Winlogbeat and Windows Event Fowarder (WEF) Wrong Hostname

SeekAndDestroy · February 11, 2020, 3:54pm

Hi. Last year, I configured Windows Event Forwarding to send 6 Windows Domain Controllers their Security Logs to a centralized server. The server has WinlogBeat reading the forwarded events, and sending them to Elasticsearch (On the same machine).

The host information being indexed only shows the Centralized log server, not that of the actual DC where the event was pushed from. The correct host is contained in the Winlog.event_data. Is this normal? If not, what do I need to do to fix it?

My Winlogbeat.yml is very basic:

winlogbeat.event_logs:
- name: ForwardedEvents
- name: Application

Thanks,
J

andrewkroh · February 18, 2020, 2:43pm

The latest version of Winlogbeat uses the event log's computer_name value in the host.name field. Try the latest release.

SeekAndDestroy · February 18, 2020, 2:56pm

Thank you, that worked!

system · March 17, 2020, 2:56pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Migrating Winlogbeat to Elastic Agent (WEF/WEC) Elastic Agent winlogbeat	0	49	August 21, 2024
Winlogbeat performance issue Beats winlogbeat	5	1680	August 31, 2018
Winlogbeat running on Windows Event Collector - logs use the collector name instead of log sources Beats winlogbeat	8	1321	January 15, 2018
Winlogbeat does not write specific eventlog status in registry file Beats winlogbeat	8	938	July 16, 2018
Duplicate entries with Winlogbeat with WEF Beats winlogbeat	4	1124	June 10, 2020

Winlogbeat and Windows Event Fowarder (WEF) Wrong Hostname

Related topics