Enrich information with the administrator flag

Hi all

I try to enrich the information that I send to Logstash.

I'd like to add a field in the winlogbeat index with a label like administrator and in this field I'd like to set YES for the user that is admin of the pc/server or NO for the user that is not admin of the pc/server.

Is it possible? At the moment I don't found solution...

Thank you

Yes. It is possible using Logstash Mutate plugin.

filter {
  mutate {
    add_tag => [ "tag-name" ]

There is more information:

Hi @vasek I could add a tag ADMIN for the administrators user in the logstash filter, but how could I found the administrators user? In the winlogbeat.yml file could I set this configuration?

I need an example

Thank you

In winlogbeat filebeat you can add field for specific log file. This can be useful if you have separated log for adminstrators and users.. e.g.: adminsitrators.log, users.logs.

If you have mixed content in log.. you have to parse eveng, for example using Grok patterns in logstash. Based on result of parsing you can tag events.

Ok I like the idea to have two log, one for administrators and one for users. How could I set the winlogbeat.yml file to have this 2 files?

Thank you

Sry. I thought about filebeat.. I am going to edit answer.

Thank you @vasek. I'm waiting your reply...


Based on eventID you can filter some messages.

There is some event ID list:

Or try to parse events using Grok patterns in logstash. Based on result of parsing you can tag events.

I know this list but I don't have a grok patterns to give me the result of user admin or user simple.

Do you have some idea?

Thank you

1) Tag events based on selected eventID

if ( [eventID] == 42 or [eventID] == 2019 ) {
do something ... e.g.: add tag or field to document

2) Parsing Windows Events
Look at a document which is collected by Filebeat from Windows server. You can use CURL utility or Kibana to see this document. You will parse field where message is present.

You can test your Grok pattern in Kibana - Dev Tools - Grok Debugger. There is nice explanation.

There is some prepared Grok Reg Exp.

Thank you @vasek I know all information that you give me.

I found a script in windows that give in output all administrator users. Is it possible in winlogbeat to check if the event capture is created by one of this users (that I could store in a text file)?

Thank you

I am not sure that you can do it on Winlogbeat side. You can definitely filter based on e.g.:

  • winlogbeat.event_logs
  • event_logs.event_id

More about filtering here.

Filtering messages on Logstash could be fine.. try Logstash translate filter plugin.

You can provide list of users to this plugin.

Good luck.


please allow me to come back to the original question and how identify, which mode the actual beat is running at the moment.
I hope I understood you correctly.

You can always identify which context the beat is running in using environment variables combines with conditionals:

With the help of that I can give you following differences:

CMD without admin mode
  env variable: SESSIONNAME=Console
CMD with admin mode
  missing env variable SESSIONNAME

Now the difference between a program execute in admin mode or in a service context

CMD with admin mode:

CMD with Service mode:

These contexts belong to Windows 10 but should be similar under a Windows Server version.

So hope that helps a bit additionally.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.