Filebeat Parsing error

Hi:

I'm getting this error with Filebeat, and maybe someone can help me figure out what's going on in my test lab:

WARN elasticsearch/client.go:535 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbf55f8a154f06e33, ext:79600414613469, loc:(*time.Location)(0x30d3480)}, Meta:common.MapStr(nil), Fields:common.MapStr{"agent":map[string]interface {}{"id":"003", "ip":"192.168.6.59", "name":"windows2012"}, "data":map[string]interface {}{"win":map[string]interface {}{"eventdata":map[string]interface {}{"authenticationPackageName":"NTLM", "failureReason":"%%2313", "keyLength":"0", "logonProcessName":"NtLmSsp", "logonType":"3", "processId":"0x0", "status":"0xc000006d", "subStatus":"0xc000006a", "subjectLogonId":"0x0", "subjectUserSid":"S-1-0-0", "targetUserName":"Administrador", "targetUserSid":"S-1-0-0", "workstationName":"kali"}, "system":map[string]interface {}{"channel":"Security", "computer":"WIN-AIEOJTT8UG6", "eventID":"4625", "eventRecordID":"274154", "keywords":"0x8010000000000000", "level":"0", "message":"Error de una cuenta al iniciar sesión.", "opcode":"0", "processID":"464", "providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}", "providerName":"Microsoft-Windows-Security-Auditing", "severityValue":"AUDIT_FAILURE", "systemTime":"2019-09-10T09:21:05.305697900Z", "task":"12544", "threadID":"1084", "version":"0"}}}, "decoder":map[string]interface {}{"name":"windows_eventchannel"}, "full_log":map[string]interface {}{"win":map[string]interface {}{"eventdata":map[string]interface {}{"authenticationPackageName":"NTLM", "failureReason":"%%2313", "keyLength":"0", "logonProcessName":"NtLmSsp", "logonType":"3", "processId":"0x0", "status":"0xc000006d", "subStatus":"0xc000006a", "subjectLogonId":"0x0", "subjectUserSid":"S-1-0-0", "targetUserName":"Administrador", "targetUserSid":"S-1-0-0", "workstationName":"kali"}, "system":map[string]interface {}{"channel":"Security", "computer":"WIN-AIEOJTT8UG6", "eventID":"4625", "eventRecordID":"274154", "keywords":"0x8010000000000000", "level":"0", "message":"Error de una cuenta al iniciar sesión.", "opcode":"0", "processID":"464", "providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}", "providerName":"Microsoft-Windows-Security-Auditing", "severityValue":"AUDIT_FAILURE", "systemTime":"2019-09-10T09:21:05.305697900Z", "task":"12544", "threadID":"1084", "version":"0"}}}, "id":"1568107269.1371180", "input":common.MapStr{"type":"log"}, "location":"EventChannel", "manager":map[string]interface {}{"name":"CalderaServer"}, "previous_output":"{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2019-09-10T09:21:05.274446300Z","eventRecordID":"274153","processID":"464","threadID":"2120","channel":"Security","computer":"WIN-AIEOJTT8UG6","severityValue":"AUDIT_FAILURE","message":"Error de una cuenta al iniciar sesión."},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"Administrador","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc000006a","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"kali","keyLength":"0","processId":"0x0"}}}\n{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2019-09-10T09:21:05.165073200Z","eventRecordID":"274152","processID":"464","threadID":"2120","channel":"Security","computer":"WIN-AIEOJTT8UG6","severityValue":"AUDIT_FAILURE","message":"Error de una cuenta al iniciar sesión."},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"Administrador","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc000006a","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"kali","keyLength":"0","processId":"0x0"}}}\n{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2019-09-10T09:21:05.149448400Z",
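Whatever the indexing problem turns out to be, the events being dropped above are worth a look on their own: four Security 4625 records from WIN-AIEOJTT8UG6, all NTLM network logons (logon type 3, NtLmSsp) against the account Administrador from a workstation calling itself kali, with status 0xc000006d / sub-status 0xc000006a (STATUS_LOGON_FAILURE with STATUS_WRONG_PASSWORD, failure reason %%2313 "Unknown user name or bad password"), spread over roughly 160 ms. The Wazuh alert shown carries the current event under data.win and the earlier ones packed into previous_output as newline-separated JSON documents. The following Python script is an added example, not part of this thread or of Wazuh or Filebeat: it expands such an alert into individual events and flags bad-password bursts per (workstation, target account). The sample alert is constructed from the values in the post, reduced to the fields the script uses; the threshold of three failures and the 60-second window are assumptions.

```python
"""Flag bad-password bursts in Windows 4625 events from a Wazuh eventchannel alert."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _event(record_id: str, system_time: str, thread_id: str) -> dict:
    """Build one event in the shape of the post's data.win; fixed values copied from it."""
    return {"win": {
        "system": {"providerName": "Microsoft-Windows-Security-Auditing", "eventID": "4625",
                   "channel": "Security", "computer": "WIN-AIEOJTT8UG6",
                   "severityValue": "AUDIT_FAILURE", "eventRecordID": record_id,
                   "systemTime": system_time, "threadID": thread_id},
        "eventdata": {"targetUserName": "Administrador", "status": "0xc000006d",
                      "subStatus": "0xc000006a", "failureReason": "%%2313",
                      "logonType": "3", "logonProcessName": "NtLmSsp",
                      "authenticationPackageName": "NTLM", "workstationName": "kali"}}}


# Constructed sample alert: the current event plus the two complete previous
# events visible in the post, packed into previous_output the way Wazuh does
# (one JSON document per line).
SAMPLE_ALERT = {
    "agent": {"id": "003", "ip": "192.168.6.59", "name": "windows2012"},
    "decoder": {"name": "windows_eventchannel"},
    "data": _event("274154", "2019-09-10T09:21:05.305697900Z", "1084"),
    "previous_output": "\n".join(json.dumps(e) for e in [
        _event("274153", "2019-09-10T09:21:05.274446300Z", "2120"),
        _event("274152", "2019-09-10T09:21:05.165073200Z", "2120"),
    ]),
}


def parse_systemtime(ts: str) -> datetime:
    """Parse a Windows SystemTime such as 2019-09-10T09:21:05.305697900Z.

    The fraction has more digits than Python's microsecond field, so it is
    truncated (not rounded) to six digits before parsing.
    """
    base, _, frac = ts.rstrip("Z").partition(".")
    frac = (frac + "000000")[:6]
    return datetime.strptime(f"{base}.{frac}", "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)


def expand_alert(alert: dict):
    """Yield the alert's own event, then every event packed into previous_output."""
    yield alert["data"]
    for line in alert.get("previous_output", "").splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def is_bad_password_4625(event: dict) -> bool:
    """True for 4625 with STATUS_LOGON_FAILURE / STATUS_WRONG_PASSWORD."""
    win = event.get("win", {})
    system, eventdata = win.get("system", {}), win.get("eventdata", {})
    return (system.get("eventID") == "4625"
            and eventdata.get("status") == "0xc000006d"
            and eventdata.get("subStatus") == "0xc000006a")


def find_bursts(events, threshold: int = 3, window: timedelta = timedelta(seconds=60)) -> dict:
    """Return {(workstation, target_user): max failures seen inside one window}.

    Only keys that reach `threshold` inside some sliding window of `window`
    length are reported. Threshold and window are assumed tuning values.
    """
    buckets = defaultdict(list)
    for event in events:
        if not is_bad_password_4625(event):
            continue
        eventdata = event["win"]["eventdata"]
        key = (eventdata.get("workstationName", "?"), eventdata.get("targetUserName", "?"))
        buckets[key].append(parse_systemtime(event["win"]["system"]["systemTime"]))

    hits = {}
    for key, times in buckets.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[key] = best
    return hits


if __name__ == "__main__":
    for (workstation, user), count in find_bursts(expand_alert(SAMPLE_ALERT)).items():
        print(f"bad-password burst: {count} failures for {user!r} from workstation {workstation!r}")
```

With the sample alert this reports three failures for Administrador from kali; raising the threshold to four reports nothing, because the fourth event in the post is cut off and was not included in the sample. workstationName is supplied by the client in NTLM authentication and is not verified, so it identifies the tool or host name the attacker chose, not a trustworthy source; the agent's IP and the network logon source would need to come from other fields or from network telemetry.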


Hey, did you get anywhere with this?
