Windows events forwards to log insight does not work, incomplete or wrong log

Hi! I'm trying to send windows logs with LA agent from WEC - (windows events collector) to loginsight. (by centralized logs windows)

A bug happens where loginsight does not show the contents of the logs, it shows errors, as if REGEX was applied incorrectly.

The windows logs that arrive at the wrong "loginsight" are all that contain the message "The description for Event ID XXXX from source Microsoft-Windows-Security-Auditing cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. If the event originated on another computer, the display information had to be saved with the event."

my ELK read the same logs correctly, this problem is only with loginsight.

I believe it is permission in the logs, because when I send logs originating from the collector (logged in with permission) the windows log shows correct and consequently arrives correct in loginsight, the problem is when using the log signature with collection at the source.


Labels (1)
Tags (1)
0 Kudos
0 Replies