Hi,
Until now I have been using winlogbeat 7.X; I tried winlogbeat 8.6.1, but the agent does not parse/populate the process.XXX fields anymore, it only uses fields in winlog.event_data.XXX instead. Is there any easy, obvious solution, instead of parsing this via Logstash, to have both winlog.event_data.Image and process.executable populated? (Maybe only the process.XXX fields will be enough.) The config is pretty basic; the only processor used is one to drop some events. Thanks.
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: System
  - name: Security
  - name: Microsoft-Windows-Sysmon/Operational
  - name: Windows PowerShell
    event_id: 400, 403, 600, 800
  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106
  - name: ForwardedEvents
    tags: [forwarded]
PS: in winlogbeat 7, processors were used that probably did what I have in mind; in the config they were referenced as:
  - name: Security
    ignore_older: 72h
    processors:
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js
but in 8 they are replaced by:
${path.home}/module/security/ingest/winlogbeat.yml
Much love,
SS
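As an added example (not part of the post above, and not Elastic's own documentation): in Winlogbeat 8 the JavaScript processors the poster mentions were replaced by Elasticsearch ingest pipelines, which is why the ECS fields such as process.executable are produced on the Elasticsearch side rather than by the agent. The PowerShell below loads those pipelines with `winlogbeat setup --pipelines` and then checks that the module pipelines exist and that indexed events carry process.executable. The install path, Elasticsearch URL, user and password are hypothetical; the pipeline naming pattern `winlogbeat-<version>-<module>` is assumed and is only used as a wildcard to list what setup created.

```powershell
# Added example; assumes Winlogbeat 8.6.1 installed under $WinlogbeatHome and an
# Elasticsearch reachable at $EsUrl with basic-auth credentials (all hypothetical).
$WinlogbeatHome = 'C:\Program Files\Winlogbeat'
$EsUrl          = 'https://es.example.internal:9200'
$EsUser         = 'winlogbeat_setup'
$EsPass         = 'change-me'   # hypothetical; in practice read from a vault

Set-Location $WinlogbeatHome

# 1. Load the module ingest pipelines (module/*/ingest/*.yml) into Elasticsearch.
#    The -E overrides make setup talk to Elasticsearch directly even if
#    winlogbeat.yml is configured with a Logstash output.
.\winlogbeat.exe setup --pipelines `
    -E 'output.logstash.enabled=false' `
    -E "output.elasticsearch.hosts=['$EsUrl']" `
    -E "output.elasticsearch.username=$EsUser" `
    -E "output.elasticsearch.password=$EsPass"
if ($LASTEXITCODE -ne 0) { throw "winlogbeat setup --pipelines failed with exit code $LASTEXITCODE" }

# Basic-auth header built by hand so this works on Windows PowerShell 5.1 as well as 7.x
$auth    = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("${EsUser}:${EsPass}"))
$headers = @{ Authorization = "Basic $auth" }

# 2. List the pipelines setup created (name pattern winlogbeat-<version>-<module> assumed).
$pipelines = Invoke-RestMethod -Uri "$EsUrl/_ingest/pipeline/winlogbeat-8.6.1-*" -Headers $headers
Write-Host 'Loaded pipelines:'
$pipelines.PSObject.Properties.Name | ForEach-Object { Write-Host "  $_" }

# 3. Confirm that recently indexed events actually have process.executable set.
#    If this returns nothing while winlog.event_data.Image is present, events are
#    reaching Elasticsearch without passing through the module pipeline.
$query = @'
{
  "size": 3,
  "_source": ["@timestamp", "winlog.channel", "winlog.event_id", "process.executable"],
  "query": { "exists": { "field": "process.executable" } },
  "sort": [ { "@timestamp": "desc" } ]
}
'@
$result = Invoke-RestMethod -Method Post -Uri "$EsUrl/winlogbeat-*/_search" `
    -Headers $headers -ContentType 'application/json' -Body $query
foreach ($hit in $result.hits.hits) {
    $s = $hit._source
    Write-Host ("{0} {1} {2} -> {3}" -f $s.'@timestamp', $s.winlog.channel, $s.winlog.event_id, $s.process.executable)
}
```

If events go through Logstash rather than straight to Elasticsearch, loading the pipelines is not enough on its own: the Logstash `elasticsearch` output also has to forward the pipeline name Winlogbeat attaches to each event, i.e. set `pipeline => "%{[@metadata][pipeline]}"` in that output, otherwise the documents are indexed without the module processing and only the raw winlog.event_data.* fields appear.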