User ID cannot be displayed properly

User ID cannot be displayed properly

When you say that it's not displayed properly what exactly do you mean?

Winlobeat just passes the event_data fields through from what it finds in the event log. You should be able to open up the Event Viewer, find this log message by using the record_number, view the raw XML representation of the event, and verify that they are equivalent.

Perhaps you want to be able to translate SID values to names? https://github.com/elastic/beats/issues/7451

yes!I want to be able to translate SID values to names,
I've seen this https://github.com/elastic/beats/issues/7451
I also read a lot of solutions you wrote to solve the problem of change.
But I don't understand. Is this translation a function of Winlogbeat, or does it need to be debugged by myself?
I am from China and my English is poor. Please forgive me.

thank you for your reply!

Translation of SIDs to names is not a feature yet.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.