Winlogbeat and Windows Event Fowarder (WEF) Wrong Hostname

Hi. Last year, I configured Windows Event Forwarding to send 6 Windows Domain Controllers their Security Logs to a centralized server. The server has WinlogBeat reading the forwarded events, and sending them to Elasticsearch (On the same machine).

The host information being indexed only shows the Centralized log server, not that of the actual DC where the event was pushed from. The correct host is contained in the Winlog.event_data. Is this normal? If not, what do I need to do to fix it?

My Winlogbeat.yml is very basic:

winlogbeat.event_logs:
- name: ForwardedEvents
- name: Application

Thanks,
J

The latest version of Winlogbeat uses the event log's computer_name value in the host.name field. Try the latest release.

• https://github.com/elastic/beats/pull/14625
• https://github.com/elastic/beats/issues/13706

Thank you, that worked!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.