Hello everyone, I'mtrying to fill my Elastic SIEM with data, but it seems like Winlogbeat is not shipping logs in full ECS. For example, authentications wiget is empty: [изображение] And it is formed by such default request: { "aggregations": { "eventActionGroup": { "terms": { …

Hi This is interesting. For 7.9.0 I would expect the event section to look like this for a 4624: "event": { "action": "logged-in", "category": "authentication", "code": 4624, "kind": "event", "module": "security", "outcome": "success", "provider": "Micros…

Winlogbeat 7.9 not shipping logs in full ECS?

Elastic Security SIEM

MartinL September 24, 2020, 11:28am 5

Hi again, nevermind my last post. I found an answer to my issues (which was exactly the same as yours) in this post.

(ELK 7.9.1) Security - Hosts and Security - Network missing data

Topic		Replies	Views
SIEM doesn't show any Winlogbeat events, despite ES receiving them SIEM	12	3480	May 8, 2020
Winlogbeat event.type has 0 records Beats	1	248	March 24, 2020
Populating SIEM SIEM	2	422	August 12, 2020
Active Directory logs and mapping to ECS (I am stumped) SIEM ecs-elastic-common-schema	7	7942	November 11, 2019
Winlogbeat logs only show that it is 6kb Beats winlogbeat	9	359	April 13, 2023

Winlogbeat 7.9 not shipping logs in full ECS?

(ELK 7.9.1) Security - Hosts and Security - Network missing data

Related Topics