Digging deeper I see a new index created by the system-datastream after update:
.ds-logs-system.security-default-2025.07.25-000109
This new index contains all the missing data. I still don't know why the data is ignored by Discover, Security Solution, etc. A new data view that matches the index name still doesn't show the data it contains (as if it belonged to a different namespace...)
Here is the redacted JSON of one of these new documents:
{
"_index": ".ds-logs-system.security-default-2025.07.25-000109",
"_id": "2K3cWZgBWyYtx9iNduY7",
"_version": 1,
"_source": {
"agent": {
"name": "redacted",
"id": "c79d80bc-77fb-4426-a88e-406ec7a928cb",
"type": "filebeat",
"ephemeral_id": "0a85fabe-5dd0-4fe8-ae42-5af0f254faff",
"version": "9.0.4"
},
"process": {
"pid": 0
},
"winlog": {
"computer_name": "redacted.redacted",
"process": {
"pid": 816,
"thread": {
"id": 7152
}
},
"keywords": [
"Audit Success"
],
"logon": {
"id": "0x0",
"type": "Network"
},
"channel": "Security",
"event_data": {
"LogonGuid": "{94defd40-a7fa-24ae-36fd-93bb3d0f4696}",
"VirtualAccount": "%%1843",
"ElevatedToken": "%%1843",
"LogonProcessName": "Kerberos",
"LogonType": "3",
"SubjectLogonId": "0x0",
"KeyLength": "0",
"TargetLogonId": "0x1312b4b1",
"TargetLinkedLogonId": "0x0",
"ImpersonationLevel": "%%1833",
"AuthenticationPackageName": "Kerberos"
},
"opcode": "Info",
"version": 2,
"record_id": "3639298",
"event_id": "4624",
"task": "Logon",
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"activity_id": "{87b2c1c0-0ac3-4a3b-990f-aa4a2a53d8f1}",
"provider_name": "Microsoft-Windows-Security-Auditing"
},
"log": {
"level": "information"
},
"elastic_agent": {
"id": "c79d80bc-77fb-4426-a88e-406ec7a928cb",
"version": "9.0.4",
"snapshot": false
},
"source": {
"port": 58108,
"ip": "redacted"
},
"message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Information:\n\tLogon Type:\t\t3\n\tRestricted Admin Mode:\t-\n\tVirtual Account:\t\tNo\n\tElevated Token:\t\tNo\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-4152262007-3599866771-78062822-6185\n\tAccount Name:\t\tredacted\n\tAccount Domain:\t\tredacted\n\tLogon ID:\t\t0x1312B4B1\n\tLinked Logon ID:\t\t0x0\n\tNetwork Account Name:\t-\n\tNetwork Account Domain:\t-\n\tLogon GUID:\t\t{94defd40-a7fa-24ae-36fd-93bb3d0f4696}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\tredacted\n\tSource Port:\t\t58108\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.",
"input": {
"type": "winlog"
},
"@timestamp": "2025-07-30T05:44:24.611Z",
"ecs": {
"version": "8.11.0"
},
"related": {
"ip": [
"redacted"
],
"user": [
"redacted"
]
},
"data_stream": {
"namespace": "default",
"type": "logs",
"dataset": "system.security"
},
"host": {
"hostname": "redacted",
"os": {
"build": "20348.3932",
"kernel": "10.0.20348.3932 (WinBuild.160101.0800)",
"name": "Windows Server 2022 Standard",
"family": "windows",
"type": "windows",
"version": "10.0",
"platform": "windows"
},
"ip": [
"fe80::567e:da0e:1038:debf",
"redacted"
],
"name": "redacted",
"id": "4dbed58c-404f-481c-aaed-0e88b3de3a43",
"mac": [
"00-50-56-88-79-E7"
],
"architecture": "x86_64"
},
"event": {
"agent_id_status": "verified",
"ingested": "2025-07-30T05:44:37Z",
"code": "4624",
"provider": "Microsoft-Windows-Security-Auditing",
"created": "2025-07-30T05:44:25.893Z",
"kind": "event",
"action": "logged-in",
"category": [
"authentication"
],
"type": [
"start"
],
"dataset": "system.security",
"outcome": "success"
},
"user": {
"domain": "redacted",
"name": "redacted",
"id": "S-1-5-21-4152262007-3599866771-78062822-6185"
}
},
"fields": {
"winlog.event_data.AuthenticationPackageName": [
"Kerberos"
],
"elastic_agent.version": [
"9.0.4"
],
"event.category": [
"authentication"
],
"host.os.name.text": [
"Windows Server 2022 Standard"
],
"winlog.provider_guid": [
"{54849625-5478-4994-a5ba-3e3b0328c30d}"
],
"winlog.provider_name": [
"Microsoft-Windows-Security-Auditing"
],
"host.name.text": [
"redacted"
],
"host.hostname": [
"redacted"
],
"process.pid": [
0
],
"winlog.computer_name": [
"redacted.redacted"
],
"host.mac": [
"00-50-56-88-79-E7"
],
"winlog.process.pid": [
816
],
"winlog.event_data.KeyLength": [
"0"
],
"agent.name.text": [
"redacted"
],
"host.os.version": [
"10.0"
],
"winlog.keywords": [
"Audit Success"
],
"winlog.record_id": [
"3639298"
],
"winlog.event_data.VirtualAccount": [
"%%1843"
],
"winlog.logon.id": [
"0x0"
],
"host.os.name": [
"Windows Server 2022 Standard"
],
"log.level": [
"information"
],
"source.ip": [
"redacted"
],
"agent.name": [
"redacted"
],
"host.name": [
"redacted"
],
"event.agent_id_status": [
"verified"
],
"event.kind": [
"event"
],
"winlog.activity_id": [
"{87b2c1c0-0ac3-4a3b-990f-aa4a2a53d8f1}"
],
"event.outcome": [
"success"
],
"winlog.version": [
2
],
"host.os.type": [
"windows"
],
"user.id": [
"S-1-5-21-4152262007-3599866771-78062822-6185"
],
"input.type": [
"winlog"
],
"data_stream.type": [
"logs"
],
"related.user": [
"redacted"
],
"host.architecture": [
"x86_64"
],
"event.provider": [
"Microsoft-Windows-Security-Auditing"
],
"event.code": [
"4624"
],
"agent.id": [
"c79d80bc-77fb-4426-a88e-406ec7a928cb"
],
"source.port": [
58108
],
"ecs.version": [
"8.11.0"
],
"event.created": [
"2025-07-30T05:44:25.893Z"
],
"winlog.event_data.LogonGuid": [
"{94defd40-a7fa-24ae-36fd-93bb3d0f4696}"
],
"agent.version": [
"9.0.4"
],
"host.os.family": [
"windows"
],
"winlog.process.thread.id": [
7152
],
"winlog.event_data.TargetLinkedLogonId": [
"0x0"
],
"user.name": [
"redacted"
],
"winlog.event_data.ElevatedToken": [
"%%1843"
],
"host.os.build": [
"20348.3932"
],
"host.ip": [
"fe80::567e:da0e:1038:debf",
"redacted"
],
"agent.type": [
"filebeat"
],
"event.module": [
"system"
],
"winlog.event_data.SubjectLogonId": [
"0x0"
],
"related.ip": [
"redacted"
],
"winlog.event_data.TargetLogonId": [
"0x1312b4b1"
],
"host.os.kernel": [
"10.0.20348.3932 (WinBuild.160101.0800)"
],
"elastic_agent.snapshot": [
false
],
"user.domain": [
"redacted"
],
"host.id": [
"4dbed58c-404f-481c-aaed-0e88b3de3a43"
],
"winlog.event_data.ImpersonationLevel": [
"%%1833"
],
"winlog.task": [
"Logon"
],
"elastic_agent.id": [
"c79d80bc-77fb-4426-a88e-406ec7a928cb"
],
"data_stream.namespace": [
"default"
],
"winlog.logon.type": [
"Network"
],
"message": [
"An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Information:\n\tLogon Type:\t\t3\n\tRestricted Admin Mode:\t-\n\tVirtual Account:\t\tNo\n\tElevated Token:\t\tNo\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-4152262007-3599866771-78062822-6185\n\tAccount Name:\t\tredacted\n\tAccount Domain:\t\tredacted\n\tLogon ID:\t\t0x1312B4B1\n\tLinked Logon ID:\t\t0x0\n\tNetwork Account Name:\t-\n\tNetwork Account Domain:\t-\n\tLogon GUID:\t\t{94defd40-a7fa-24ae-36fd-93bb3d0f4696}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\tredacted\n\tSource Port:\t\t58108\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
],
"winlog.event_data.LogonProcessName": [
"Kerberos"
],
"winlog.event_id": [
"4624"
],
"event.action": [
"logged-in"
],
"event.ingested": [
"2025-07-30T05:44:37.000Z"
],
"@timestamp": [
"2025-07-30T05:44:24.611Z"
],
"winlog.channel": [
"Security"
],
"winlog.event_data.LogonType": [
"3"
],
"host.os.platform": [
"windows"
],
"data_stream.dataset": [
"system.security"
],
"event.type": [
"start"
],
"winlog.opcode": [
"Info"
],
"agent.ephemeral_id": [
"0a85fabe-5dd0-4fe8-ae42-5af0f254faff"
],
"event.dataset": [
"system.security"
],
"user.name.text": [
"redacted"
]
}
}