Failed Logins

How are failed logins tracked? I have lots of winlog.event_id: 4771 indicating a login failure, but if I look at SIEM, it shows thousands of successful logins and 0 failed logins.

Hi @wwalker, failed logins have to contain event.category: authentication and event.type: authentication_failure (successful logins have event.type: authentication_success). Winlogbeat has a security module since version 7.2 that fills those fields.

Yes, I see that in the winlogbeat reference file, and I've included it in my winlogbeat.yml config on the agents. Below is my config; the paths are valid and the files are present.

winlogbeat.event_logs:
  - name: Application
    ignore_older: 720h
  - name: Security
    ignore_older: 720h
    processors:
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js
  - name: System
    ignore_older: 720h
  - name: Microsoft-Windows-Sysmon/Operational
    processors:
      - script:
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

The security log module is very new and only handles the event IDs documented at https://www.elastic.co/guide/en/beats/winlogbeat/7.2/winlogbeat-module-security.html. But it is possible to customize the module until we can add 4771. For example, a user has added 4634 to the module and then opened a PR at https://github.com/elastic/beats/pull/12906/files.
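To make the cause of "thousands of successful logins, 0 failed" concrete, here is an added example that is not code from this thread and not Winlogbeat's security module. It is plain JavaScript (runnable under Node, so it deliberately does not use the Beats script-processor API) that mimics what the module script does: map a Windows Security event ID onto the ECS fields the SIEM query filters on. Two lookup tables are assumed: one that stands in for a module that does not yet know 4771, and one with 4771 added. Event IDs 4624 and 4625 (logon success/failure) come from general Windows knowledge, not from the thread; the sample events are constructed.

```javascript
// Added example, not Winlogbeat's security module and not from the thread.
// Maps winlog.event_id onto event.category / event.type / event.outcome so a
// SIEM query for authentication failures can see Kerberos pre-auth failures.

// Stand-in for a module that handles logon success/failure but not 4771 yet
// (4624/4625 are general Windows knowledge, not taken from the thread).
const AUTH_MAP_WITHOUT_4771 = {
  4624: { type: "authentication_success", outcome: "success" },
  4625: { type: "authentication_failure", outcome: "failure" },
};

// The same table with 4771 (Kerberos pre-authentication failed) added,
// which is the customization the thread talks about.
const AUTH_MAP_WITH_4771 = {
  ...AUTH_MAP_WITHOUT_4771,
  4771: { type: "authentication_failure", outcome: "failure" },
};

// Return a copy of the event with the ECS authentication fields filled in
// when the event ID is in the map; unknown events pass through untouched.
function enrichAuthEvent(evt, map) {
  const id = Number(evt.winlog && evt.winlog.event_id);
  const mapping = map[id];
  if (!mapping) return evt;
  return {
    ...evt,
    event: {
      ...(evt.event || {}),
      category: "authentication",
      type: mapping.type,
      outcome: mapping.outcome,
    },
  };
}

// These two predicates are what a "failed/successful logins" SIEM query
// effectively evaluates: both ECS fields must be present.
function isFailedLogin(evt) {
  return Boolean(evt.event) &&
    evt.event.category === "authentication" &&
    evt.event.type === "authentication_failure";
}

function isSuccessfulLogin(evt) {
  return Boolean(evt.event) &&
    evt.event.category === "authentication" &&
    evt.event.type === "authentication_success";
}

// Run enrichment with a given map and count what the SIEM would show.
function tallyLogins(events, map) {
  const enriched = events.map((e) => enrichAuthEvent(e, map));
  return {
    failed: enriched.filter(isFailedLogin).length,
    success: enriched.filter(isSuccessfulLogin).length,
  };
}

// Constructed sample: raw winlog fields as shipped before any module runs
// (no event.category / event.type). Two Kerberos failures, three logons,
// one unrelated System event.
const SAMPLE_EVENTS = [
  { winlog: { channel: "Security", event_id: 4771 } },
  { winlog: { channel: "Security", event_id: 4771 } },
  { winlog: { channel: "Security", event_id: 4624 } },
  { winlog: { channel: "Security", event_id: 4624 } },
  { winlog: { channel: "Security", event_id: 4624 } },
  { winlog: { channel: "System", event_id: 7036 } },
];

// Without 4771 in the map the failures are invisible to the query;
// with it they are counted alongside the successes.
console.log("module without 4771:", tallyLogins(SAMPLE_EVENTS, AUTH_MAP_WITHOUT_4771));
console.log("module with 4771:   ", tallyLogins(SAMPLE_EVENTS, AUTH_MAP_WITH_4771));
```

The first tally reproduces the symptom in the question (successes counted, failures 0) even though the 4771 events are present in the index; the second shows that adding the mapping, not changing the SIEM query, is what makes them countable. The same check can be done on real data by searching the index for winlog.event_id: 4771 and confirming whether event.type is set on those documents.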