Categorization of logs in windows

I am trying to collect the records for creating a user account, deleting a user account and modifying a user account.

I have also been asked to collect audit events on files and folders and send them to logstash.

I have already installed winlogbeat and it is already sending data to logstash, and from there to elasticsearch, but I do not know which event corresponds to each of the aforementioned actions; my knowledge of log storage in Windows is nil.

I don't know if anyone has had the same problem. Thank you very much.

We have started building a module for the Security event log that will apply categorization and normalization based on Elastic Common Schema (ECS). You can try out the module or look at its source code to see what it does.

We're still working on developing the categories that will go into ECS.
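To illustrate the kind of categorization the reply describes, here is an added example (not part of the thread or of the winlogbeat module) that maps the Windows Security event IDs for account creation, deletion and modification, plus file-access audit events, onto ECS-style fields from constructed winlogbeat JSON lines. The field names `winlog.event_id`, `winlog.channel` and `winlog.event_data.*` are assumed.

```python
import json

# Standard Windows Security log event IDs for the actions asked about,
# mapped to ECS-style event.category / event.action values (assumed naming).
EVENT_MAP = {
    4720: ("iam", "user-account-created"),
    4726: ("iam", "user-account-deleted"),
    4738: ("iam", "user-account-changed"),
    4663: ("file", "file-object-accessed"),
}

# Subset of the AccessMask bits reported by 4663 (NTFS access rights).
ACCESS_BITS = {0x1: "read", 0x2: "write", 0x4: "append", 0x10000: "delete"}


def decode_access(mask_hex):
    """Translate a 4663 AccessMask hex string into readable access types."""
    mask = int(mask_hex, 16)
    return sorted(name for bit, name in ACCESS_BITS.items() if mask & bit)


def categorize(event):
    """Return an ECS-like summary for one winlogbeat Security event, else None."""
    winlog = event.get("winlog", {})
    eid = winlog.get("event_id")
    if winlog.get("channel") != "Security" or eid not in EVENT_MAP:
        return None
    category, action = EVENT_MAP[eid]
    data = winlog.get("event_data", {})
    out = {"event.category": category, "event.action": action,
           "user.name": data.get("SubjectUserName")}  # who performed it
    if category == "iam":
        out["user.target.name"] = data.get("TargetUserName")  # account affected
    else:
        out["file.path"] = data.get("ObjectName")
        out["event.type"] = decode_access(data.get("AccessMask", "0x0"))
    return out


# Constructed sample events in winlogbeat's JSON shape (not real captures).
SAMPLE_EVENTS = [
    '{"winlog":{"channel":"Security","event_id":4720,"event_data":{"SubjectUserName":"admin","TargetUserName":"svc_backup"}}}',
    '{"winlog":{"channel":"Security","event_id":4624,"event_data":{"TargetUserName":"admin"}}}',
    '{"winlog":{"channel":"Security","event_id":4738,"event_data":{"SubjectUserName":"admin","TargetUserName":"svc_backup"}}}',
    '{"winlog":{"channel":"Security","event_id":4663,"event_data":{"SubjectUserName":"alice","ObjectName":"C:\\\\Finance\\\\q1.xlsx","AccessMask":"0x10002"}}}',
]


def categorize_all(lines):
    """Categorize a batch of JSON lines, dropping events outside EVENT_MAP."""
    return [c for c in (categorize(json.loads(line)) for line in lines) if c]


if __name__ == "__main__":
    for summary in categorize_all(SAMPLE_EVENTS):
        print(summary)
```

Events outside the mapping (the 4624 logon in the sample) are dropped, which is the same filtering a Logstash pipeline would apply before indexing.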

Thank you

Waiting for more updates to this library.
