Winlogbeat 7.5.2 no data in discovery?

Hi All,
I just set up winlogbeat on a domain controller to check for failed AD logins.
I am wondering, that I have really many documents in my discovery, but all of them are "empty". On the other side, in SIEM I can see the data. Is this normal? And if yes, how can I avoid it? Many empty documents in discovery are not really useful imho :)

My winlogbeat config:
I have my own ILM and already imported the template manually, so this is disabled. I am also wondering that there seem to be no ingest pipelines which can be imported.

```yaml
winlogbeat.event_logs:
  #- name: Application
  #  ignore_older: 72h

  #- name: System

  - name: Security
    ignore_older: 48h
    processors:
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js

  #- name: Microsoft-Windows-Sysmon/Operational
  #  processors:
  #    - script:
  #        lang: javascript
  #        id: sysmon
  #        file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

#-------------------------- Elasticsearch output -------------------------------
output.elasticsearch:
  hosts: ["hot1:9200","hot2:9200"]
  compression_level: 9
  username: "beats"
  password: "xxx"
  worker: 2

setup.dashboards.enabled: false
setup.template.enabled: false
setup.ilm.enabled: false
logging.to_files: true
monitoring.enabled: true
```

Cheers,
Marcus

I fixed it. Seems there was a problem with the template. Now the fields are shown.

I think I am also facing this issue. Did you get any proper solution?

telldunkin
