Winlogbeat timestamp different with event create time

Elastic Stack Beats
1

Dears

I got a very strange problem. We installed winlogbeat v7.2 and directly shipped windows event log to ES, configurations about winlogbeat as below:

  • name: Security
    ignore_older: 24h
  • name: Microsoft-Windows-NTLM/Operational
    ignore_older: 24h
The logs shipped to ES but for Winlogbeat security channel ,the @timestamp was before the actually event create time ,however the  @timestamp of Microsoft-Windows-NTLM/Operational was correct.
 Outputs from ES as below:
 1.for security channel:

image
image750×487 27.6 KB

2.for NTLM channel:
image
image768×490 27.3 KB 

Can someone else help me . This issue make me crazy....
2

@timestamp is the original event log timestamp. event.created is when Winlogbeat generated the document it sends to Elasticsearch.

Elastic Common Schema (ECS) describes the relationship between the timestamps (event.ingested isn't populated out-of-the-box by Winlogbeat.)

In normal conditions, assuming no tampering, the timestamps should chronologically look like this: @timestamp < event.created < event.ingested .

3

Thanks, Andrew
After investigating the originally events on windows server , seems the winlogbeat agent can't handle the events timely.
May i know how to speed up the winlogbeat handling performance in order to decrease the time difference.

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.