Winlogbeat 7.4.0 is occasionally producing this:
"date_partition": {
"day": "05",
"month": "12",
"year": "2019"
},
"@version": "1",
"log": {
"level": "information"
},
"winlog": {
"computer_name": "Server2106.acme.local",
"api": "wineventlog",
"activity_id": "{519A1A6E-AAF4-0000-871A-9A51F4AAD501}",
"provider_name": "Microsoft-Windows-Directory-Services-SAM",
"user": {
"identifier": "S-1-5-18",
"domain": "NT AUTHORITY",
"name": "SYSTEM",
"type": "User"
},
"task": "",
"process": {
"pid": 580,
"thread": {
"id": 584
}
},
"event_data": {
"Default SD String:": "O:SYG:SYD:(A;;RC;;;BA)"
},
.....
Notice the event_data field. It appears to be identifying "Default SD String" as a field with a corresponding value. This seems incorrect because 1) "Default SD String" is not a valid ECS field and 2) it has spaces in it. This is causing me problems on the elastic side.
Does any one have any ideas, solutions?