Winlogbeat and Windows Event Fowarder (WEF) Wrong Hostname

SeekAndDestroy · February 11, 2020, 3:54pm

Hi. Last year, I configured Windows Event Forwarding to send 6 Windows Domain Controllers their Security Logs to a centralized server. The server has WinlogBeat reading the forwarded events, and sending them to Elasticsearch (On the same machine).

The host information being indexed only shows the Centralized log server, not that of the actual DC where the event was pushed from. The correct host is contained in the Winlog.event_data. Is this normal? If not, what do I need to do to fix it?

My Winlogbeat.yml is very basic:

winlogbeat.event_logs:
- name: ForwardedEvents
- name: Application

Thanks,
J

andrewkroh · February 18, 2020, 2:43pm

The latest version of Winlogbeat uses the event log's computer_name value in the host.name field. Try the latest release.

SeekAndDestroy · February 18, 2020, 2:56pm

Thank you, that worked!

system · March 17, 2020, 2:56pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Migrating Winlogbeat to Elastic Agent (WEF/WEC) Elastic Agent winlogbeat	0	41	August 21, 2024
Winlogbeat running on Windows Event Collector - logs use the collector name instead of log sources Beats winlogbeat	8	1318	January 15, 2018
Unable to ship logs using Winlogbeat due to poor Windows API Performance Beats winlogbeat	1	198	February 7, 2024
Winlogbeat 8.8.2 is not sending events to any pipeline Beats winlogbeat	2	317	August 23, 2023
Missed Events Beats winlogbeat	1	378	January 4, 2023

Winlogbeat and Windows Event Fowarder (WEF) Wrong Hostname

Related Topics