elastic · marc-gr · Apr 17, 2026 · Apr 17, 2026
@@ -2,6 +2,9 @@ condition: ${host.platform} == 'windows'
 data_stream:
   dataset: {{data_stream.dataset}}
 name: {{channel}}
+{{#if forwarded}}
+forwarded: true
+{{/if}}
 {{#if xml_query}}
 xml_query: {{xml_query}}
 {{else}}

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.6.0"
+  changes:
+    - description: Add `forwarded` option to winlog input.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/18500
 - version: "2.5.0"
   changes:
     - description: Improve documentation

@@ -3,7 +3,7 @@ name: winlog
 title: Custom Windows Event Logs
 description: Collect and parse logs from any Windows event log channel with Elastic Agent.
 type: input
-version: "2.5.0"
+version: "2.6.0"
 conditions:
   kibana:
     version: '^8.10.1 || ^9.0.0'
@@ -52,6 +52,18 @@ policy_templates:
         type: bool
         multi: false
         default: false
+      - name: forwarded
+        required: true
+        show_user: true
+        title: Forwarded events
+        description: >-
+          Indicates if this will be consuming forwarded events. If `true` the integration will assume the events 
+          were not generated in the host. This MUST be set to `true` if the integration is consuming forwarded events
+          like in WEF setups, otherwise the integration could run in a degraded state due to inconsistencies in the events
+          correlation. If the channel being consumed is `ForwardedEvents` this is going to be set to `true` regardless of the value set here.
+        type: bool
+        multi: false
+        default: false
       - name: providers
         type: text
         title: Providers