Closed jarvisjarb closed 5 years ago
Hey, not an issue but more a question. Can you elaborate more about the installation process? For example, how do you index the Sysmon data? I set up a Universal Forwarder, but the fields I am seeing do not seem to be what you expect in your queries.
Any thoughts?
Thanks!
Hi, sorry I completely missed this question. The fields are different indeed; I wanted to use a data model to be able to onboard similar sources more easily. If you look at default/props.conf you can see the field mapping I'm doing to the Sysmon data.
You should not have to do anything special, apart from making sure the search macros look in the right index.
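As an added illustration of what the exchange above describes (collect Sysmon with a Universal Forwarder, alias the raw Sysmon field names onto the data-model names the searches expect, and point the search macros at the right index), here is the general shape of the three Splunk configuration files involved. This is example configuration written for this note, not the repository's own default/props.conf or macros; the index name, sourcetype, macro name and every target field name on the right-hand side of the aliases are assumptions chosen for the example and must be checked against the app's actual props.conf and macro definitions.

```ini
# --- inputs.conf on the Windows host running the Universal Forwarder ---
# Collects the Sysmon operational log as XML. "sysmon" is an assumed index
# name; use whichever index the app's search macros are configured to read.
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
index = sysmon
renderXml = true
sourcetype = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

# --- props.conf on the search head (or indexers) ---
# Sysmon emits its own field names (Image, ParentImage, CommandLine, ...).
# FIELDALIAS exposes each one under the data-model style name a shared
# search can rely on, so another source only needs a different alias set.
# The names after "AS" are assumptions for this example.
[XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
FIELDALIAS-sysmon_process = Image AS process_path
FIELDALIAS-sysmon_parent  = ParentImage AS parent_process_path
FIELDALIAS-sysmon_cmdline = CommandLine AS process_command_line
FIELDALIAS-sysmon_user    = User AS user
FIELDALIAS-sysmon_hashes  = Hashes AS file_hashes
# Sysmon EventCode 1 is process creation; derive a category field so a
# data-model constraint or tag can select these events by meaning, not ID.
EVAL-event_category = if(EventCode=="1", "process_creation", null())

# --- macros.conf on the search head ---
# Every search in the app should start from this macro, so changing the
# index or sourcetype is a one-line edit here rather than in each search.
[sysmon_index]
definition = index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
iseval = 0
```

To confirm the mapping is in effect after the forwarder sends a few events, run a search such as `` `sysmon_index` EventCode=1 | head 5 | table Image process_path ParentImage parent_process_path `` on the search head: if the right-hand columns are empty while the left-hand ones are populated, the props.conf stanza is not matching the sourcetype the data actually arrived with, which is the usual reason the app's queries come back with unexpected or missing fields.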