Using Windows Event Forwarded logs

Hi. I have gotten DNIF up and running and am exploring the product, but I have some issues using WEF logs (ingesting them).
All events are treated as if they originate from the WEF server, not the actual server which is forwarding the logs.
I assume that an extraction policy should be in place for this? Can you point me in the direction of modifying the winlogbeat extraction to correctly extract the fields from forwarded events?
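The mismatch described above (the collector's name replacing the source host) arises because the originating machine is only named inside the event record itself, in its System/Computer element, while the shipper stamps the host it runs on. As an added illustration, not code from this thread or from DNIF or Winlogbeat, the Python below parses a constructed forwarded-event XML record and promotes that element to the host field while keeping the collector in a separate field; the hostnames, field names and sample event are assumptions.

```python
import xml.etree.ElementTree as ET

# XML namespace Windows uses for rendered event records.
EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample (not a real capture): a Security logon event written on
# WORKSTATION01 and forwarded to the collector host WEC01 via WEF.
SAMPLE_FORWARDED_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID>
    <Channel>Security</Channel>
    <Computer>WORKSTATION01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="LogonType">2</Data>
  </EventData>
</Event>"""


def normalize_forwarded_event(event_xml: str, collector_host: str) -> dict:
    """Return a record whose host.name is the machine that WROTE the event.

    The collector only relays the record, so System/Computer (the writer's
    name) becomes host.name and the collector is kept in its own field.
    """
    root = ET.fromstring(event_xml)
    system = root.find("e:System", EVENT_NS)
    if system is None:
        raise ValueError("not a Windows event record: missing <System>")

    def text(tag: str) -> str:
        node = system.find(f"e:{tag}", EVENT_NS)
        return (node.text or "").strip() if node is not None else ""

    origin = text("Computer")
    provider = system.find("e:Provider", EVENT_NS)
    # <Data Name="..."> entries carry the event-specific fields.
    event_data = {
        d.get("Name"): (d.text or "")
        for d in root.findall("e:EventData/e:Data", EVENT_NS)
        if d.get("Name")
    }
    return {
        "host.name": origin or collector_host,  # fall back only if Computer is absent
        "collector": collector_host,
        # An event whose writer is the collector itself is local, not forwarded.
        "forwarded": bool(origin) and origin.lower() != collector_host.lower(),
        "event_id": int(text("EventID")) if text("EventID").isdigit() else None,
        "channel": text("Channel"),
        "provider": provider.get("Name") if provider is not None else None,
        "event_data": event_data,
    }
```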

Hey @thomasJ ,

Here is a reference link that I came across on Googling which might be useful for you → Configure Winlogbeat

Thanks for the feedback Blackbird, but that is the basic Winlogbeat config. It hit close to home, so I stumbled upon this from Elastic, their WEC Server Cookbook, which actually has a script that generates the “correct” parsing of WEC/WEF logs: WEC Server Cookbook

Hey @thomasJ - Wow…you came across a gem of a document for Winlogbeat on WEC, thanks for sharing :wink: really appreciate it… :clap: