Hello, I am collecting Windows event logs via the MS Windows Event Log Collector and then forwarding them to Graylog via Winlogbeat. I am getting alerts about parsing errors for a Winlogbeat field shown below due to the field data being in the incorrect format. I verified that the event logs that are failing have data in the "ProcessCreationTime" field that is not in a date/time format. I also show an example of an event log below that is parsing properly with the correct date/time format. So I have a conflict here, with two different data format types. From reading I learned that Elastic dynamically learns the type from the populated data, which it has. What do I do about the other logs that have the data in a different format?

Edit: I bet it has something to do with the winlogbeat.yml configuration, maybe under processors:? Any recommendations?
Graylog parsing error message:
[type=mapper_parsing_exception, reason=failed to parse field [winlogbeat_winlog_event_data_ProcessCreationTime] of type [date] in document with id '9ae0bcb9-d2fa-11ed-ab3f-5ced8c62e140'. Preview of field's value: '0x1d96701c22c85b6']];
Windows event log - parsing error due to field with wrong data format:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Application Error" Guid="{a0e9b465-b939-57d7-b27d-95d8e925ff57}" />
<EventID>1000</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>100</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2023-04-04T15:08:46.4429091Z" />
<EventRecordID>8328</EventRecordID>
<Correlation />
<Execution ProcessID="17216" ThreadID="16092" />
<Channel>Application</Channel>
<Computer>xxxxxxxxxxxxl</Computer>
<Security UserID="xxxxxxxxxxxxxxxxxxxxxx" />
</System>
<EventData>
<Data Name="AppName">mmc.exe</Data>
<Data Name="AppVersion">10.0.22621.1</Data>
<Data Name="AppTimeStamp">151c64e4</Data>
<Data Name="ModuleName">mso20win32client.dll</Data>
<Data Name="ModuleVersion">0.0.0.0</Data>
<Data Name="ModuleTimeStamp">63e58f6a</Data>
<Data Name="ExceptionCode">01483052</Data>
<Data Name="FaultingOffset">000000000023176d</Data>
<Data Name="ProcessId">0x380c</Data>
<Data Name="ProcessCreationTime">0x1d96701c22c85b6</Data>
<Data Name="AppPath">C:\WINDOWS\system32\mmc.exe</Data>
<Data Name="ModulePath">C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll</Data>
<Data Name="IntegratorReportId">67b66e02-c754-41c6-9a15-0f38f97025e0</Data>
<Data Name="PackageFullName" />
<Data Name="PackageRelativeAppId" />
</EventData>
</Event>
Event parsing properly with correct data format for field:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>5379</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2023-04-04T17:41:37.3849558Z" />
<EventRecordID>25376954</EventRecordID>
<Correlation ActivityID="{8dc0fab5-6229-0002-eefa-c08d2962d901}" />
<Execution ProcessID="1148" ThreadID="15828" />
<Channel>Security</Channel>
<Computer>xxxxxxxxxxxxxxx</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">xxxxxxxxxxxxxxxxxxx</Data>
<Data Name="SubjectUserName">xxxxxxx</Data>
<Data Name="SubjectDomainName">xxxxxxx</Data>
<Data Name="SubjectLogonId">0xxxxxxx</Data>
<Data Name="TargetName">MicrosoftOffice16_Data:live:cid=*</Data>
<Data Name="Type">0</Data>
<Data Name="CountOfCredentialsReturned">0</Data>
<Data Name="ReadOperation">%%8100</Data>
<Data Name="ReturnCode">3221226021</Data>
<Data Name="ProcessCreationTime">2023-04-03T00:57:16.4942675Z</Data>
<Data Name="ClientProcessId">3808</Data>
</EventData>
</Event>
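The value 0x1d96701c22c85b6 in the Application Error 1000 event is a Windows FILETIME (100-nanosecond ticks since 1601-01-01 in hex), while the Security 5379 event writes the same field as an ISO 8601 string, so the two providers will always collide in a date-typed mapping unless one form is rewritten before indexing. The following is an added example, not code from the original post or from Elastic: a Winlogbeat `script` processor body that converts the FILETIME form to ISO 8601 and moves anything unrecognisable out of the field. It assumes the Winlogbeat 7+ field name winlog.event_data.ProcessCreationTime (matching the Graylog field in the error) and the script processor's `event.Get`/`Put`/`Delete` API; the processor's entry point must be named `process(event)` in winlogbeat.yml, and is called normalizeEvent here only so the block also runs under Node.

```javascript
// Added example (not from the original post): normalise ProcessCreationTime so the
// field is always an ISO 8601 string, whether the provider wrote a FILETIME
// (Application Error 1000) or an ISO timestamp (Security 5379).
var FIELD = "winlog.event_data.ProcessCreationTime";  // assumed Winlogbeat field name
var RAW_FIELD = FIELD + "Raw";                        // hypothetical field for unparseable values
var EPOCH_DIFF_MS = 11644473600000;                   // ms between 1601-01-01 and 1970-01-01

// Convert a hex FILETIME such as "0x1d96701c22c85b6" to "2023-04-04T14:28:43.4466230Z".
// The value is ~60 bits, beyond Number's 53-bit exactness, so divide by 10000
// (100-ns ticks -> ms) digit by digit instead of parseInt on the whole string.
function fileTimeToIso(hex) {
  var digits = hex.replace(/^0x/i, "");
  if (!/^[0-9a-f]+$/i.test(digits)) return null;
  var ms = 0, rem = 0;                 // quotient (ms since 1601) and remainder (ticks)
  for (var i = 0; i < digits.length; i++) {
    rem = rem * 16 + parseInt(digits.charAt(i), 16);
    ms = ms * 16 + Math.floor(rem / 10000);
    rem = rem % 10000;
  }
  var unixMs = ms - EPOCH_DIFF_MS;
  if (unixMs < 0) return null;         // before 1970: not a usable process start time
  var iso = new Date(unixMs).toISOString();      // millisecond precision, e.g. "...43.446Z"
  var ticks = ("000" + rem).slice(-4);           // the four sub-millisecond digits Windows keeps
  return iso.slice(0, -1) + ticks + "Z";         // seven fractional digits, like the Security event
}

// Return the field value as ISO 8601, or null when it is neither a FILETIME nor ISO.
function normalizeCreationTime(value) {
  if (typeof value !== "string") return null;
  if (/^0x[0-9a-f]+$/i.test(value)) return fileTimeToIso(value);
  if (/^\d{4}-\d{2}-\d{2}T[\d:.]+Z$/.test(value)) return value;  // already ISO
  return null;
}

// Entry point (name it `process` in winlogbeat.yml): rewrite the field in place, or
// park the original in RAW_FIELD so the date-typed mapping never sees a non-date.
function normalizeEvent(event) {
  var v = event.Get(FIELD);
  if (v === null || v === undefined) return;
  var iso = normalizeCreationTime(v);
  if (iso === null) {
    event.Delete(FIELD);
    event.Put(RAW_FIELD, v);           // keep the raw value for investigation
  } else {
    event.Put(FIELD, iso);
  }
}
```

In winlogbeat.yml the function goes under `processors:` as `- script:` with `lang: javascript` and the code in `source:` (or a path in `file:`); the converted 14:28:43Z start time sits about 40 minutes before the 15:08:46Z crash in the sample event, which is a quick sanity check that the conversion is right.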