Windows event fields parsing

hello,

We are trying to send Windows event logs using Winlogbeat 7.XX. We are creating several dashboards based on correlation rules built on top of event, Sysmon and Security logs, e.g. event.id=1 AND winlog.event_data.Commandline=ipconfig.exe (this is a visualization).

We observed that event fields change across different Winlogbeat versions (e.g. 6.71 to 7.1), which is impacting our dashboards. This affects all our correlation rules and dashboards.
(Event_id ---> Event.code / Winlog.event_id is being appended to almost all fields)

We observed that in 7.XX the ECS format is being used or supported.

We have many event_ids being received from the Windows Event Viewer.

What is the recommended solution in such a situation, where we have many event_ids being received from the Windows Event Viewer?

Should we send the Winlogbeat output to Logstash to parse it based on event_id, with continuous development upon any Winlogbeat change, so that the fields in Kibana stay intact?

Or should we send it automatically to Elastic and rely on the Winlogbeat ECS format, which might be a standard?
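The two options in the question (a Logstash translation layer versus relying on the ECS layout) both come down to the same thing: a single field layout that the correlation rules are written against. The script below is an added illustration of that translation layer, not code from the original post, from Winlogbeat or from Logstash. It takes the renames the thread mentions (event_id to winlog.event_id and event.code, event_data to winlog.event_data), assumes the rest of the legacy-to-ECS mapping in RENAMES, uses constructed sample documents rather than real captures, and evaluates one rule of the kind used in the dashboard (Sysmon event 1 with ipconfig.exe in the command line) against both a 6.x-style and a 7.x-style document. Note that event.code is a string in ECS while the old event_id was numeric, which is one of the silent breakages an upgrade causes.

```python
"""Normalize Winlogbeat 6.x-style documents into the 7.x ECS layout and
evaluate one correlation rule against either shape.

Added example for this thread, not Winlogbeat's or Logstash's own code.
The rename table covers the renames the thread mentions (event_id ->
winlog.event_id / event.code, event_data -> winlog.event_data); the other
entries and the sample documents are assumptions constructed for illustration.
"""
from __future__ import annotations

import copy
from typing import Any

# (legacy 6.x field, 7.x ECS field). Assumed mapping: verify it against the
# Winlogbeat version you actually run before encoding it in a Logstash filter.
RENAMES = [
    ("event_id", "winlog.event_id"),
    ("log_name", "winlog.channel"),
    ("computer_name", "winlog.computer_name"),
    ("source_name", "winlog.provider_name"),
    ("record_number", "winlog.record_id"),
    ("event_data", "winlog.event_data"),
]


def get_path(doc: dict, path: str) -> Any:
    """Return the value at a dotted path, or None if any segment is missing."""
    cur: Any = doc
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def set_path(doc: dict, path: str, value: Any) -> None:
    """Create nested dicts as needed and store value at the dotted path."""
    keys = path.split(".")
    cur = doc
    for key in keys[:-1]:
        cur = cur.setdefault(key, {})
    cur[keys[-1]] = value


def normalize(doc: dict) -> dict:
    """Return a copy of doc in the 7.x layout.

    Documents that already carry winlog.event_id are passed through unchanged,
    so one function can front a mixed 6.x/7.x fleet during a rolling upgrade.
    """
    out = copy.deepcopy(doc)
    if get_path(out, "winlog.event_id") is not None:
        return out
    for old, new in RENAMES:
        if old in out:
            set_path(out, new, out.pop(old))
    # event.code is a keyword (string) in ECS even though event_id was numeric.
    event_id = get_path(out, "winlog.event_id")
    if event_id is not None:
        set_path(out, "event.code", str(event_id))
    # host.name is the ECS home for the machine name; keep winlog.computer_name too.
    computer = get_path(out, "winlog.computer_name")
    if computer is not None and get_path(out, "host.name") is None:
        set_path(out, "host.name", computer)
    return out


# One rule in the spirit of the thread's visualization: Sysmon event 1
# (process create) whose command line contains ipconfig.exe.
# Each clause is (field, operator, value); operators are "eq" and "contains".
IPCONFIG_RULE = [
    ("event.code", "eq", "1"),
    ("winlog.event_data.CommandLine", "contains", "ipconfig.exe"),
]


def matches(doc: dict, rule: list[tuple[str, str, str]]) -> bool:
    """Evaluate every clause of a rule against a 7.x-layout document."""
    for field, op, value in rule:
        actual = get_path(doc, field)
        if actual is None:
            return False
        if op == "eq" and str(actual) != value:
            return False
        if op == "contains" and value.lower() not in str(actual).lower():
            return False
    return True


# Constructed sample documents (not real captures); minimal fields only.
LEGACY_6X = {
    "event_id": 1,
    "log_name": "Microsoft-Windows-Sysmon/Operational",
    "computer_name": "ws01.example.local",
    "event_data": {"Image": "C:\\Windows\\System32\\ipconfig.exe",
                   "CommandLine": "ipconfig.exe /all"},
}
ECS_7X = {
    "event": {"code": "1"},
    "winlog": {"event_id": 1, "channel": "Microsoft-Windows-Sysmon/Operational",
               "event_data": {"Image": "C:\\Windows\\System32\\ipconfig.exe",
                              "CommandLine": "ipconfig.exe /all"}},
    "host": {"name": "ws01.example.local"},
}
LEGACY_4688 = {  # Security 4688, not Sysmon 1: must not match the rule
    "event_id": 4688,
    "log_name": "Security",
    "computer_name": "ws01.example.local",
    "event_data": {"NewProcessName": "C:\\Windows\\System32\\ipconfig.exe"},
}


def main() -> None:
    for name, doc in [("legacy 6.x", LEGACY_6X), ("ECS 7.x", ECS_7X),
                      ("legacy 4688", LEGACY_4688)]:
        print(f"{name:12s} -> match={matches(normalize(doc), IPCONFIG_RULE)}")


if __name__ == "__main__":
    main()
```

Whichever option is chosen, the rule is written once against the ECS names; if the Logstash route is taken, RENAMES is what becomes the filter's rename list and is the single place to update when a Beats release moves a field again.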

I think this is a duplicate of SIEM Parsing? I've replied to it there; let's keep the discussion in the other thread.

True, sorry for this.
