Winlogbeat for windows 10

Hello. Why are the log results with Winlogbeat 7.2 different between Windows 10 1803 (which does not have a Windows event ID) and Windows 10 1903 (which has a Windows event ID like 4624, 4800)? The configuration is the same on both systems. Thanks

Can you share your configuration please?

Winlogbeat uses system libraries to query the logs. I wonder if there is a difference/bug with Windows itself.

Hello Miran, I tried to repro the issue with the latest Winlogbeat and ES available on the downloads page. I see event IDs. I set up two VMs with Windows 10 1803 April and May updates; they talk to a local ES node. I let it run for a bit while running the query below every now and then. I'm afraid we'll need more information to diagnose this.

    curl -sSL -XGET -H "content-type: application/json" \
        http://192.168.132.1:9200/_search?size=9999 -d @esq2 \
        | jq '.hits.total'

file esq2:

    {
      "query": {
        "bool": {
          "must_not": {
            "exists": {
              "field": "winlog.event_id"
            }
          }
        }
      }
    }

Response body:

{
  "value": 0,
  "relation": "eq"
}
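The same check the reply above runs against Elasticsearch, carried out offline as an added example (this is not code from the thread or from the Winlogbeat project). It builds the same `must_not`/`exists` query body as the `esq2` file, applies the equivalent "field is missing or null" test to a handful of constructed Winlogbeat-style documents so you can see which host's events would be returned, and parses the 7.x `hits.total` object (`value` plus `relation`) that `jq` prints in the reply. Host names, timestamps and document contents are made up for the example.

```python
"""Offline check for Winlogbeat events that lack winlog.event_id.

Added example, not from the original thread. Sample documents are
constructed to look like Winlogbeat 7.x output; the host names and
timestamps are invented for illustration.
"""
import json

# Constructed sample documents: two from a host that emits event IDs,
# two from a host whose documents have the field missing or null.
SAMPLE_EVENTS = [
    {"@timestamp": "2019-07-01T10:00:00Z", "host": {"name": "win10-1903"},
     "winlog": {"event_id": 4624, "channel": "Security"}},
    {"@timestamp": "2019-07-01T10:00:01Z", "host": {"name": "win10-1903"},
     "winlog": {"event_id": 4800, "channel": "Security"}},
    {"@timestamp": "2019-07-01T10:00:02Z", "host": {"name": "win10-1803"},
     "winlog": {"channel": "Security"}},                      # field absent
    {"@timestamp": "2019-07-01T10:00:03Z", "host": {"name": "win10-1803"},
     "winlog": {"event_id": None, "channel": "System"}},      # field null
]


def missing_event_id_query():
    """Query body equivalent to the reply's esq2 file."""
    return {"query": {"bool": {"must_not": {
        "exists": {"field": "winlog.event_id"}}}}}


def get_path(doc, dotted):
    """Resolve a dotted field name ("winlog.event_id") in a nested dict."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def exists(doc, field):
    """Approximate the Elasticsearch exists query: missing, null, empty
    string and empty array all count as the field not existing."""
    value = get_path(doc, field)
    return value is not None and value != "" and value != []


def events_missing_event_id(events):
    """Documents the must_not/exists query would return."""
    return [e for e in events if not exists(e, "winlog.event_id")]


def count_missing_by_host(events):
    """Group the hits by host.name so the offending system stands out."""
    counts = {}
    for event in events_missing_event_id(events):
        host = get_path(event, "host.name") or "<unknown>"
        counts[host] = counts.get(host, 0) + 1
    return counts


def parse_hits_total(total):
    """Return (count, exact). ES 7.x reports hits.total as
    {"value": n, "relation": "eq"|"gte"}; older versions returned an int.
    relation "gte" means the count was capped and is a lower bound."""
    if isinstance(total, int):
        return total, True
    return int(total["value"]), total.get("relation", "eq") == "eq"


if __name__ == "__main__":
    print(json.dumps(missing_event_id_query()))
    print(count_missing_by_host(SAMPLE_EVENTS))
    # The response body shown in the reply: zero hits, exact count.
    print(parse_hits_total({"value": 0, "relation": "eq"}))
```

When you run the real query, a `relation` of `gte` means Elasticsearch stopped counting at its track_total_hits limit, so the number is a floor rather than the exact count; the `size=9999` in the reply's curl command only bounds how many documents come back, not the total.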
