Windows Event Logs (including Sysmon, which is where we initially spotted this) that are ingested through Winlogbeat record the host name of the sending host as winlog.computer_name. But if they're sent via Wazuh, it's recorded as winlog.computer instead. Which isn't a big deal if your environment isn't mixing-and-matching log transports, but it's coming up now because the new Sysmon dashboards are configured to use winlog.computer_name and so they're not showing anything for environments forwarding the events via Wazuh. I've confirmed the behavior on my test machines.
After discussion with Josh B and Wes, it looks like host.name is also being set incorrectly (should be Windows endpoint agent name, instead it's the name of the receiving SO instance) and Josh thinks this is the root of the problem.
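One way to check a batch of events for the mismatch reported above, as an added example that is not part of the original issue or of the project's own code. The field names `winlog.computer_name`, `winlog.computer` and `host.name` are taken from the issue; the nested event layout, the receiver name and the sample events are constructed assumptions.

```python
import copy

# Field names winlog.computer_name, winlog.computer and host.name come from the
# issue; the event layout and the receiver name below are constructed assumptions.
RECEIVER_NAME = "so-receiver"  # constructed name of the receiving SO instance


def get_path(event, dotted):
    """Return the value at a dotted path in a nested dict, or None if absent."""
    node = event
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def normalize(event, receiver_name=RECEIVER_NAME):
    """Return (copy of event with winlog.computer_name filled in, findings)."""
    out = copy.deepcopy(event)  # leave the caller's event untouched
    findings = []
    name = get_path(out, "winlog.computer_name")
    if name is None:
        name = get_path(out, "winlog.computer")
        if name is None:
            findings.append("no sending-host field under winlog")
        else:
            # Dashboards keyed on winlog.computer_name can now match this event.
            out["winlog"]["computer_name"] = name
            findings.append("winlog.computer copied to winlog.computer_name")
    host = get_path(out, "host.name")
    if isinstance(host, str) and host.lower() == receiver_name.lower():
        findings.append("host.name is the receiving instance, not the endpoint")
    return out, findings


# Constructed sample events, one per transport described in the issue.
WAZUH_EVENT = {"winlog": {"computer": "WIN10-01.example.test"},
               "host": {"name": "so-receiver"}}
WINLOGBEAT_EVENT = {"winlog": {"computer_name": "WIN10-02.example.test"},
                    "host": {"name": "WIN10-02"}}

if __name__ == "__main__":
    for label, ev in (("wazuh", WAZUH_EVENT), ("winlogbeat", WINLOGBEAT_EVENT)):
        fixed, notes = normalize(ev)
        print(label, get_path(fixed, "winlog.computer_name"), notes)
```

The function only flags `host.name` and does not rewrite it, because the issue does not say which field carries the endpoint agent name.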