywords></RenderingInfo></Event>",
      "action": "User Account Management",
      "created": "2025-08-29T13:06:34.655Z",
      "code": "4725",
      "kind": "event",
      "dataset": "system.security",
      "provider": "Microsoft-Windows-Security-Auditing"
    },
    "data_stream": {
      "type": "logs",
      "dataset": "system.security",
      "namespace": "windows"
    },
    "ecs": {
      "version": "8.0.0"
    }
  },
  "fields": {
    "agent.version.keyword": [
      "8.19.2"
    ],
    "elastic_agent.version": [
      "8.19.2"
    ],
    "host.name.keyword": [
      "alst-hh-dc2"
    ],
    "event.dataset.keyword": [
      "system.security"
    ],
    "event.outcome.keyword": [
      "success"
    ],
    "host.hostname": [
      "ALST-HH-DC2"
    ],
    "host.mac": [
      "00-50-56-9A-28-CC"
    ],
    "winlog.process.pid": [
      804
    ],
    "data_stream.namespace.keyword": [
      "windows"
    ],
    "winlog.event_data.TargetDomainName.keyword": [
      "DOMAIN"
    ],
    "host.os.version": [
      "10.0"
    ],
    "agent.name": [
      "ALST-HH-DC2"
    ],
    "event.outcome": [
      "success"
    ],
    "host.os.type": [
      "windows"
    ],
    "agent.id.keyword": [
      "feac96be-3a6d-4f36-a001-f223c416a1ef"
    ],
    "input.type": [
      "winlog"
    ],
    "host.architecture": [
      "x86_64"
    ],
    "event.provider": [
      "Microsoft-Windows-Security-Auditing"
    ],
    "event.code": [
      "4725"
    ],
    "agent.id": [
      "feac96be-3a6d-4f36-a001-f223c416a1ef"
    ],
    "winlog.provider_name.keyword": [
      "Microsoft-Windows-Security-Auditing"
    ],
    "winlog.event_data.SubjectUserSid": [
      "S-1-5-21-338608204-2689096227-197484634-12233"
    ],
    "winlog.api.keyword": [
      "wineventlog"
    ],
    "winlog.process.thread.id": [
      2612
    ],
    "input.type.keyword": [
      "winlog"
    ],
    "data_stream.dataset.keyword": [
      "system.security"
    ],
    "elastic_agent.version.keyword": [
      "8.19.2"
    ],
    "host.ip": [
      "192.168.20.48"
    ],
    "agent.type": [
      "filebeat"
    ],
    "host.os.kernel.keyword": [
      "10.0.20348.4050 (WinBuild.160101.0800)"
    ],
    "winlog.event_data.SubjectLogonId": [
      "0x57c99044"
    ],
    "winlog.event_data.TargetSid": [
      "S-1-5-21-338608204-2689096227-197484634-11695"
    ],
    "data_stream.type.keyword": [
      "logs"
    ],
    "winlog.api": [
      "wineventlog"
    ],
    "event.provider.keyword": [
      "Microsoft-Windows-Security-Auditing"
    ],
    "elastic_agent.snapshot": [
      false
    ],
    "host.id": [
      "596edf47-0f75-4550-b1f0-5f411df71934"
    ],
    "agent.type.keyword": [
      "filebeat"
    ],
    "agent.ephemeral_id.keyword": [
      "404fc75a-d67e-4a1e-8b8f-194f4b262ae8"
    ],
    "agent.name.keyword": [
      "ALST-HH-DC2"
    ],
    "elastic_agent.id": [
      "feac96be-3a6d-4f36-a001-f223c416a1ef"
    ],
    "event.action": [
      "User Account Management"
    ],
    "@timestamp": [
      "2025-08-29T13:06:33.550Z"
    ],
    "winlog.channel": [
      "Security"
    ],
    "host.os.platform": [
      "windows"
    ],
    "data_stream.dataset": [
      "system.security"
    ],
    "winlog.event_data.TargetDomainName": [
      "DOMAIN"
    ],
    "winlog.opcode": [
      "Info"
    ],
    "agent.ephemeral_id": [
      "404fc75a-d67e-4a1e-8b8f-194f4b262ae8"
    ],
    "winlog.event_data.SubjectDomainName": [
      "DOMAIN"
    ],
    "winlog.event_id.keyword": [
      "4725"
    ],
    "winlog.event_data.SubjectLogonId.keyword": [
      "0x57c99044"
    ],
    "host.architecture.keyword": [
      "x86_64"
    ],
    "elastic_agent.id.keyword": [
      "feac96be-3a6d-4f36-a001-f223c416a1ef"
    ],
    "winlog.provider_guid": [
      "{54849625-5478-4994-a5ba-3e3b0328c30d}"
    ],
    "winlog.provider_name": [
      "Microsoft-Windows-Security-Auditing"
    ],
    "host.os.build.keyword": [
      "20348.4052"
    ],
    "winlog.event_data.SubjectUserName.keyword": [
      "adminaccount"
    ],
    "event.code.keyword": [
      "4725"
    ],
    "winlog.computer_name": [
      "ALST-HH-DC2.domain.local"
    ],
    "ecs.version.keyword": [
      "8.0.0"
    ],
    "host.ip.keyword": [
      "192.168.20.48"
    ],
    "winlog.keywords": [
      "Überwachung erfolgreich"
    ],
    "winlog.record_id": [
      547042761
    ],
    "winlog.event_data.TargetUserName.keyword": [
      "useraccount"
    ],
    "winlog.keywords.keyword": [
      "Überwachung erfolgreich"
    ],
    "event.kind.keyword": [
      "event"
    ],
    "host.os.name": [
      "Windows Server 2022 Datacenter"
    ],
    "log.level": [
      "informationen"
    ],
    "event.action.keyword": [
      "User Account Management"
    ],
    "host.id.keyword": [
      "596edf47-0f75-4550-b1f0-5f411df71934"
    ],
    "host.name": [
      "alst-hh-dc2"
    ],
    "event.kind": [
      "event"
    ],
    "host.os.version.keyword": [
      "10.0"
    ],
    "winlog.event_data.TargetUserName": [
      "useraccount"
    ],
    "event.original": [
      "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4725</EventID><Version>0</Version><Level>0</Level><Task>13824</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2025-08-29T13:06:33.5504032Z'/><EventRecordID>547042761</EventRecordID><Correlation/><Execution ProcessID='804' ThreadID='2612'/><Channel>Security</Channel><Computer>ALST-HH-DC2.domain.local</Computer><Security/></System><EventData><Data Name='TargetUserName'>useraccount</Data><Data Name='TargetDomainName'>DOMAIN</Data><Data Name='TargetSid'>S-1-5-21-338608204-2689096227-197484634-11695</Data><Data Name='SubjectUserSid'>S-1-5-21-338608204-2689096227-197484634-12233</Data><Data Name='SubjectUserName'>adminaccount</Data><Data Name='SubjectDomainName'>DOMAIN</Data><Data Name='SubjectLogonId'>0x57c99044</Data></EventData><RenderingInfo Culture='de-DE'><Message>Ein Benutzerkonto wurde deaktiviert.\r\n\r\nAntragsteller:\r\n\tSicherheits-ID:\t\tS-1-5-21-338608204-2689096227-197484634-12233\r\n\tKontoname:\t\tadminaccount\r\n\tKontodomäne:\t\tDOMAIN\r\n\tAnmelde-ID:\t\t0x57C99044\r\n\r\nZielkonto:\r\n\tSicherheits-ID:\t\tS-1-5-21-338608204-2689096227-197484634-11695\r\n\tKontoname:\t\tuseraccount\r\n\tKontodomäne:\t\tDOMAIN</Message><Level>Informationen</Level><Task>User Account Management</Task><Opcode>Info</Opcode><Channel>Sicherheit</Channel><Provider>Microsoft Windows security auditing.</Provider><Keywords><Keyword>Überwachung erfolgreich</Keyword></Keywords></RenderingInfo></Event>"
    ],
    "winlog.event_data.SubjectDomainName.keyword": [
      "DOMAIN"
    ],
    "data_stream.type": [
      "logs"
    ],
    "ecs.version": [
      "8.0.0"
    ],
    "event.created": [
      "2025-08-29T13:06:34.655Z"
    ],
    "host.hostname.keyword": [
      "ALST-HH-DC2"
    ],
    "agent.version": [
      "8.19.2"
    ],
    "winlog.event_data.SubjectUserSid.keyword": [
      "S-1-5-21-338608204-2689096227-197484634-12233"
    ],
    "host.os.family": [
      "windows"
    ],
    "log.level.keyword": [
      "informationen"
    ],
    "winlog.computer_name.keyword": [
      "ALST-HH-DC2.domain.local"
    ],
    "host.os.build": [
      "20348.4052"
    ],
    "host.os.kernel": [
      "10.0.20348.4050 (WinBuild.160101.0800)"
    ],
    "host.os.name.keyword": [
      "Windows Server 2022 Datacenter"
    ],
    "winlog.provider_guid.keyword": [
      "{54849625-5478-4994-a5ba-3e3b0328c30d}"
    ],
    "winlog.task": [
      "User Account Management"
    ],
    "winlog.task.keyword": [
      "User Account Management"
    ],
    "host.mac.keyword": [
      "00-50-56-9A-28-CC"
    ],
    "data_stream.namespace": [
      "windows"
    ],
    "winlog.event_data.SubjectUserName": [
      "adminaccount"
    ],
    "message": [
      "Ein Benutzerkonto wurde deaktiviert.\n\nAntragsteller:\n\tSicherheits-ID:\t\tS-1-5-21-338608204-2689096227-197484634-12233\n\tKontoname:\t\tadminaccount\n\tKontodomäne:\t\tDOMAIN\n\tAnmelde-ID:\t\t0x57C99044\n\nZielkonto:\n\tSicherheits-ID:\t\tS-1-5-21-338608204-2689096227-197484634-11695\n\tKontoname:\t\tuseraccount\n\tKontodomäne:\t\tDOMAIN"
    ],
    "winlog.event_id": [
      "4725"
    ],
    "winlog.channel.keyword": [
      "Security"
    ],
    "host.os.family.keyword": [
      "windows"
    ],
    "host.os.type.keyword": [
      "windows"
    ],
    "host.os.platform.keyword": [
      "windows"
    ],
    "winlog.event_data.TargetSid.keyword": [
      "S-1-5-21-338608204-2689096227-197484634-11695"
    ],
    "winlog.opcode.keyword": [
      "Info"
    ],
    "event.dataset": [
      "system.security"
    ]
  },
  "ignored_field_values": {
    "message.keyword": [
      "Ein Benutzerkonto wurde deaktiviert.\n\nAntragsteller:\n\tSicherheits-ID:\t\tS-1-5-21-338608204-2689096227-197484634-12233\n\tKontoname:\t\tadminaccount\n\tKontodomäne:\t\tDOMAIN\n\tAnmelde-ID:\t\t0x57C99044\n\nZielkonto:\n\tSicherheits-ID:\t\tS-1-5-21-338608204-2689096227-197484634-11695\n\tKontoname:\t\tuseraccount\n\tKontodomäne:\t\tDOMAIN"
    ],
    "event.original.keyword": [
      "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4725</EventID><Version>0</Version><Level>0</Level><Task>13824</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2025-08-29T13:06:33.5504032Z'/><EventRecordID>547042761</EventRecordID><Correlation/><Execution ProcessID='804' ThreadID='2612'/><Channel>Security</Channel><Computer>ALST-HH-DC2.domain.local</Computer><Security/></System><EventData><Data Name='TargetUserName'>useraccount</Data><Data Name='TargetDomainName'>DOMAIN</Data><Data Name='TargetSid'>S-1-5-21-338608204-2689096227-197484634-11695</Data><Data Name='SubjectUserSid'>S-1-5-21-338608204-2689096227-197484634-12233</Data><Data Name='SubjectUserName'>adminaccount</Data><Data Name='SubjectDomainName'>DOMAIN</Data><Data Name='SubjectLogonId'>0x57c99044</Data></EventData><RenderingInfo Culture='de-DE'><Message>Ein Benutzerkonto wurde deaktiviert.\r\n\r\nAntragsteller:\r\n\tSicherheits-ID:\t\tS-1-5-21-338608204-2689096227-197484634-12233\r\n\tKontoname:\t\tadminaccount\r\n\tKontodomäne:\t\tDOMAIN\r\n\tAnmelde-ID:\t\t0x57C99044\r\n\r\nZielkonto:\r\n\tSicherheits-ID:\t\tS-1-5-21-338608204-2689096227-197484634-11695\r\n\tKontoname:\t\tuseraccount\r\n\tKontodomäne:\t\tDOMAIN</Message><Level>Informationen</Level><Task>User Account Management</Task><Opcode>Info</Opcode><Channel>Sicherheit</Channel><Provider>Microsoft Windows security auditing.</Provider><Keywords><Keyword>Überwachung erfolgreich</Keyword></Keywords></RenderingInfo></Event>"
    ]
  }
}

I have not found any similar reports regarding the System integration. Is someone able to point me in the right direction on how to proceed? Thank you in advance.

Hello, I still have not found a solution to this issue. Is anyone able to assist in any way? Thank you.

It seems that, after the update, the processors for winlog.event_data.SubjectUserSid and .TargetUserSid are missing from the config on the server for the system.security dataset (in the sample events above, the target SID is carried as winlog.event_data.TargetSid). I am not certain whether this is by design, or whether simply adding those processors manually would fix it.