Winlogbeat timestamp different with event create time

Jacky1 · July 8, 2021, 9:28am

Dears

I got a very strange problem. We installed winlogbeat v7.2 and directly shipped windows event log to ES, configurations about winlogbeat as below:

name: Security
ignore_older: 24h
name: Microsoft-Windows-NTLM/Operational
ignore_older: 24h

The logs shipped to ES but for Winlogbeat security channel ,the @timestamp was before the actually event create time ,however the  @timestamp of Microsoft-Windows-NTLM/Operational was correct.
 Outputs from ES as below:
 1.for security channel:

2.for NTLM channel:

Can someone else help me . This issue make me crazy....

andrewkroh · July 8, 2021, 11:37am

@timestamp is the original event log timestamp. event.created is when Winlogbeat generated the document it sends to Elasticsearch.

Elastic Common Schema (ECS) describes the relationship between the timestamps (event.ingested isn't populated out-of-the-box by Winlogbeat.)

In normal conditions, assuming no tampering, the timestamps should chronologically look like this: @timestamp < event.created < event.ingested .

Jacky1 · July 9, 2021, 3:38am

Thanks, Andrew
After investigating the originally events on windows server , seems the winlogbeat agent can't handle the events timely.
May i know how to speed up the winlogbeat handling performance in order to decrease the time difference.

system · August 6, 2021, 5:39am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.