Winlogbeat read Windows Event id 4732 but not Member Security ID?

We have noticed that the Winlogbeat agent will read and ship up the event id 4732 (User added to local Security Group) but we noticed that it is missing the Member Security ID (which is the user that is getting added). In the Windows Event Log, we can see the Member - Security ID is cleartext but when ingesting into logstash we have the SID GUID instead.

Any way we can get the name instead of the SID?


On your event, could you click on Details > XML View.
What do you see for the mentioned field SID or name ?

What you see in the Event Viewer is not what is really shipped. this MMC likes to translate a lot of things to be more human readable, like SIDs -> Samaccountname...
The XML view is the real content of an event.

You can use the translate_sid processor.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.