I'm analizing windows event logs comming from a winlogbeat 7.2.
When looking in the logoff event (id 4634) I see that the field user.name does not exists
The field winlog.event_data.TargetUserName has the proper username (I've checked correlating LogonID from events 4624 and 4634).
As far as I can see, all security events are treated by the processor:
- name: Security
Looking into C:\Program Files\winlogbeat\module\security\config\winlogbeat-security.js I found that the winlog.event_data.TargetUserName is copied to user.name.. so I don't understand why user.name does not exists
(below the example)
Thank you very much in advance