1. Describe your incident:
I started my Graylog server and configured and ran Winlogbeat. In Graylog I see the flows from my Windows computer, but I have for example:
account name: %1
domain name: %2
logon type: %9, etc.
For example, on Windows %1 is Computer1, domain name is testDomian, etc.
2. describe your environment:
- Package version:
3. what steps have you already taken to solve the problem?
4. how can the community help?
How do I configure Winlogbeat, OpenSearch or Graylog to get correct values for Windows events?
What version of Winlogbeat and Windows are you using? The reason I am asking is there have been some known issues on very new versions of Windows.
Windows 11 22H2 (22621.1265)
- name: Application
- name: Security
- name: System
- name: Windows PowerShell
You most likely have unfortunately hit a known Winlogbeat bug: Winlogbeat sending winevt with '%' variables and not the replacement values on Win11 22H2 · Issue #33966 · elastic/beats · GitHub
I don't know of any known workarounds as of yet, as the issue is happening on the client side.
Oh, and on top of that, Winlogbeat 7 is not officially supported on Windows 11 and Server 2022. Support Matrix | Elastic
Thank you for the help!
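Before deciding whether a Winlogbeat upgrade or client-side change is needed, it helps to measure how many ingested events actually carry unrendered `%N` insertion strings in their message text. The script below is an added example written for this thread, not code from the original posts or from the Winlogbeat project. It assumes Winlogbeat's JSON layout (rendered text in `message`, structured fields under `winlog.channel`, `winlog.event_id` and `winlog.event_data`); the sample events are constructed to mirror the symptom described above, with one healthy event for comparison.

```python
import json
import re
from typing import Any, Dict, Iterable, List, Tuple

# Insertion-string placeholders (%1, %2, %9 ...) that the Windows event log
# normally substitutes with values when the message template is rendered.
PLACEHOLDER = re.compile(r"%(\d+)\b")

# Constructed sample events shaped like Winlogbeat JSON output (assumption:
# field names follow Winlogbeat's ECS layout). Event 0 and 2 show the bug,
# event 1 is a correctly rendered 4624 for comparison.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {
        "winlog": {
            "channel": "Security",
            "event_id": 4624,
            "event_data": {
                "TargetUserName": "Computer1$",
                "TargetDomainName": "testDomian",
                "LogonType": "3",
            },
        },
        "message": "An account was successfully logged on.\n\n"
                   "Account Name: %1\nAccount Domain: %2\nLogon Type: %9",
    },
    {
        "winlog": {
            "channel": "Security",
            "event_id": 4624,
            "event_data": {
                "TargetUserName": "Computer1$",
                "TargetDomainName": "testDomian",
                "LogonType": "3",
            },
        },
        "message": "An account was successfully logged on.\n\n"
                   "Account Name: Computer1$\nAccount Domain: testDomian\nLogon Type: 3",
    },
    {
        "winlog": {
            "channel": "System",
            "event_id": 7036,
            "event_data": {"param1": "Windows Update", "param2": "running"},
        },
        "message": "The %1 service entered the %2 state.",
    },
]


def unresolved_placeholders(event: Dict[str, Any]) -> List[int]:
    """Return the sorted, de-duplicated placeholder numbers left in the message."""
    found = PLACEHOLDER.findall(event.get("message", "") or "")
    return sorted({int(n) for n in found})


def audit_events(events: Iterable[Dict[str, Any]]) -> Dict[Tuple[str, int], Dict[str, int]]:
    """Count total and unrendered events per (channel, event_id)."""
    summary: Dict[Tuple[str, int], Dict[str, int]] = {}
    for ev in events:
        winlog = ev.get("winlog", {})
        key = (str(winlog.get("channel", "?")), int(winlog.get("event_id", 0)))
        entry = summary.setdefault(key, {"total": 0, "unrendered": 0})
        entry["total"] += 1
        if unresolved_placeholders(ev):
            entry["unrendered"] += 1
    return summary


def audit_ndjson(text: str) -> Dict[Tuple[str, int], Dict[str, int]]:
    """Audit newline-delimited JSON, e.g. a Winlogbeat file output or an export."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return audit_events(events)


if __name__ == "__main__":
    for (channel, event_id), counts in sorted(audit_events(SAMPLE_EVENTS).items()):
        print(f"{channel}/{event_id}: {counts['unrendered']} of {counts['total']} unrendered")
```

Because the structured `winlog.event_data.*` fields in the constructed samples are intact even where the message is not, a Graylog dashboard or alert built on those fields (for example `TargetUserName` and `LogonType` for event 4624) is not affected by the unrendered text; verify against your own events before relying on that.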