How are failed logins tracked? I have lots of winlog.event_id: 4771 indicating a login failure, but if I look at SIEM, it shows thousands of successful logins and 0 failed logins.
Hi @wwalker, failed logins have to contain event.category: authentication and event.type: authentication_failure (successful logins: event.type: authentication_success). Winlogbeat has a security module since version 7.2 that fills those fields.
Yes, I see that in the winlogbeat reference file and I've included it in my winlogbeat.yml config on the agents. Below is my config, the paths are valid and files are present.
winlogbeat.event_logs:
  - name: Application
    ignore_older: 720h
  - name: Security
    ignore_older: 720h
    processors:
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js
  - name: System
    ignore_older: 720h
  - name: Microsoft-Windows-Sysmon/Operational
    processors:
      - script:
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
The security log module is very new and only handles the event IDs documented at https://www.elastic.co/guide/en/beats/winlogbeat/7.2/winlogbeat-module-security.html. But it is possible to customize the module until we can add 4771. For example, a user added 4634 to the module and then opened a PR at https://github.com/elastic/beats/pull/12906/files.
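An added example of the kind of mapping such a customization supplies, not Winlogbeat's own module code: a Beats-style script processor that labels 4771 with the event.category and event.type values named above. The Event stand-in, the event-ID table and the sample record are constructed for this illustration.

```javascript
// Beats script processors receive an Event exposing Get()/Put(); this small
// class is a stand-in so the example also runs under plain Node.js.
class Event {
  constructor(fields) { this.fields = fields; }
  Get(path) {
    return path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), this.fields);
  }
  Put(path, value) {
    const keys = path.split(".");
    let o = this.fields;
    for (const k of keys.slice(0, -1)) o = o[k] = o[k] || {};
    o[keys[keys.length - 1]] = value;
  }
}

// Security event IDs -> ECS-style type/outcome. Constructed table for this
// example; 4771 (Kerberos pre-authentication failed) is the ID the 7.2
// module does not yet handle, so the SIEM app never sees it as a failure.
const AUTH_EVENTS = {
  4624: { type: "authentication_success", outcome: "success" }, // account logged on
  4625: { type: "authentication_failure", outcome: "failure" }, // account failed to log on
  4771: { type: "authentication_failure", outcome: "failure" }, // Kerberos pre-auth failed
};

// In a real Winlogbeat script this function is named process(event);
// it is renamed here only to avoid shadowing Node's global `process`.
function processEvent(evt) {
  if (evt.Get("winlog.channel") !== "Security") return evt; // only the Security log
  const id = Number(evt.Get("winlog.event_id")); // numeric in 7.x, string in later versions
  const mapping = AUTH_EVENTS[id];
  if (!mapping) return evt; // unrelated IDs pass through untouched
  evt.Put("event.category", "authentication");
  evt.Put("event.type", mapping.type);
  evt.Put("event.outcome", mapping.outcome);
  return evt;
}

// Constructed sample: a trimmed 4771 record as Winlogbeat would ship it.
const sample = new Event({
  winlog: { channel: "Security", event_id: 4771, event_data: { Status: "0x18" } },
});
processEvent(sample);
console.log(JSON.stringify(sample.fields.event)); // authentication / authentication_failure / failure
```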
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.