The logs were shipped to ES, but for the Winlogbeat Security channel, the @timestamp was before the actual event create time; however, the @timestamp of Microsoft-Windows-NTLM/Operational was correct.
Outputs from ES are as below:
1. For the Security channel:
Thanks, Andrew
After investigating the original events on the Windows server, it seems the Winlogbeat agent can't handle the events in a timely manner.
May I know how to speed up the Winlogbeat handling performance in order to decrease the time difference?