Winlogbeat 7.5.2 no data in discovery?

Hi All,
I just set up winlogbeat on a domain controller to check for failed AD logins.
I am wondering, that I have really many documents in my discovery, but all of them are "empty". On the other side, in SIEM I can see the data. Is this normal? And if yes, how can I avoid it? Many emtpy documents in discovery are not really usefull imho :slight_smile:

My winlogbeat config:
I have my own ILM and already imported the template manually, so this is disabled. I am also wondering, that there seems to be no ingest pipelines, which can be imported.

  #- name: Application
  #  ignore_older: 72h

  #- name: System

  - name: Security
    ignore_older: 48h
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js

  #- name: Microsoft-Windows-Sysmon/Operational
  #  processors:
  #    - script:
  #        lang: javascript
  #        id: sysmon
  #        file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

#-------------------------- Elasticsearch output -------------------------------
  hosts: ["hot1:9200","hot2:9200"]
  compression_level: 9
  username: "beats"
  password: "xxx"
  worker: 2

setup.dashboards.enabled: false
setup.template.enabled: false
setup.ilm.enabled: false
logging.to_files: true
monitoring.enabled: true


I fixed it. Seems there was a problem with the template. Now the fields are shown

I think I am also facing this issue. Did you get any proper solution?


This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.