Hi. Last year, I configured Windows Event Forwarding to have 6 Windows Domain Controllers send their Security logs to a centralized server. The server has Winlogbeat reading the forwarded events and sending them to Elasticsearch (on the same machine).
The host information being indexed only shows the centralized log server, not the actual DC the event was pushed from. The correct host is contained in winlog.event_data. Is this normal? If not, what do I need to do to fix it?
My winlogbeat.yml is very basic:

    winlogbeat.event_logs:
      # Events collected from the DCs via Windows Event Forwarding
      - name: ForwardedEvents
      # The collector's own Application log
      - name: Application
Thanks,
J
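An added example (my own, not J's file and not the Elastic project's shipped default config) of how the collector's winlogbeat.yml can attribute each forwarded event to the DC that generated it rather than to the Windows Event Collector. It assumes Winlogbeat 7.x field names, where the originating computer is carried in `winlog.computer_name` and `host.name` is filled in by Winlogbeat with the collector's own hostname; the `tags: [forwarded]` marker, the `when.*.contains.tags` conditions, the script processor and the local Elasticsearch output are choices made for this example, not anything taken from the post.

```yaml
# Added example, not the poster's config. Winlogbeat 7.x field names assumed.
winlogbeat.event_logs:
  - name: ForwardedEvents
    # The DCs ship pre-rendered events. forwarded: true is already the default
    # for a log named ForwardedEvents; it is spelled out here for clarity.
    forwarded: true
    # Tag forwarded events so the processors below can tell them apart from
    # logs that belong to the collector itself.
    tags: [forwarded]
  - name: Application

processors:
  # Enrich host.* with the collector's own OS/IP metadata only for its local
  # logs; doing this for forwarded events would stamp every DC event with the
  # collector's details.
  - add_host_metadata:
      when.not.contains.tags: forwarded
  # For forwarded events, overwrite host.name with the originating computer
  # name (winlog.computer_name, assumed field name) so dashboards, rules and
  # per-host queries attribute the event to the DC, not to the WEC server.
  - script:
      when.contains.tags: forwarded
      lang: javascript
      source: >
        function process(event) {
          var origin = event.Get("winlog.computer_name");
          if (origin) {
            event.Put("host.name", origin);
          }
        }

# Assumed output, matching the post's description of a local Elasticsearch.
output.elasticsearch:
  hosts: ["localhost:9200"]
```

After applying this, check a sample event from each DC in Kibana or with a query on `host.name`: the value should now be the DC's computer name, while events from the collector's own Application log still carry the collector's hostname. A practical caveat: any saved searches or detection rules written against `host.name` before the change will have been matching the collector's name for all six DCs, so review them once the field is corrected.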