No Windows logs

[redla1N]

Hello, colleagues!
I have a big problem - Windows events are not coming from the agents.
Version SO 2.4.120

Windows logging works, and the Forwarded Events log also works, but SO doesn't want to take it away.
The agent has the HEALTHY status.
My SO installation is distributed

What can I do to identify the reason for the missing logs and get them?

ElastAlert always in status: Pending Import or SyncFailed

[kspringer-maf]

I don't understand why you have a screenshot of 'Detections' when your question is about Logs. Detections are rules that get compared against existing logs to create Alerts. You need to go to the 'Hunt' section and search for your logs to be sure you can find them first.
Here's a sample Hunt query that should give you some good results to prove your Windows Event logs are getting ingested by SO.
* AND event.module: "endpoint" | groupby event.module* event.dataset | groupby "host.name"

[kspringer-maf]

It sounds like you don't know the basics of the system. You need to go through the training.
https://securityonionsolutions.com/training#free-training

[redla1N]

I've watched this tutorial, but I haven't found the right answer to my questions.
please help me solve the problem with the lack of logs from WEC.

[redla1N]

@kspringer-maf
I do politic for agent, but i dont have alerts from windows. can u help me pls

[cm-ops]

#14727 (reply in thread)

If this is the same install, you need an ingest node.