Winlogbeat sends %1 instead of values from Windows events

1. Describe your incident:
I started my Graylog server and configured and ran Winlogbeat. In Graylog I see the flows from my Windows computer, but I get, for example:
account name: %1
domain name: %2
logon type: %9, etc.
On Windows, for example, %1 is Computer1, the domain name is testDomian, etc.

2. Describe your environment:
OS Information:
Ubuntu 22.04

  • Package version:
    Graylog v5.0.3
    Opensearch

3. What steps have you already taken to solve the problem?

4. How can the community help?
How do I configure Winlogbeat, OpenSearch or Graylog to get the correct values for Windows events?

What version of Winlogbeat and Windows are you using? The reason I am asking is that there have been some known issues on very new versions of Windows.

Windows 11 22H2 (22621.1265)
Winlogbeat 7.17.9
Winlogbeat configuration:

# Ship to Graylog's Beats input (Logstash/Lumberjack protocol)
output.logstash:
  hosts: ["ip:5044"]

# Channels to collect; ignore_older skips events older than 7 days on first run
winlogbeat.event_logs:
  - name: Application
    ignore_older: 168h
  - name: Security
    ignore_older: 168h
  - name: System
    ignore_older: 168h
  - name: Windows PowerShell
    ignore_older: 168h

You have most likely, unfortunately, hit a known Winlogbeat bug: Winlogbeat sending winevt with '%' variables and not the replacement values on Win11 22H2 · Issue #33966 · elastic/beats · GitHub

I don't know of any known workarounds as of yet, as the issue is happening on the client side.

Oh, and on top of that, Winlogbeat 7 is not officially supported on Windows 11 and Server 2022. Support Matrix | Elastic

1 Like
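A quick way to confirm the symptom before blaming the Graylog side, added here as an example and not code from this thread, from Elastic or from Graylog: a Python script that scans Winlogbeat-style NDJSON events (for example a capture written with Winlogbeat's file output) and reports any rendered field that still carries unresolved %N insertion-string placeholders. The sample events are constructed; the field names follow Winlogbeat's ECS layout (message, winlog.event_id, winlog.computer_name), and the script is not tied to the specific bug report above.

```python
"""Flag Winlogbeat events whose rendered text still contains %N placeholders.

Added example, not from the thread, Elastic or Graylog. SAMPLE_EVENTS are
constructed to mimic Winlogbeat 7.x JSON output; the values are made up.
"""
import json
import re

# Windows message templates use %1, %2, ... as insertion-string slots; a
# correctly rendered event no longer contains them. "%%1053"-style parameter
# references and plain percentages ("100%") are not placeholders, so the
# lookbehind and the \d+\b requirement keep them out of the match.
PLACEHOLDER = re.compile(r"(?<!%)%\d+\b")

# Constructed sample events: one rendered correctly, one showing the symptom,
# two with legitimate '%' characters that must not be reported.
SAMPLE_EVENTS = [
    {
        "message": "An account was successfully logged on.\n\nSubject:\n"
                   "\tAccount Name:\t\tCOMPUTER1$\n\tAccount Domain:\t\tTESTDOMAIN\n"
                   "\nLogon Type:\t\t5",
        "winlog": {"event_id": 4624, "computer_name": "COMPUTER1",
                   "event_data": {"TargetUserName": "COMPUTER1$",
                                  "TargetDomainName": "TESTDOMAIN",
                                  "LogonType": "5"}},
    },
    {
        "message": "An account was successfully logged on.\n\nSubject:\n"
                   "\tAccount Name:\t\t%1\n\tAccount Domain:\t\t%2\n"
                   "\nLogon Type:\t\t%9",
        "winlog": {"event_id": 4624, "computer_name": "COMPUTER1"},
    },
    {
        "message": "The Example service terminated with the following error: %%1053",
        "winlog": {"event_id": 7009, "computer_name": "COMPUTER1"},
    },
    {
        "message": "Backup volume is at 100% capacity.",
        "winlog": {"event_id": 1000, "computer_name": "COMPUTER1"},
    },
]
# NDJSON as Beats emit it: one JSON object per line.
SAMPLE_NDJSON = "\n".join(json.dumps(ev) for ev in SAMPLE_EVENTS)


def _walk_strings(value, path=""):
    """Yield (dotted_path, string) for every string anywhere in the event."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from _walk_strings(child, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for idx, child in enumerate(value):
            yield from _walk_strings(child, f"{path}[{idx}]")
    elif isinstance(value, str):
        yield path, value


def unresolved_placeholders(event):
    """Return {field_path: [placeholders]} for fields still holding %N tokens."""
    hits = {}
    for path, text in _walk_strings(event):
        found = set(PLACEHOLDER.findall(text))
        if found:
            hits[path] = sorted(found, key=lambda tok: int(tok[1:]))
    return hits


def audit(ndjson_lines):
    """Parse NDJSON lines and return (event_id, computer_name, hits) per affected event."""
    affected = []
    for line in ndjson_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        hits = unresolved_placeholders(event)
        if hits:
            winlog = event.get("winlog", {})
            affected.append((winlog.get("event_id"), winlog.get("computer_name"), hits))
    return affected


if __name__ == "__main__":
    for event_id, computer, hits in audit(SAMPLE_NDJSON.splitlines()):
        print(f"event {event_id} from {computer}: unresolved placeholders in {hits}")
```

If the script reports hits on a file written directly by Winlogbeat on the affected host, the placeholders are already present before the events reach Graylog, which matches the client-side diagnosis in the reply above; if the file is clean but Graylog still shows %1, the problem is somewhere in the ingest path instead.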

Thank you for the help!
Topic closed.
