winlog.event_data.ProcessCreationTime format

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Opensearch v2.13.0
Ubuntu 22.04 (Virtual Machine in Windows 11)
Auditbeat, Filebeat v8.13.4
Winlogbeat, Metricbeat v8.15.1

Describe the issue:
I'm using Winlogbeat, and when I try to view the logs from the index, it shows this error:


which, I think, arises from a conflict between the field's mapping in the index and the index pattern. But when I checked the format of this field, which is "yyyy-MM-dd'T'HH:mm:ss.SSSSSS'Z'", and corrected the index pattern as shown below:

It still shows the same error. Can anyone explain this to me and tell me how to fix it?

Thanks in advance.

@gray653 Could you share a single example document?

This is one of the documents:

“outcome”: “success”,
“code”: “5379”,
“kind”: “event”,
“created”: “2024-10-03T05:42:34.121Z”
},
“log”: {
“level”: “information”
}
}
},
{
“_index”: “winlogbeat-2024.10.03”,
“_id”: “GXH6UJIBYq8EvwDhDJ4-”,
“_score”: 1,
“_source”: {
“tags”: [
“beats_input_codec_plain_applied”
],
“host”: {
“os”: {
“version”: “10.0”,
“type”: “windows”,
“build”: “22631.4169”,
“family”: “windows”,
“name”: “Windows 11 Home Single Language”,
“kernel”: “10.0.22621.4169 (WinBuild.160101.0800)”,
“platform”: “windows”
},
“architecture”: “x86_64”,
“name”: “laptop-ei54aopc”,
“id”: “275270cf-bf8a-4561-a9db-cb441c6532b6”,
“mac”: [
“00-00-00-00-00-00-00-E0”,
“00-50-56-C0-00-01”,
“00-50-56-C0-00-02”,
“00-50-56-C0-00-03”,
“00-50-56-C0-00-08”,
“02-50-83-09-A2-16”,
“0A-00-27-00-00-15”,
“58-11-22-3B-97-B9”,
“B4-8C-9D-54-AB-90”,
“B4-8C-9D-54-AB-91”,
“B6-8C-9D-54-AB-A1”,
“B6-8C-9D-54-AB-B1”
],
“hostname”: “laptop-ei54aopc”,
“ip”: [
“fdfd::1a75:a13”,
“fe80::43c7:ceef:7082:a3f8”,
“26.117.10.19”,
“fe80::618:a553:52e:e23e”,
“169.254.223.6”,
“fe80::836f:1f7b:df89:9829”,
“169.254.80.50”,
“fe80::573:bc8c:f1dc:7040”,
“169.254.193.107”,
“fe80::56df:4e1:e8d6:277f”,
“169.254.92.120”,
“fe80::878d:8919:4447:db8f”,
“192.168.227.1”,
“fe80::834:2fe5:610d:ec0f”,
“192.168.2.1”,
“fe80::c8c1:4cb:4f7e:7022”,
“192.168.3.1”,
“fe80::a939:1d0d:e525:6ff5”,
“192.168.192.1”,
“fe80::a2a5:71ab:bafe:28b2”,
“10.136.246.84”,
“fe80::341b:2023:7649:7c83”,
“169.254.67.15”,
“2001:0:2851:fcb0:434:1b10:89b9:7ae3”,
“fe80::434:1b10:89b9:7ae3”
]
},
“winlog”: {
“provider_name”: “Microsoft-Windows-Security-Auditing”,
“record_id”: 2194141,
“task”: “User Account Management”,
“event_id”: “5379”,
“computer_name”: “LAPTOP-EI54AOPC”,
“channel”: “Security”,
“keywords”: [
“Audit Success”
],
“process”: {
“pid”: 1420,
“thread”: {
“id”: 1496
}
},
“api”: “wineventlog”,
“provider_guid”: “{54849625-5478-4994-a5ba-3e3b0328c30d}”,
“opcode”: “Info”,
“activity_id”: “{65d505a5-154e-0002-7306-d5654e15db01}”,
“event_data”: {
“ProcessCreationTime”: “2024-10-03T04:41:02.6074684Z”,
“ReturnCode”: “3221226021”,
“SubjectDomainName”: “LAPTOP-EI54AOPC”,
“SubjectUserSid”: “S-1-5-21-489050908-748038672-2350133774-1001”,
“TargetName”: “WindowsLive:(cert):name=gray06052003@gmail.com;serviceuri=*”,
“Type”: “0”,
“ClientProcessId”: “12484”,
“SubjectLogonId”: “0x6bc3a”,
“SubjectUserName”: “Admin”,
“ReadOperation”: “%%8100”,
“CountOfCredentialsReturned”: “0”
}
},
“type”: “JSON”,
@version”: “1”,
“agent”: {
“version”: “8.15.1”,
“id”: “d7991ab5-036c-4a4e-9c0b-31a56291cab1”,
“ephemeral_id”: “178b04c4-7906-48d1-bc22-ff4beeb68530”,
“type”: “winlogbeat”,
“name”: “LAPTOP-EI54AOPC”
},
@timestamp”: “2024-10-03T04:41:04.107Z”,
“ecs”: {
“version”: “8.0.0”
},
