Hi all,
I'm struggling to get a Windows event published.
Event XML below; the fields marked in bold (***) aren't published by Winlogbeat.
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-CertificateServicesClient-Lifecycle-System" Guid="{bc0669e1-a10d-4a78-834e-1ca3c806c93b}" />
<EventID>1003</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2021-10-16T16:02:39.728582800Z" />
<EventRecordID>167</EventRecordID>
<Correlation />
<Execution ProcessID="140" ThreadID="2436" />
<Channel>Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational</Channel>
<Computer>server.exemple.local</Computer>
<Security UserID="S-0" />
</System>
***- <UserData>***
***- <CertNotificationData ProcessName="taskhostw.exe" AccountName="exemple\server$" Context="Machine">***
***- <CertificateDetails Thumbprint="11d11">***
*** <Template Name="Template Name" OID="1.0.0" /> ***
***- <SubjectNames>***
*** <SubjectName>CN=server.exemple.local</SubjectName> ***
*** <SubjectName>server.exemple.local</SubjectName> ***
*** <SubjectName>server</SubjectName> ***
*** <SubjectName>exemple.local</SubjectName> ***
*** </SubjectNames>***
***- <EKUs>***
*** <EKU Name="Server Authentication" OID="1.3.6.1.5.5.7.3.1" /> ***
*** <EKU Name="Client Authentication" OID="1.3.6.1.5.5.7.3.2" /> ***
*** </EKUs>***
*** <NotValidAfter>2021-10-16T16:07:44Z</NotValidAfter> ***
*** </CertificateDetails>***
*** </CertNotificationData>***
*** </UserData>***
</Event>
Winlogbeat DEBUG:
2022-01-18T17:45:31.940+0100 DEBUG [processors] processing/processors.go:203 Publish event: {
"@timestamp": "2021-09-24T08:02:33.486Z",
"@metadata": {
"beat": "winlogbeat",
"type": "_doc",
"version": "7.13.4"
},
"event": {
"code": "1003",
"kind": "event",
"provider": "Microsoft-Windows-CertificateServicesClient-Lifecycle-System",
"created": "2022-01-18T16:45:31.940Z"
},
"message": "A certificate is about to expire. Please refer to the \"Details\" section for more information
"fields": {
"env": "DEV",
},
"log": {
"level": "warning"
},
"host": {
"name": "server.exemple.com"
},
"winlog": {
"channel": "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational",
"user": {
"domain": "NT AUTHORITY",
"name": "SYSTEM",
"type": "User",
"identifier": "S-1-5-18"
},
"provider_name": "Microsoft-Windows-CertificateServicesClient-Lifecycle-System",
"record_id": 75,
"opcode": "Info",
"api": "wineventlog",
"computer_name": "server.exemple.com",
"provider_guid": "{b}",
"process": {
"pid": 4168,
"thread": {
"id": 4700
}
},
"event_id": "1003"
},
"tags": [
"type1"
],
"ecs": {
"version": "1.9.0"
},
"agent": {
"ephemeral_id": "463f0e5c-3deb-4255-8387-7db955fe96d6",
"id": "30be004e-1fa6-48ab-b276-de6903d55376",
"name": "SERVER",
"type": "winlogbeat",
"version": "7.13.4",
"hostname": "SERVER"
}
}
Winlogbeat conf:
# Winlogbeat event_logs entry for the CertificateServicesClient lifecycle channel.
# It collects only event IDs 1002 and 1003 from that channel (1003 is the
# "A certificate is about to expire" notice seen in the debug output above).
# NOTE(review): as pasted, event_id sits at column 0; in the actual YAML it must be
# indented under the "- name:" list item, otherwise it is not part of that entry.
# NOTE(review): the published event above has no winlog.user_data / winlog.event_data
# block, while the XML sample carries a <UserData> section (Thumbprint, SubjectNames,
# EKUs, NotValidAfter) — exactly the fields an expiry alert or detection needs. Confirm
# whether this Winlogbeat version renders UserData for this provider; include_xml: true
# is the documented way to keep the raw event XML in the published document while that
# is checked.
# NOTE(review): the debug output (record_id 75, 2021-09-24, server.exemple.com) is not the
# same record as the XML sample (EventRecordID 167, 2021-10-16, server.exemple.local),
# so the field-by-field comparison should be repeated against a matching record.
winlogbeat.event_logs:
- name: Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational
event_id: 1002,1003