Can someone tell me the best way to troubleshoot missing windows events from winlogbeat in elastic. We are using WEC to get events to a central collector. That collector is running winlogbeat to send to logstash and then elastic. We have noticed that we are missing events. For example, we see some 4728 (group change) events but not all. Thanks for any help.
1 Like
Do you see any helpful messages on the endpoint in the C:\programdata\winlogbeat folder?
Thanks @mgotechlock . I did check the logs and only found successful publish events. Which starts to make me think that the bottleneck might be the actual Windows Server doing the collecting. If anyone else has troubleshot dropped events with a Windows Event Forwarding (WEF) configuration, I should would appreciate the guidance. Thanks!
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.